NIGERIA Law and Practice Contributed by: Isa Alade, Seyi Bella, Ayodele Adeyemi-Faboya and Ayomikun Ogunkanmi, Banwo & Ighodalo
Cybercrimes (Prohibition & Prevention) (Amendment) Act 2024

The Cybercrimes (Prohibition and Prevention) Act 2015, as amended by the Cybercrimes (Prohibition and Prevention) (Amendment) Act 2024, introduces a crucial update regarding the reporting of cyber threats. The Amended Act now mandates that any individual or entity – whether public or private – must notify the National Computer Emergency Response Team (National CERT) about any cyber threat or breach within 72 hours of detection, significantly reducing the previous deadline of seven days. Failure to comply with this reporting requirement can result in a fine of NGN2,000,000 and/or denial of internet services.

This new provision aligns with Section 40(2) of the Nigeria Data Protection Act (NDPA), which encourages data controllers to report personal data protection breaches to the Nigeria Data Protection Commission (NDPC) within 72 hours of awareness. While not every cyber threat or breach results in a personal data breach, the obligation to report to the National CERT applies regardless. However, if the breach involves personal data, both the National CERT and the NDPC must be notified within the same 72-hour period.

These changes strengthen the country’s cybercrime response framework and aim to enhance data security and transparency across sectors.

Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance pursuant to the Nigeria Data Protection Act 2023 (NDPA)

In 2024, the NDPC expatiated on the concept of Data Controllers and Processors of Major Importance (DCPMIs), entities processing personal data deemed crucial to Nigeria’s economy, society, or security. Section 65 of the NDPA allows the NDPC to designate such entities based on the volume and significance of data processed.

The NDPC’s Guidance Notice issued in February 2024 outlines that entities processing personal data for over 200 individuals in six months or working in sectors like finance, healthcare, and education may qualify as DCPMIs. Organisations under fiduciary relationships with data subjects are also considered. The registration requirement aims to enhance data protection standards for critical data handlers in Nigeria.

There has been a recent decision of the Federal High Court of Nigeria invalidating certain provisions of the Guidance Notice and further mandating that the NDPC clarifies entities exempted from the Guidance Notice.

CBN rules for Virtual Assets Service Providers (VASPs)

On 22 December 2023, the CBN issued Guidelines on the Operations of Bank Accounts for Virtual Assets Service Providers (VASP) (Account Guidelines). In issuing the Account Guidelines, the CBN has lifted the restrictions it had previously placed on banks and other financial institutions to close the account of persons dealing in cryptocurrency transactions ie, entities registered by the SEC as VASPs under the Securities and Exchange Commission (SEC) Rules on Issuance Offering and Custody of Digital Assets (Digital Assets Rules) will now be allowed to operate bank accounts pursuant to the Account Guidelines. Conversely, banks and other financial institutions are still prohibited from dealing in cryptocurrency. The framework further provides minimum standards and requirements for banking business relationships and account opening for VASPs and creates effective monitoring of the activities of banks and Other Financial
CHAMBERS.COM