MULTICHOICE GOT FINED BIG - HERE’S WHAT NIGERIAN BUSINESSES CAN LEARN

In a major enforcement move, the Nigerian Data Protection Commission (NDPC) recently issued a 766,242,500 million naira fine to Multichoice Nigeria, a subsidiary of Africa’s leading entertainment platform, for breaching the Nigeria Data Protection Act (NDPA) and the constitutional right to privacy.

Following the investigation which commenced in 2024, the Commission discovered that Multichoice violated the data privacy rights of both subscribers and non-subscribers and also, carried out illegal cross-border transfer of personal data relating to data subjects in Nigeria.

As part of its remediation procedure, the Commission directed Multichoice to take remedial measures. But after reviewing what was done, the Commission found their efforts unsatisfactory. In light of their poor cooperation, the Commission went ahead to impose a fine of ₦766,242,500 for breach of the NDPA.

This action taken by NDPC reinforces the fact that compliance with the Act is not optional and no company is too big or too small to be held accountable.

Key Takeaways for Companies and other Data Controllers

1. Data must be processed lawfully, transparently, collected for specific purposes and protected. Data Controllers must also minimize data collection, retain said data for not longer than necessary and demonstrate accountability at all times.

2. Data controllers must not process personal data without the consent of the data subject. Such consent must be unambiguous, informed, voluntary and the data subject must at the time of consent be informed of their right to withdraw consent.

3. Data controllers are prohibited from the transfer of personal data from Nigeria to another country unless the destination country offers an adequate level of data protection and the data controller has implemented appropriate safeguards.

4. Data controllers are legally required to cooperate with the Commission during investigation, and this means swift response and full disclosure. Being uncooperative or slow to act only adds to the problem.

To avoid being found wanting by the NDPC, it is advisable to do the following;

- Conduct regular data audit to make sure you’re in compliance with the principles governing processing of personal data and also, not violating the rights of data subjects.

- Train your staff to understand and apply the requirements of the NDPA in their daily work activities.

- Keep records of all data processing activities, you may have to prove compliance sometimes.

- Carry out due diligence. This goes beyond data handling, but also involves response to oversight. Therefore, respond swiftly to regulators inquiries.

- Lastly, have a Data Protection Officer. (But of course you already have one…..right? RIGHT??)

I am Joy Chidinma Etenwa Esq, your latest gen z lawyer helping you navigate the fine print before it becomes a fine. Stay tuned for more😉