Niger - Data Protection Overview

February 2024

1. Governing Texts

Niger, like other countries in the sub-region, aware of the urgency of the moment, hastened to legislate in the field of personal data protection, regulating the protection of personal data by providing a 'legal arsenal' of a preventive but also repressive nature. In this respect, it enacted Law No. 2017-28 of May 3, 2017, on the Protection of Personal Data, which is amended and supplemented by the following laws:

  • Law N° 2019-71 of December 24, 2019 (only available in French here) ('the Law'), which creates the High Authority for the Protection of Personal Data ('HAPDP');

  • Law N° 2022-59 of December 16, 2022, on the Protection of Personal Data (only available in French here) ('Law 2022-59'); and

  • Law N° 2023-31 of July 4, 2023 (only available in French here) ('Law 2023-31'), amending Law No 2022-59 of December 16, 2022, on the Protection of Personal Data.

Personal data is constantly processed at work, in dealings with public authorities, in the health sector, when purchasing goods and services, when traveling, or when searching on the internet. At this level, it should be noted that personal data is defined as 'any information of any nature whatsoever and regardless of its medium, including sound and image, relating to a natural person identified or identifiable directly or indirectly by reference to an identification number or to several specific elements, specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity' (see section on key definitions below).

1.1. Key acts, regulations, directives, bills

  • Decree No. 2020-309/PRN/MJ of April 30, 2020, setting the terms of application of Law No. 2017-28 of May 3, 2017, on the protection of personal data as amended and supplemented by the Law (only available in French here);

  • Order No. 000045 of October 5, 2020, determining the profile and setting the conditions of remuneration of the personal data protection correspondent (only available in French here);

  • Law No. 2018-45 of July 12, 2018, on Electronic Communications (only available in French here);

  • Law on Cybercrime of 2019 (only available in French here) amended and supplemented by Law N° 2022-30 of June 23, 2023;

  • Decree N° 2023-1083 of November 23, 2023, establishing the anti-cybercrime office (only available in French here); and

  • WAPIS - Best Practice Guide of Data Protection of ECOWAS of June 2020 (only available in French here).

1.2. Guidelines

The HAPDP is an independent administrative authority set up under the Law.

On August 6, 2020, it announced that it had officially launched its operations on August 5, 2020 (only available in French here).

The HAPDP has released the following guidance:

  • Guidance on guiding principles for data protection (only available in French here);

  • Guidance on the rights of data subjects in the processing of their personal data (only available in French here); and

  • Guidance on the duties of the data controller (only available in French here).

The HAPDP has also released the following relevant supplementary resources:

  • List of data controllers that have designated a personal data protection correspondent; and

  • List of data controllers compliant with the Law (only available in French here).

Further to this, the HAPDP has provided the following forms to aid in compliance with the Law:

  • Form for the designation of the personal data protection correspondent (only available to download in French here);

  • Form for declarations to the HAPDP (only available to download in French here);

  • Form to request the opinion of the HAPDP (only available to download in French here);

  • Form to request authorization from the HAPDP (only available to download in French here); and

  • Form for the request of authorization to transfer personal data to a third country (only available to download in French here).

1.3. Case law

We have not seen any information relating to case law.

2. Scope of Application

2.1. Personal scope

The Law applies to any collection, processing, transmission, storage, and use of personal data by entities under public and private law as well as by individuals.

2.2. Territorial scope

The Law applies to personal data processing handled by:

  • a data controller or a subcontractor established on the national territory and in any place where this law applies;

  • a data controller or a subcontractor not established in Niger, who uses processing means located on the national territory, excluding means which are only used for transit purposes in the territory. When it is not established in Niger, the data controller must appoint a representative established in the national territory, notwithstanding the appeals which may be lodged directly against him; or

  • a data controller or a subcontractor not established in Niger, when the processing activity targets Nigerien citizens or the offering of goods and services to persons established in Niger.

2.3. Material scope

Under the provisions of the Law, the following types of processing are covered:

  • any collection, processing, transmission, storage, and use of personal data by legal entities under public or private law as well as individuals;

  • any automated or non-automated processing of data provided or to appear in a file, implemented by entities under public or private law as well as individuals; and

  • any processing of data relating to public security, defense, research, and prosecution of criminal offenses or state security.

However, the following are excluded from the scope of the Law:

  • data processing carried out by an individual in the exclusive context of their domestic activities provided, however, that the data is not intended for third parties or disclosure;

  • temporary copies made as part of the technical activities of transmission and supply of access to a digital network; and

  • the processing of personal data for literary, artistic, or journalistic purposes, whatever the media used, in compliance with the rules of professional conduct and ethics of these professions and the mandatory moderation rules applicable to discussion forums or other broadcast media.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Pursuant to Article 43 of the Law, the HAPDP is in charge of ensuring that the processing of personal data is carried out in accordance with the provisions of the Law.

It is an independent authority that is part of the Presidency of the Republic (Article 6 of Law 2023-31).

3.2. Main powers, duties and responsibilities

The HAPDP is composed of eleven members chosen because of their legal and/or technical competence.

The HAPDP's role is to ensure that any processing of personal data is in accordance with the Law. In addition, the HAPDP's responsibilities include informing data controllers and data subjects of their rights and obligations, handling complaints, conducting audits, and sanctioning data controllers who are in breach of the Law.

4. Key Definitions

Data controller: The natural or legal person, public or private, any other agency or association which, alone or jointly with others, takes the decision to collect and process personal data and determine the purposes thereof.

Data processor: A subcontractor, individual, public or private legal entity, or any other agency or association that processes data on behalf of the data controller.

Personal data: Any information of any nature whatsoever and regardless of its medium, including sound and image, relating to a natural person identified or identifiable directly or indirectly by reference to an identification number or to several specific elements, specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.

Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data, prosecution, criminal or administrative sanctions.

Health data: Any information concerning the physical and mental state of a data subject, including the aforementioned genetic data.

Biometric data: Any personal data resulting from specific technical processing, relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms their unique identification, such as facial images or fingerprint data.

Pseudonymization: Processing of personal data in such a way that they can no longer be attributed to a person without recourse to additional information.

5. Legal Bases

5.1. Consent

Any processing of personal data can only take place if the person concerned, the data subject, has expressed their consent in a free, specific, informed, and unambiguous manner. The processing of personal data is considered legitimate if the data subject gives their prior express consent.

5.2. Contract with the data subject

The requirement of prior consent may be waived where the controller is duly authorized and the processing is necessary for the performance of a contract to which the data subject is a party or in order to take pre-contractual measures at their request.

5.3. Legal obligations

The requirement of prior consent may be waived where the controller is duly authorized and the processing is necessary to comply with a legal obligation to which the controller is subject.

5.4. Interests of the data subject

The requirement of prior consent may be waived where the controller is duly authorized and the processing is necessary to protect the interests or fundamental rights and freedoms of the data subject.

5.5. Public interest

The requirement of prior consent may be waived where the controller is duly authorized and the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The principles of legitimacy of processing

The processing of personal data is considered legitimate if the data subject gives express prior consent.

The principles of transparency, lawfulness, and loyalty

Data must be processed fairly, lawfully, and transparently. The lawfulness of the processing refers to its legal basis (legal obligation, contractual obligation, etc.). Fairness of processing refers to how the data is collected. This principle refers to the individual's right to information. Data must not have been collected and must not be processed without the knowledge of the data subject. This principle also requires providing data subjects with several pieces of information (on the processing of their data, but also on their rights).

The principles of purpose and conservation

Personal data must be collected for specified, explicit, and legitimate purposes and not be further processed in a way incompatible with those purposes. The purpose of the processing operations to be carried out must be specified in the declaration or request for an opinion submitted to the HAPDP.

Personal data collected must be kept for a period that does not exceed the period necessary for the purposes for which they were collected or processed. Beyond that period, they may only be stored for historical, statistical, or research purposes under legal provisions.

The principles of proportionality and accuracy

Data must be adequate, relevant, and not excessive in relation to the purposes for which they are collected and further processed. The data controller must not collect more data than it actually needs. Thus, only data strictly necessary for the achievement of the specified purpose must be collected.

The data must also be accurate and, where necessary, updated. Every reasonable step must be taken to ensure that data that are inaccurate or incomplete, having regard to the purposes for which they are collected and further processed, are erased or rectified.

Principle of confidentiality and security

It is the responsibility of the controller as well as the subcontractor to ensure the confidential processing of personal data.

7. Controller and Processor Obligations

The Law does not differentiate between the data controller and the data processor.

However, the Law defines the data controller as being the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data controller must ensure, inter alia, that:

  • data is collected and processed fairly and lawfully;

  • data is collected for specified, explicit, and legitimate purposes and subsequently processed in a manner that is compatible with such purposes;

  • data is adequate, relevant, and not excessive in relation to the purposes for which it was collected;

  • collected data is accurate and complete;

  • collected data is retained in a form that allows the identification of the data subjects for a period that is no longer than necessary for the purposes for which it was collected;

  • data subjects are informed of the data processing;

  • data subjects have given their consent to the data processing;

  • data subjects have the right to access the data and request amendments or deletions;

  • persons with access to the system can only access the data they are allowed to;

  • non-authorized persons cannot read, copy, modify, destroy, or move data;

  • all data introduced in the system is authorized;

  • non-authorized persons will not use data transmission facilities to enter into the data processing system;

  • the identities of third parties having access to personal data will be checked;

  • data is backed up with security copies; and

  • data is renewed and converted to preserve it.

7.1. Data processing notification

Under the provisions of Article 29 of Law 2023-31, the processing of personal data is subject to prior notification to the HAPDP. The notification must include an undertaking that the processing meets the requirements of the Law.

However, for certain types of personal data processing, prior authorization of the HAPDP is required. This is particularly the case for the processing of personal data relating to genetic data, medical data, and scientific research.

7.2. Data transfers

Data transfer to a State ensuring a sufficient level of protection

Pursuant to Article 62 of Law 2023-31, the transfer of a data subject's personal data to a third country is allowed if the country guarantees individuals a sufficient level of protection in terms of privacy and fundamental rights and liberties.

Prior to any transfer of personal data to a third country, the data controller must:

  • implement technical and organizational security measures guaranteeing in particular encryption, availability, confidentiality, and data integrity as well as the constant resilience of processing systems and services; and

  • request authorization from the HAPDP.

Data transfer to a State not ensuring a sufficient level of protection

Notwithstanding the provisions of Article 62 of Law 2023-31, the transfer of a data subject's personal data to a third country which does not ensure a sufficient level of protection can be carried out under the conditions defined in Article 63, in particular, if the data subject has given specific, free, informed, and unequivocal consent, after having been informed of the risks linked to the absence of appropriate guarantees.

7.3. Data processing records

Articles 64 and 65 of Law 2023-31 outline that the data controller and the data processor must keep, prior to the implementation of processing, a register of operations that must record the collection, modification, consultation, and communication including transfers, interconnection, and deletion of personal data.

The data controller and the data processor make this register available to the HAPDP when it requests it, particularly during an on-site or documentary inspection.

The HAPDP issues a certificate of conformity for the procedures and products relating to the protection of personal data when this complies with standards.

7.4. Data protection impact assessment

Pursuant to Article 67 of Law 2023-31, for certain processing relating to sensitive data likely to infringe the rights and liberties of individuals, the HAPDP may, before issuing an authorization, require from the data controller an impact analysis of the private lives of the persons concerned.

The HAPDP establishes and publishes a list of processing operations that are likely to present a high risk to the rights and liberties of individuals.

7.5. Data protection officer appointment

There is no provision in the law relating to the appointment of a data protection officer.

However, Article 79 of Law 2023-31 pertains to the designation of the personal data protection correspondent, which is defined as the person designated by the company who must possess the required qualifications to carry out their duties.

Furthermore, the data controller's designation of a correspondent must be notified to the HAPDP.

7.6. Data breach notification

According to Article 83 of Law 2023-31, as soon as the data controller is aware of a data breach, they must notify, without delay, the HAPDP.

When a data breach is likely to result in a high risk to the rights and liberties of an individual, the data controller communicates the breach to the data subject.

7.7. Data retention

According to Article 84 of Law 2023-31, personal data must be kept for the period of time necessary to fulfil the purpose for which they were collected or processed.

Data can be kept for a period beyond the time necessary, in particular by the HAPDP.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Chapter VII of Law 2023-31 addresses the specific principles applicable to personal data, in particular public opinions and racial or ethnic data.

7.10. Controller and processor contracts

The Law does not specify the form of the relationship between the data controller and the data processor. Article 86 of Law 2023-31 states that when the processing of personal data is carried out on behalf of the data controller, the latter must choose a subcontractor who provides sufficient guarantees for the protection and confidentiality of this data.

The data processor is subject to the same obligations as the data controller.

Any processing carried out on behalf of the data controller by the data processor must be governed by a confidentiality contract or any other legal act recorded in writing which binds the parties.

8. Data Subject Rights

8.1. Right to be informed

Right of information

Pursuant to Article 68 of Law 2023-31, unless otherwise provided by law or regulation, the data controller is required to provide the data subject with information about said processing, at the latest upon collection.

8.2. Right to access

Right of direct access

Pursuant to Article 69 of Law 2023-31, the data subjects have a right to direct access to their data. This right can, according to their choice, be exercised by on-site consultation and/or by delivery.

The data subject can ask questions of the data controller and obtain from it the information relating to them.

Right of indirect access

By derogation from the aforementioned Article 68 of Law 2023-31, when processing concerns state security, defense, or public security, the right of access is exercised according to the conditions of Article 70 of Law 2023-31.

8.3. Right to rectification

Under the provisions of Article 71 of Law 2023-31, any natural person who can prove their identity may require the data controller to rectify, complete, update, block, or delete, as the case may be, any personal data concerning them that is inaccurate, incomplete, ambiguous, out of date, or whose collection, use, communication, or storage is prohibited.

8.4. Right to erasure

Under the provisions of Article 73 of Law 2023-31, the data subject may require the data controller to delete their personal data which are inexact, incomplete, ambiguous, out of date, or whose collection, use, communication, or storage is prohibited.

The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the cessation of the dissemination of such data, in particular with regard to personal data which the data subject made available when they were a minor, or for one of the following reasons:

  • the data is no longer necessary for the purposes for which they were collected or processed;

  • the data subject has withdrawn the consent on which the processing is based or where the authorized retention period has expired and there are no other legal grounds for processing the data;

  • the data subject objects to the processing of personal data relating to them where there is no legal ground for such processing;

  • the data processing does not comply with the provisions of this Law; or

  • for any other legitimate reason.

8.5. Right to object/opt-out

Right to object

In light of Article 72 of Law 2023-31, any data subject has the right to:

  • oppose, for legitimate reasons due to their particular situation, the processing of their personal data unless legal provisions expressly provide for the processing;

  • oppose the processing of their personal data for prospecting purposes; and

  • be informed before their personal data is communicated for the first time to third parties for prospecting purposes.

The provisions of Paragraph 1 of this article do not apply when the processing is aimed at meeting a legal obligation or if the data controller demonstrates to the HAPDP the existence of legitimate reasons justifying the processing which prevail over the interests, rights, and fundamental liberties of the data subject.

8.6. Right to data portability

Pursuant to Article 76 of Law 2023-31, any individual, proving their identity, has the right to transmit their data to another data controller, according to the state of technology, without objection from the data controller to which the data has been communicated.

The right to data portability does not prejudice:

  • the rights and liberties of third parties;

  • the execution of a mission of public interest or the exercise of public authority by the data controller; or

  • the exercise of the right of erasure.

8.7. Right not to be subject to automated decision-making

In accordance with Article 52 of Law 2023-31, no court decision, and no administrative or private decision, involving an assessment of the behavior of a natural person may have as its sole basis an automated processing of personal data intended to provide a definition of the profile or to evaluate certain aspects of their personality.

8.8. Other rights

Right of digital oblivion

Pursuant to Article 74 of Law 2023-31, the data subject has a right of digital oblivion regarding their personal data which are collected and made public.

The data controller defines appropriate mechanisms ensuring the respect for the right of digital oblivion and the erasure of personal data or periodically examines the need to retain this data, in accordance with Law 2023-31.

Right to restriction of processing

Exercising the right to restriction of processing allows any person to ask an organization to temporarily freeze the use of certain of their data.

The terms of implementation of the right to restriction of processing are set by a Decree adopted by the Council of Ministers.

9. Penalties

There are two types of sanctions for non-compliance with the Law: those pronounced by the HAPDP and those pronounced by the judge.

Sanctions from the HAPDP

The HAPDP may impose the following administrative and financial sanctions:

  • to issue a warning to the data controller who does not comply with the obligations of the Law;

  • to issue a formal notice to put an end to the breaches within a fixed period;

  • to issue a provisional withdrawal of the authorization granted by HAPDP; and

  • to issue a permanent withdrawal of the authorization.

The amount of the financial penalty is proportional to the gravity of the breaches committed and to the benefits derived from this breach.

Sanctions from the judge

In case of breach of the Law, a judge can apply sanctions ranging from a prison sentence of three to five years and a fine of XOF 500,000 (approx. $827.29) to XOF 50 million (approx. $82,729.40), depending on the case of breach.

9.1. Enforcement decisions

We are not aware of any notable enforcement decisions regarding data protection in Niger.
