Niger, like other countries in the sub-region, recognizing the urgency of the situation, moved quickly to legislate on personal data protection. The country established a legal framework that both prevents and penalizes violations in this area. To this end, it enacted Law No. 2017-28 on May 3, 2017, concerning the Protection of Personal Data. 

Scope and Applicability. 

Territorial scope 

The Law applies to personal data processing carried out by: 

1. Data controllers or subcontractors based in Niger, or in any location where the law applies. 

2. Data controllers or subcontractors not based in Niger, but using processing means within the country (excluding transit-only means). Such entities must appoint a representative in Niger, although appeals can be made directly against them. 

3. Data controllers or subcontractors not based in Niger, when the processing targets Nigerien citizens or offers goods and services to people in Niger. 

Material scope 

  The Law covers the following types of data processing: 

1. The collection, processing, transmission, storage, and use of personal data by public or private entities and individuals. 

2. Both automated and non-automated data processing by public or private entities and individuals. 

3. Processing data related to public security, defense, criminal investigations, or state security. 

Legal bases 

1. consent 

2. Contract with the data subject 

3. Legal Obligation 

4. Interest in the data subject. 

5. Public Interest. 

Principles 

The principles of legitimacy of processing: - 

• The principles of transparency, lawfulness, and loyalty 

• The principles of purpose and conservation 

• The principles of proportionality and accuracy 

• Principle of confidentiality and security 

Controller and Processor Obligation. 

This law does not differentiate between a Data Controller and a Data Processor. 

Data processing notification

According to Article 29 of Law 2023-31, personal data processing must be notified in advance to the HAPDP. The notification must include a commitment that the processing complies with the requirements of the Law. 

Data transfers 

1. Data transfer to a State ensuring a sufficient level of protection. 

the transfer of a data subject's data to a third country is allowed if the country guarantees individuals a sufficient level of protection in terms of privacy and fundamental rights and liberties. 

2. Data transfer to a State does not ensure a sufficient level of protection. 

The transfer of a data subject's data to a third country that does not provide an adequate level of protection may occur under the conditions set out in Article 63. Specifically, this can happen if the data subject has given explicit, informed, and voluntary consent after being made aware of the risks associated with the lack of adequate safeguards. 

Data processing records 

Articles 64 and 65 of Law 2023-31 require that both the data controller and the data processor maintain a register of processing operations before any processing begins. This register must document activities such as the collection, modification, consultation, communication (including transfers), interconnection, and deletion of personal data. 

Data protection impact assessment 

Under Article 67 of Law 2023-31, for certain processing of sensitive data that may infringe on individuals' rights and freedoms, the HAPDP may require the data controller to conduct a privacy impact assessment before granting authorization. The HAPDP also maintains and publishes a list of processing activities that are deemed to pose a high risk to individuals' rights and freedoms. 

Data Protection Officer appointment 

There is no provision in the law relating to the appointment of a data protection officer.  

Data Breach notification. 

According to Article 83 of Law 2023-31, as soon as the data controller is aware of a data breach, they must notify, without delay, the HAPDP. When a data breach is likely to result in a high risk to the rights and liberties of an individual, the data controller communicates the breach to the data subject.  

Data Retention 

Article 84 of Law 2023-31 stipulates that personal data must be retained only for as long as necessary to fulfill the purpose for which it was collected or processed. However, it may be kept for a longer period if required, particularly by the HAPDP. 

Children's data 

Not applicable. 

Special categories of personal data 

Chapter VII of the Law 2023-31, treats the specific principles of personal data, in particular public opinions, racial, or ethnic data.   

Data Subject Rights 

1. Right of Information  

2. Right of Direct Access 

3. Right of Indirect Access 

4. Right to Rectification. 

5. Right to erasure 

6. . Right to object 

7. Right to data portability 

8. Right not to be subject to automated decision-making 

9. Right of digital oblivion 

10. Right to restriction of Processing  

Penalties 

In case of breach of the Law, a judge can apply sanctions ranging from a prison sentence of three to five years and a fine of XOF 500,000 (approx. $827.29) to XOF 50 million (approx. $82,729.40), depending on the case of breach.