An Insight into Data Protection in Nigeria: The Need for the Next Level

by Olasupo Jubril Adedimeji


Data in this digital age has been referred to “as the oil of the digital era”, it presents “A Trillion Dollar Opportunity” for individuals, corporations, and sovereign states. This is evidenced in the fact that the five most valuable listed firms/companies are those who deal in data of individuals, Facebook, for example, has made millions and is still making millions of dollars over the data of individuals signed up to its platform by offering “advert targeting” to businesses and companies.

Data, according to The Nigeria Data Protection Regulation 2019 (NDPR) are “Characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device”. Data protection is about safeguarding our fundamental right to privacy, within the local and international laws. 

In a clear view, Data protection is commonly defined as the law designed to protect your personal information, which is collected, processed, and stored by “automated” means or intended to be part of a filing system. To safeguard important data from corruption, compromise, or loss, nations of the world put in place regulations and other mechanisms to guarantee these objectives. Nigeria is not left out in this global community of regulations. Thus, the focus of this paper would be on Nigeria.


In Nigeria, until recently, there was no comprehensive regulatory framework for the protection of the private data of individuals. Rather, there were piecemeal data protection provisions in different legislations which were restricted in their scope of application which include Constitution of the Federal Republic of Nigeria 1999 (as amended), Freedom of Information Act 2011, The Cybercrimes (Prohibition, Prevention, etc.) Act 2015, Child Rights Act 2003, National Health Act 2014, The NCC Consumer Code of Practice Regulation 2007, The NCC Registration of Telephone Subscribers Regulation 2011, The Consumer Protection Framework 2016, The National Identity Management Commission Act 2007, The Federal Competition and Consumer Protection Act 2019 and The General Data Protection Regulation. 

However, on the 15th January 2019, the National Information Technology Development Agency issued the Nigeria Data Protection Regulations which has introduced major compliance obligations on Nigerian companies across all sectors, which include audit checks, a publication of data protection policies, filing of audit reports amongst others, and also penalties for its breach. Data protection gives Nigeria access to foster safe conduct for transactions involving the exchange of personal data and ensures that Nigerian businesses remain competitive in international trade.


Significantly, the presence of regulation for data protection has given data users privilege to challenge their right to privacy when tampered upon as seen in the French Data Protection Authority (CNIL) which reportedly slammed “Google” with a fine of £44million, for allegedly breaching the GDPR’s rules on transparency by failing to give Data Subjects adequate information on the use of their data. The CNIL also alleged that Google failed to make the process for declining or withdrawing consent easy for the Data Subjects. 

In a similar vein, Nigeria has had its fair share of data privacy breaches as seen in the recent case between NITDA and TrueCaller (2019) as well as the case involving MTN Nigeria Communications Ltd v Barr. Godfrey Eneye (2013) and Barr. Ezugwu Anene v Airtel Nigeria Ltd (2015) is a few instances. Indeed, the essence of data protection is to minimize the risk of identity theft, exploitation, and manipulation. These personal data reveal a lot about a person, their thoughts, choices, and finances. Furthermore, it makes the body or platform usually referred to as the data controller accountable to the data subject i.e where there is a breach of his obligation in relation to data subjects’ personal data, a data subject has a cause action against the data controller.

Also, data protection makes the data subject to have the right to give the controller access to the individual’s data and the extent of such data. Finally, it imposes obligations on the data controller in relation to the data of individuals or companies. We have established that data protection yields a positive impact and opportunities not only on the users but also in the country. 


It is instructive to note that the NDPR is not without criticism. Paragraph 1.0 (a) of NDPR restricts the safeguard/protection offered under the regulation to only the rights of natural persons and personal data. This means the regulation excludes other forms of data and corporate organizations respectively. This is inadequate because, institutions/organizations can also fall victims to privacy/data breach but if the express provision of the NDPR is slavishly adhered to, then artificial persons can’t take cover under it as currently enacted. 

Furthermore, the NDPR is, sadly, limited to electronic data thereby leaving paper- based data violations without remedies or protection. Recourse may however be had to section 37 of the Constitution but reliance thereon is not without its nuances especially when faced with a narrow minded court as we have seen in the past, where clear cases ofg infringement of privacy have been struck out because the court concerned preferred to deal with them as a tort of nuisance.


To cover these loopholes the following are suggested:

  1. The Personal Information and Data Protection Bill which President Muhammadu Buhari rejected should be reconsidered by the National Assembly and re-drafted to include provisions that will bring it in line with international best practices. This is particularly important bearing in mind the large amount of personal data presently being processed as a result of the COVID-19 pandemic. 
  2. Attention should also be paid to the laws and regulations on data protection that have been promulgated in other African jurisdictions in order to swiftly develop extensive and efficient data protection laws capable of ensuring the adequate safeguard of data. 
  3. The Nigerian data protection regulation should strengthen both data security and governance through the protection of both active and passive parties to cloud services agreements. Federal and state legislature can advance this agenda by maintaining certain basic requirements in cloud service relations/set benchmarks and standards in line with international best practices. 
  4. An organization that engages in the collection of personal data for one purpose and then decides to start analyzing it for completely different purposes should make its users aware of this, except where the data is further processed for archiving purposes.


Data in the computer age has been noted to be one of the most valuable assets in this modern time. As a result, protecting this data from compromise and unauthorized users for the value to be retained is a big deal.

And as such, a large part of the protection strategy has been put in place on ensuring that data can be restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are other key components of data protection; however, the present Nigeria data protection is not at par with other developed sovereign nations of the world regulations and other mechanisms which has guaranteed the data privacy of their citizenry. 

However, Nigeria can meet this standard, if the following can be put into consideration: re-drafting of the Personal Information and Data Protection Bill, concentration to regulations of other nations for adequate and upgrade of our data protection regulation, the advancement of the regulation to cover the field of data security and governance and requesting for data users consent before the collection of the users’ personal data.

Inarguably, the increasing data flows have spurred countries including Nigeria to see the need for the next level in their data protection legislation to collectively ensure that fundamental rights are fully protected in today’s digital economy.

Adedimeji is a law student of the Lagos State University, Ojo, Lagos State, Nigeria.


Leave a Reply

Your email address will not be published. Required fields are marked *