
AN OVERVIEW OF DATA PRIVACY AND PROTECTION IN NIGERIA

Authored By: Henry Nwobiarandu Tehillah

Rivers State University

INTRODUCTION 

In the digital age, personal data has become a valuable asset, and safeguarding it is crucial for individuals and economies. Nigeria’s growing digital economy – with over 107 million internet users by early 2025 (about 45% of the population) – depends on trust in data handling. Concerns about identity theft, misuse of personal data, opaque profiling and unauthorized sharing are widely reported. In response, Nigeria has developed a legal framework to protect data privacy, aligning with global standards such as the EU’s GDPR. For example, the Nigeria Data Protection Act 2023 (NDPA) was specifically enacted to “safeguard personal information” and implement data protection nationwide. This article aims to provide legal professionals with a thorough overview of Nigeria’s data privacy landscape: it clarifies key concepts, outlines the historical and regulatory framework (including NDPR 2019 and NDPA 2023), describes institutional roles, explains core data protection principles, and examines challenges, comparative lessons (e.g. from the GDPR and African regional conventions), and practical recommendations. The methodology is a doctrinal review of statutes, regulations and authoritative commentary, focusing on developments up to 2025. The scope covers primarily the federal laws (especially NDPA 2023), regulations, and relevant constitutional guarantees in Nigeria, while noting significant international influences and best practices. 

CONCEPTUAL CLARIFICATIONS 

MEANING OF DATA PRIVACY AND DATA PROTECTION 

“Data privacy” generally refers to individuals’ right to control their personal information and keep it confidential, whereas “data protection” denotes the legal and technical measures to secure that information. In other words, privacy emphasizes the data subject’s interests and expectations of consent and confidentiality, while protection emphasizes the obligations of data controllers/processors to implement safeguards and procedures. Nigerian law uses “data protection” as its statutory term, but it is premised on the fundamental “right to privacy” guaranteed by the Constitution. Data protection laws aim to operationalize that right by setting rules for the collection, use and sharing of personal data, ensuring data subjects’ privacy rights are respected. This distinction is reflected in practice: data privacy is often about policy and consent (what data is collected and why), while data protection involves security measures, compliance programs, and breach response. 

CATEGORIES OF PERSONAL DATA 

Nigeria’s laws distinguish between ordinary personal data and sensitive personal data (also called special category data). Under the NDPA, personal data means any information relating to an identifiable individual, whether directly or indirectly, including identifiers like name, ID numbers, location data or factors specific to a person’s physical, physiological, genetic, psychological, cultural, social or economic identity. In addition, the NDPA defines sensitive personal data as data revealing information such as genetic or biometric identifiers, race or ethnic origin, religious or philosophical beliefs, health status, sex life, political opinions or affiliations, and trade union membership. These categories require higher protection. For example, processing of sensitive data in Nigeria typically requires explicit consent or other strict conditions, similar to the GDPR’s special categories. The NDPA also allows the Nigeria Data Protection Commission (NDPC) to designate other information as sensitive. 

RIGHTS OF DATA SUBJECTS 

Nigeria’s data protection laws enumerate specific rights for individuals (“data subjects”). These rights include (as enumerated in NDPA Sections 34–38): the right to be informed about the processing of their personal data; the right of access to their data; the right to rectification of inaccurate data; the right to erasure (be “forgotten”); the right to restrict processing; the right to data portability; the right to object to processing (including for direct marketing); the right to lodge complaints with the regulator; and the right not to be subject to automated decision-making without recourse. In summary, data subjects in Nigeria have a range of GDPR-like rights: they can ask controllers what data is held about them, seek correction or deletion, demand explanations of how data is used, withdraw consent, and report abuses. For example, any organization processing personal data must, by law, inform the subject of the purposes of processing and retention period. A data subject can request a copy of their data in a common format (the NDPA even contemplates charging a fee only to cover costs). These rights ensure individuals can exercise control and transparency over their personal information, reflecting international best practice in data privacy.

LEGAL AND REGULATORY FRAMEWORK FOR DATA PROTECTION IN NIGERIA

HISTORICAL DEVELOPMENT OF DATA PROTECTION IN NIGERIA

Nigeria’s modern data protection regime began with regulatory actions rather than legislation. The pioneer instrument was the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA) under the Federal Ministry of Communications. The NDPR provided Nigeria’s first comprehensive data protection rules, drawing heavily on international standards. In 2020, NITDA also issued an Implementation Framework to guide organizations on compliance. Prior to the NDPR, Nigeria had sector-specific laws and policies (e.g. bank data guidelines, communications regulations) but no general privacy law. Meanwhile, Nigeria’s constitutional framework already guaranteed privacy: Section 37 of the 1999 Constitution states that “the privacy of citizens, their homes, correspondence, telephone conversations… is hereby guaranteed and protected”. Moreover, other statutes touched on data issues – for example, the Freedom of Information Act 2011 and the Child Rights Act 2003 include provisions related to personal data; and various sectoral laws (credit reporting, health records, telecommunications registration, etc.) impose data handling requirements. However, none of these laws provided a unified national data protection scheme, which led to the creation of the NDPR.

THE NIGERIA DATA PROTECTION REGULATION (NDPR) 2019 

The NDPR 2019 (NITDA Regulation) introduced basic data protection principles and obligations for data controllers and processors. It defined personal data and sensitive data, required the appointment of Data Protection Officers (DPOs) by organizations, mandated data breach notifications to NITDA, and prescribed security standards. The NDPR also established penalties for non-compliance (fines for data breaches and unauthorized processing). It aimed to fill the gap in Nigeria’s legal landscape. Although the NDPR is a “regulation” and not an Act of the legislature, it was widely treated as de facto binding law. During its tenure, thousands of organizations (especially in banking, telecoms and digital services) registered with NITDA as data controllers/processors or DPOs. The NDPR’s approach was largely inspired by GDPR principles (lawfulness, consent, transparency) and it recognized similar data subject rights.

However, as a regulation, it lacked the full force of law, and enforcement capacity was initially limited. By mid-2025, Nigeria’s NDPC has indicated that with the new legal framework in place, the NDPR regime (including its Implementation Framework) will be phased out and superseded by the NDPA and supporting directives. 

THE NIGERIA DATA PROTECTION ACT 2023 

On June 12, 2023, the President signed into law the Nigeria Data Protection Act, 2023 (NDPA). The NDPA is the country’s first Act of Parliament dedicated to data protection, giving the regime full legislative backing. It covers processing of personal data by automated or non-automated means whenever the controller or processor is in Nigeria or the data subject is a Nigerian (extraterritorial scope). The Act codifies many of the NDPR’s principles and rights in statutory form, and establishes stronger enforcement mechanisms. Under the NDPA, the NDPR remains in effect until September 2025, when a forthcoming General Application and Implementation Directive (GAID 2025) will replace or update the NDPR’s provisions. Key innovations of the NDPA include new definitions (e.g., “Data Controller of Major Importance”), specific lawful bases for processing (beyond consent, similar to GDPR), mandatory registration and auditing for certain entities, and tougher penalties. The NDPA also explicitly created the Nigeria Data Protection Commission (NDPC) (see below). Overall, the NDPA 2023 provides the long-awaited comprehensive legal framework for data protection in Nigeria, aligning domestic law with international standards. 

OTHER RELEVANT LEGISLATION 

Beyond the NDPR and NDPA, several laws intersect with data privacy in Nigeria. The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended) is frequently cited – it prohibits unauthorized access to and interference with data, and makes disclosure of another’s personal information without consent an offense. Other statutes include the Freedom of Information Act 2011 (which contains provisions for personal data exemption and protection), the Credit Reporting Act 2017 (governing use of financial data), the Health Act 2014 (privacy of medical records), and sectoral regulations by the Central Bank and Nigerian Communications Commission (e.g. SIM card registration rules). Importantly, Nigeria has also engaged with regional instruments: it is a signatory to the AU Convention on Cyber Security & Personal Data Protection (the “Malabo Convention”) and a member of ECOWAS, but it has not formally domesticated these treaties. Nevertheless, legal scholars note that the NDPA substantially satisfies the data protection objectives of the Malabo and ECOWAS conventions. Finally, the 1999 Constitution’s guarantee of privacy (Section 37) underpins all of these laws, as it broadly protects citizens’ personal data and correspondence. 

INSTITUTIONAL FRAMEWORK 

ROLE OF THE NIGERIA DATA PROTECTION COMMISSION (NDPC) 

The NDPA explicitly establishes the Nigeria Data Protection Commission as the independent regulator and enforcement authority. The NDPC’s mandate includes overseeing implementation of the Act, licensing Data Protection Compliance Organizations (DPCOs), registering major data controllers/processors, conducting audits and investigations, and sanctioning offenders. In practice, the NDPC has been active since the NDPR days – for example, it organized training for thousands of DPOs and issued guidance notes – but its powers are now grounded in statute. According to the NDPA, the NDPC can require organizations to register or obtain approval, demand compliance audits and breach reports, and impose fines or other penalties for violations. The Commission’s 2024 Annual Report and public statements illustrate its dual focus on raising awareness and enforcing the law. For instance, in 2025 the NDPC conducted over 1,300 investigations across key sectors and levied significant fines (e.g. ₦766.2m on a broadcaster for privacy violations). Thus, the NDPC is the central authority “responsible for enforcing the provisions of the NDPA and the administration of all data protection matters in Nigeria”. 

OTHER REGULATORY BODIES AND THEIR CONTRIBUTIONS 

While the NDPC is primary, other regulators also touch on data privacy within their domains. The Central Bank of Nigeria (CBN), for example, includes data protection in its banking regulations (e.g. Bank Verification Number rules) and closely monitors fintech’s use of consumer data. The Nigerian Communications Commission (NCC) enforces SIM registration policies and mobile network data security. The Federal Competition and Consumer Protection Commission (FCCPC) enforces consumer privacy laws (it recently targeted rogue digital lenders over data abuses). The National Identity Management Commission (NIMC) controls the national ID database (NIN) and its privacy. These agencies often collaborate with the NDPC; the NDPA even authorizes the NDPC to work with sector regulators on overlapping issues. For example, the NDPC has partnered with the National Orientation Agency to launch nationwide awareness campaigns via radio, TV and community outreach. In academia, think tanks and law firms regularly produce guidance for businesses (e.g. NDPR compliance guides), helping interpret the laws. Together, these institutions form a multi-layered regulatory framework for data in Nigeria. 

ENFORCEMENT MECHANISMS 

Enforcement under Nigerian law now blends investigative, administrative and criminal tools. The NDPA empowers the NDPC to compel data controllers/processors to produce records, to inspect facilities, and to require breach notifications (within 72 hours for serious breaches). Contraventions can attract administrative fines: under the NDPR, penalties were up to 10 million naira or 2% of annual turnover; the NDPA’s penalties and enforcement process (e.g. hearings, remediation orders) are designed to be more robust. The NDPC has shown a measured approach: it typically engages non-compliant firms through “pre-action conferences,” requiring remediation where possible, and reserving hefty fines for willful violations. In 2025, after a year of awareness-building, the Commission entered an “era of enforcement,” issuing fines, breach order notices and compliance directives. High-profile actions (such as fining a major broadcaster or closing rogue loan app breaches) demonstrate the NDPC’s enforcement reach. Criminal sanctions under the Cybercrimes Act (for hacking or illegal data sharing) can also apply, although in practice most corporate enforcement is civil/regulatory. Sector regulators likewise enforce privacy rules; for instance, the NCC can fine telecom operators for subscriber data mishandling. Overall, Nigeria’s enforcement regime is evolving, aiming to balance deterrence (through fines and registration requirements) with capacity-building (audits, training, certification of data officers). 

KEY PRINCIPLES OF DATA PROTECTION IN NIGERIA 

The NDPA (and prior NDPR) enshrine well-established data protection principles. Broadly, these mirror international norms: 

Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly and in a transparent manner. In practice, this means controllers must have a clear legal basis (consent, contract, public interest, etc.) for processing and must disclose to data subjects what they are doing with the data. The NDPA’s Section 24(1) explicitly requires that data be “processed in a fair, lawful and transparent manner” and collected for specified, legitimate purposes. This transparency principle is central: organizations are expected to publish privacy notices and policies explaining their data practices. For example, the NDPC’s own guidelines state that data subjects should be informed in a “concise, transparent, intelligible and easily accessible form, using clear language”. 

Purpose Limitation: Data must be collected for explicit, legitimate purposes and not used in ways incompatible with those purposes. That is, a controller cannot collect data for A and then use it for unrelated B without consent or legal basis. The NDPA enforces this in Section 24(1)(b): personal data must not be further processed in a way incompatible with the original purpose. Thus, repurposing data (e.g. using customer emails for marketing without consent) would violate this principle. Organizations should document and stick to specific purposes (e.g. “customer service, billing”) and not blur them. 

Data Minimization and Storage Limitation: Only the minimum necessary data should be collected (“adequate, relevant and limited to what is necessary” per NDPA Sec. 24(1)(c)). This combats over-collection. For example, an app shouldn’t gather full ID images if a phone number suffices. Similarly, data should not be stored longer than needed: NDPA Sec. 24(1)(d) mandates retention “no longer than is necessary” for the purpose. In fact, the NDPR Framework provided specific retention schedules (e.g. 3 years after last use, or 6 years after contract end) in the absence of other requirements. In any case, stale or irrelevant data must be deleted or archived in a safe manner. Recent draft directives (GAID 2025) propose a 6-month maximum retention where the purpose is fulfilled, underscoring storage limitation. 

Accuracy and Integrity: Personal data must be accurate, complete, and kept up to date as necessary. Controllers are obligated to ensure that any errors or outdated information are corrected or erased. This protects data subjects from decisions made on false data. For instance, NDPA Sec. 24(e) (and the right to rectification) explicitly require that inaccurate data be updated. If a bank has a customer’s wrong address, it must correct it upon notice. NDPR even cites cases (from abroad) illustrating the harm of false data. 

Security (Confidentiality and Integrity): Controllers and processors must secure personal data against unauthorized access, disclosure, loss or destruction. Section 24(1)(f) of the NDPA mandates “appropriate security” measures, and Section 39(1) requires technical and organizational safeguards (encryption, access controls, etc.). In practice, this means robust IT security (firewalls, intrusion detection, regular audits) as well as physical and administrative controls (staff training, locked file cabinets, confidentiality agreements). Adequate security is key to preventing data breaches, which must be reported to NDPC when they risk affecting rights of individuals. In a recent NDPC privacy policy statement, the Commission emphasized its commitment to data confidentiality, integrity and availability. 

Accountability: Perhaps the most important principle is that data controllers (and processors) are responsible for complying with all these principles and must be able to demonstrate it. The NDPA explicitly imposes a duty of care on controllers/processors and requires them to “demonstrate accountability” for their processing activities. This means organizations should maintain records of processing, implement data protection policies, perform impact assessments for risky processing, and show regulators that they have taken due diligence. Under NDPA, contracts with third-party processors are mandatory, and liability can flow to both parties. The emphasis on accountability is illustrated by Nigeria licensing Data Protection Compliance Organizations (DPCOs) to audit and certify others. In summary, while the above principles set the what, accountability ensures the how – Nigeria’s framework expects ongoing governance, not just one-off checklists. 

CHALLENGES IN DATA PRIVACY AND PROTECTION IN NIGERIA 

Despite the robust legal framework, Nigeria faces several obstacles in achieving effective data protection: 

Weak Institutional Capacity: Regulatory bodies like the NDPC are still in their infancy and face resource constraints. As NDPC leadership has acknowledged, the Commission struggles with limited funding and a shortage of skilled personnel. When the NDPA took effect in June 2023, Nigeria had under 1,000 certified Data Protection Officers nationwide – a number that has since grown to several thousand, but still falls short of the need. The law itself requires many organizations to have DPOs and comply with audits, but training and licensing enough professionals to meet demand has been slow. In addition, enforcement capacity is stretched: the NDPC must investigate breaches across a population of 220 million, often without proportional budgets or technology. Academic observers note that “weak enforcement by regulatory bodies” has been a recurring issue in Nigeria’s privacy landscape. Strengthening the NDPC (and child agencies like NIMC) with adequate staffing, funding and technical tools is essential to overcome this challenge. 

Low Public Awareness and Compliance Gaps: Surveys and reports indicate that awareness of data privacy rights is very low among Nigerians and even among many businesses. The NDPC has conceded that public “awareness and compliance with the Nigeria Data Protection Act are relatively low”. Most citizens are unfamiliar with the NDPA/NDPR and do not know they have rights to access or erase their data. Meanwhile, a large segment of businesses, especially small and medium enterprises and the informal sector, has yet to implement the required data governance measures. Research has found widespread lack of awareness: “Many citizens are unaware of their rights under the NDPR and NDPA,” undermining the framework. This gap means that even when data abuses occur (for example by digital lenders or telemarketing firms), victims often do not seek redress, and offenders may not feel pressure to comply. It also affects compliance: if customers are not demanding privacy, some companies neglect safeguards. Closing this awareness gap is a critical challenge. Nigeria has launched initiatives (e.g. a national privacy week, media campaigns) to educate businesses and the public, but achieving high-level understanding nationwide will take sustained effort. 

Technological Limitations and Cybersecurity Risks: While mobile and internet penetration are growing, Nigeria still faces infrastructure gaps. As of early 2025, only about 45% of the population were internet users. Many rural areas have limited broadband or power supply, making digital recordkeeping and secure cloud storage uneven. Weak IT infrastructure also hampers timely incident response. At the same time, cybercrime and data breaches are on the rise. The NDPC reports an “intense” year of combating data breaches, noting an average of three daily complaints about exploitative digital lending apps (so-called “loan sharks”) sharing borrowers’ personal data without consent. These loan apps and other fintech platforms often collect sensitive data and have been implicated in harassment of debtors via personal contacts. More generally, hackers and scam networks target Nigeria’s financial and telecommunications networks; incidents of identity theft or SIM swapping have been reported. The Cybercrimes Act criminalizes many of these acts, but enforcement against sophisticated cyber offenders remains difficult. In short, the technological environment is double-edged: it enables digital services but also exposes Nigerians to new data privacy risks. Improving network security, encouraging secure software development, and cooperating internationally against cyber threats are ongoing challenges. 

Cross-Border Data Transfer Issues: Nigeria’s legal framework imposes conditions on transferring personal data abroad. The NDPA prohibits data controllers from exporting Nigerian personal data to any country unless certain safeguards are in place. These include a requirement that the foreign recipient country’s laws provide an “adequate level of protection,” or that the transfer is governed by binding corporate rules, standard contractual clauses or other approved mechanisms. In practice, this raises complexity for multinational businesses and cloud services, since Nigeria has not yet established explicit adequacy determinations or detailed guidance. Some international companies have expressed uncertainty over the pending “General Application and Implementation Directive (GAID) 2025” rules. Without a clear adequacy list or streamlined exemption process, cross-border transfers can face delays or legal risks. At the same time, Nigeria seeks to enable secure international data flows. The law’s cross-border rules are broadly aligned with GDPR (e.g. using EU-style adequacy and contract clauses), which is positive, but the lack of reciprocal agreements (Nigeria is not EU-adequate) means businesses must rely on standard agreements or local representation. As more data-driven services become global, balancing protection with interoperability remains a challenge. 

COMPARATIVE INSIGHTS 

LESSONS FROM THE EU’S GDPR 

Nigeria’s data protection laws borrow heavily from the EU’s General Data Protection Regulation (GDPR). Many NDPA provisions mirror GDPR standards (e.g. detailed data subject rights, data breach notification, accountability obligations). Nigerian lawyers and regulators often look to the EU for guidance. For instance, just as the GDPR phased in enforcement after giving companies time to adjust, the NDPC has followed a similar model: spending its first year on awareness and capacity-building before ramping up enforcement (“the era of enforcement”). From the GDPR, Nigeria can learn the importance of regulatory clarity and communication: EU regulators publish FAQs, opinions, and detailed breach reports, which help unify understanding. Similarly, Nigeria’s NDPC has begun issuing guidance notes (e.g. on cookies, data portability) to clarify NDPA requirements. Another lesson is the potential deterrent effect of significant fines; the ₦766.2 million fine against a Nigerian subsidiary of MultiChoice suggests Nigerian authorities may also wield financial penalties to compel compliance. However, differences remain: unlike the GDPR’s vast enforcement budget and thousands of sanctions, Nigeria’s framework is newer and less resourced, so penalties and cross-border cooperation will evolve. In sum, the GDPR’s emphasis on transparency, individual empowerment and heavy enforcement serves as both a model and a benchmark for Nigeria; stakeholders should continue to monitor EU developments (e.g. court cases on international transfers or algorithmic bias) for applicable insights.

REGIONAL AND INTERNATIONAL BEST PRACTICES 

Regionally, data protection is a growing priority. The African Union’s Malabo Convention (2014) and ECOWAS’s Supplementary Act on Data Protection (2010) set out continent-wide standards. Although Nigeria has signed but not ratified Malabo (and ECOWAS Acts are not automatically enforceable domestically without incorporation), scholars note that NDPA’s substance largely satisfies these regional norms. For example, both frameworks require an independent regulator, protection of data subject rights, and accountability – features Nigeria has implemented. One divergence is that Malabo also covers broad cybersecurity obligations (which Nigeria instead handles through the Cybercrimes Act). Nevertheless, as data flows within Africa increase, Nigeria could benefit from harmonizing its rules with neighbors. For instance, Nigeria can coordinate with Ghana, Kenya and South Africa, which have their own data protection authorities; sharing enforcement experiences (through networks like the Global Privacy Assembly or African Data Protection Authorities forum) can help build capacity. 

On the global stage, Nigeria has sought to align with international best practices. For example, the OECD’s privacy guidelines (which influenced GDPR) have similar principles to Nigeria’s law. Nigeria’s NDPA similarly allows for data export under binding corporate rules and certifications, echoing EU-approved mechanisms. Moreover, Nigeria is participating in global discussions; NDPC officials regularly attend international privacy conferences, indicating a commitment to interoperability. An international best practice is public reporting of enforcement: many jurisdictions publish breach statistics or fine justifications. To emulate this, Nigeria’s NDPC has released annual performance reports and bulletins, although more transparency could bolster public trust. Finally, the education component – training DPOs and citizens – is emphasized by best practices globally. Nigeria has launched innovative programs (e.g. the Virtual Privacy Academy and multi-language awareness campaigns) that reflect this approach. Continued benchmarking against GDPR and other mature laws (such as Canada’s PIPEDA, or Brazil’s LGPD) will help Nigeria adapt its rules to emerging issues like AI ethics and data sovereignty. 

PROSPECTS AND RECOMMENDATIONS 

Nigeria’s data protection landscape is progressing rapidly, but further actions are needed to consolidate gains: 

Strengthening Regulatory Enforcement: The NDPC must be empowered to ensure compliance. This includes increasing its budget and technical resources, hiring more expert staff, and investing in enforcement technology (for example, privacy audit software or AI-based breach monitoring). Legislatively, the government could consider raising statutory fines to make them more dissuasive (especially for large multinationals), and clearly defining enforcement procedures (e.g. timelines for investigations). The NDPC’s use of fines in 2025 suggests deterrent potential, but consistent enforcement will be key. Cooperation with other regulators (e.g. the ICCP or international privacy authorities) can help tackle transnational breaches. Finally, expanding the network of licensed Data Protection Compliance Organizations (DPCOs) will provide private-sector audit and training capacity, indirectly enforcing standards. 

Enhancing Public Awareness and Education: As noted, awareness is low. Nigeria should expand and sustain public education efforts. The NDPC and partners like the National Orientation Agency (NOA) should continue to leverage mass media and community outreach: for example, using 255 radio stations in 72 languages to broadcast data protection messages. Schools and professional institutions should incorporate privacy principles into curricula and training. Public service campaigns (e.g. posters in banks, telecoms, markets) can inform citizens of their rights (e.g. you can request your data back). The NDPC’s Virtual Privacy Academy is a positive initiative; more such portals or mobile apps could reach youth and remote communities. Encouraging civil society, media, and businesses to run their own awareness drives is also important – data literacy is as vital as digital literacy. Over time, a more informed public will demand better corporate data practices and exercise their legal rights, creating a culture of accountability. 

Building Technological Infrastructure: To support data protection, Nigeria must address its digital infrastructure gaps. Expanding reliable internet and mobile broadband access (currently ~45% of the population) will help implement electronic privacy solutions (e.g. secure cloud storage, e-ID cards). Investing in nationwide digital IDs and e-governance (e.g. completing NIN registration) should be paired with strong privacy safeguards. On the cybersecurity front, the government and private sector need to develop robust incident response frameworks and information-sharing hubs (CERTs) to quickly counter breaches. Encouraging local development of security software and encrypted communication tools can reduce dependence on foreign systems. Additionally, as organizations adopt new technologies like AI and blockchain, the NDPC and regulators should proactively research and update guidelines to address emerging privacy risks (for example, drafting rules on automated decision-making algorithms). In sum, technical capacity building and infrastructure investment will underpin the effectiveness of legal protections.

International Collaboration: Data flows know no borders, so Nigeria should deepen international cooperation. Bilateral agreements or memoranda (for example, with the EU or leading economies) on data transfers could facilitate trade and provide clarity on cross-border compliance. At the continental level, Nigeria should ratify and domesticate the African Union’s data protection and cybersecurity conventions. Although the NDPA aligns with them, formal ratification would enhance legal certainty and allow Nigeria to influence the regulatory agenda. Within ECOWAS, Nigeria can work towards harmonizing its law with the ECOWAS Data Protection Act, thereby easing regional business and enforcement. Joint trainings or exchanges among African data protection authorities can build collective expertise. Finally, engaging in global privacy forums will help Nigeria keep pace with best practices and possibly negotiate data adequacy or mutual recognition with other states. By collaborating internationally, Nigeria not only bolsters its own protections but also contributes to a safer global data ecosystem. 

CONCLUSION 

Data privacy and protection in Nigeria have advanced significantly with the enactment of the NDPA 2023 and related regulations. These laws establish a comprehensive regime of rights and obligations modeled on international standards, enforced by an empowered NDPC. Yet, implementation challenges remain: institutions need reinforcement, public awareness must grow, infrastructure must develop, and complex issues like cross-border data flows require careful handling. By learning from global best practices (such as the GDPR’s enforcement model and African regional frameworks) and investing in enforcement, education, technology and cooperation, Nigeria can turn its legal protections into tangible safeguards. The goal is a resilient data privacy ecosystem that earns citizens’ trust and supports the country’s digital development. Achieving this will require commitment from government, industry and society alike, but the foundations now in place suggest Nigeria can become a data privacy leader in the region. 

REFERENCES/BIBLIOGRAPHY 

Nigeria Data Protection Commission (NDPC) – Official website and publications (Mission, “Your Rights as a Data Subject”). 

Nigeria Data Protection Act 2023 (NDPA) (enacted June 12, 2023). 

Nigeria Data Protection Regulation (NDPR) 2019 and Implementation Framework (NITDA).

Constitution of the Federal Republic of Nigeria, 1999 (Section 37).

Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended). 

Mondaq, “Rights Of A Data Subject Under The Nigeria Data Protection Act 2023” (July 25, 2023).

ICLG – Data Protection Laws and Regulations: Nigeria (2025).

Victor, Simon, “Data Protection and Compliance in Nigeria: Challenges and Opportunities”, SSRN (May 2025). 

Eleanya, Frank, TechCabal: “Nigeria’s NDPC battles three loan shark breaches daily” (Sept. 2025). 

Olaniwun Ajayi LP, “Navigating Cross Border Data Transfers – Key Insights Under Nigeria’s Data Protection Laws” (May 2025). 

Tunde & Adisa Legal Practitioners, “Essential Data Privacy Considerations for Nigerian Businesses…” (Sept. 12, 2024).

Osagu, Chuks, “International Data Protection Laws and the Nigerian State”, SSRN (Aug. 20, 2025). 

DataReportal, “Digital 2025: Nigeria” (Global Digital Insights). 

Nigeria Data Protection Commission news releases: “NDPC Outlines Mandate… Permanent Secretary” (May 30, 2025); “NDPC and NOA to Promote Data Protection” (Sept. 2025). 

“Nigeria Data Protection Regulation Performance Report 2020-2021” (NDPC).
