Authored By: Juwe Uzochikwa Rabin
University of Nigeria, Nsukka
ABSTRACT
The rapid growth in technological and digital infrastructure and resources has ushered in an era of tremendous developments globally. The world has undergone a swift evolution from the analogue era to a period of digital transformation. These developments have come with their perils with regard to data privacy, especially as we attempt to reconcile this right with the need to protect public interest. This paper analyzes the tension between data privacy rights, the demands of public interest in a digital era and the risks of unauthorized data exposure. Through an analytical review of the NDPA, GDPR and constitutional provisions, the study examines informed consent as a core legal pillar. While acknowledging exceptions for public security and health, the paper argues that such interests must not override individual autonomy. It concludes by recommending robust legislative enforcement, encryption and transparency to harmonize personal privacy with societal progress.
Introduction
The privacy of data is a requisite in maintaining balance in the society and in ensuring the protection of identity and personal information from unauthorized exposure.
Data privacy, also “information privacy”, is a fundamental and indispensable human right that exists to safeguard individual autonomy and freedom. It is the protection of data and restriction of unauthorized access to sensitive information. This right is provided for in Article 17 of the International Covenant on Civil and Political Rights (ICCPR).1
Vast amounts of data are collected and processed daily when people access various platforms like social media and engage in e-commercial activities and financial services. As a result of this and to protect the rights of individuals, organizations and the government, ensuring the privacy of data has become a critical concern.
It is essential that Data privacy data be enforced and maintained to the extent of establishing a balance between individual rights and the interest of the society. Privacy of data restricts malicious access to personal information or records of individuals or organizations that might endanger the victims of the exposure.
With regard to this, the bulk of concern and effort of the society should be channeled towards achieving a balance between these conflicting interests.
To further buttress this point, the critical events of 2024 in Nigeria regarding the National Identity Management Commission & AnyVerify Data Leak is brought to notice (NIMC 2024)2.
The state was plunged into a crisis when in 2024, investigative reports revealed that private websites like XpressVerify and AnyVerify had gained unauthorized access to Nigeria’s NIMC database. It was reported that sensitive data including Identity Numbers, Bank Verification Numbers and home addresses were being sold to the public for as little as 100 Naira ($0.07). This exposure put millions at risk of targeted kidnappings, financial fraud and identity theft (Paradigm Initiative 2024).3 Subsequently, the Nigerian government through its legislative and regulatory arms and in a bid to surmount this risk, took action to strengthen the legal framework surrounding digital identity by repealing and re-enacting the NIMC Act.
It is imperative therefore, that with the occurrences of colossal data breaches in emerging digital ecosystems, the equipoise between individual rights and the public interest can only be attained through enforcement of legislative regulations that prioritize individual consent over bureaucratic convenience.
Research Methodology
The information in this essay was gathered through a comprehensive review of legal authorities and analysis of legal commentaries and glossaries from reputable data privacy organizations. A number of these sources are Privacy Engine, HUDOC – European Court of Human Rights, Brit Certifications and Assessments.
To create a better understanding of the issue in question, an analytical strategy or method of research and evaluation was adopted.
What is Data Privacy?
Data privacy helps ensure that sensitive data is only available to approved data processors. It prevents criminals from fraudulently gaining access to and using data, it ensures that organizations meet regulatory requirements stipulated by certified data controllers.
Data privacy applies to Personal Health Information and Personal Identification Information. These include financial information, medical records, social security, birth dates, contact information and even cookies.4
Privacy is a constitutional right; the Constitution of the Federal Republic of Nigeria5 lends credence to this right. In Section 37, it guarantees the privacy of citizens, correspondences, telephone conversations and telegraphic communications.
Similarly, India’s ‘Digital Personal Data Protection Act (DPDP) 2023’ also provides grounds for data privacy.6 In a situation where there is an infringement on this privacy, there may be hazardous effects: cyber-attacks, financial losses, reputational damages and even blackmail.
Privatization of data is immensely beneficial to individuals and organizations because it helps build trust, prevents identity theft, helps in maintaining personal autonomy, ensures dignity and freedom, protects intellectual property amongst other benefits.
Data privacy is crucial in maintaining trust and reliance between individuals and data processors. When individuals share or allow access to personal information, they expect that it should be used responsibly and stored securely. However, the concept of privacy of data should not be considered only on the basis of individual rights, but also in fostering a secure digital environment for businesses and the government.
While it has been established that individual rights are of paramount necessity, it is also essential that the interest and requirements of the public be considered in the context of data privacy.
Governments and organizations collect and process vast amounts of data daily in order to provide essential services, prevent crimes and promote public health. For instance, data gathering and analysis can help identify patterns of disease outbreaks, enabling targeted interventions and saving lives. Similarly, data-driven law enforcement can help prevent and investigate crimes, ensuring public safety. However, these benefits must be weighed against the potential risks and damages to individual privacy, highlighting the need for a multifaceted approach that balances competing interests.
Achieving and maintaining this balance between individual rights and the public interest in data privacy is a challenge, which requires collective attention and effort. Rights advocates argue that robust data protection measures are imperative in preventing misuse of personal data and in protecting individual autonomy; while proponents of public interest argue that access to data is necessary for the seamless provision of essential services, prevention of crime, etcetera (Onabuchi P.)7 Uncertainty then lies in creating an equilibrium that acknowledges and protects the rights of individuals, while also serving public interest.
On certain occasions, data is collected and processed without explicit and formal consent. Hence, the enactment of comprehensive data protection frameworks, in addition to existing ones, is essential for safeguarding the rights of individual in a digital community.
Data Privacy Consent and the Legal Framework for Data Protection
Consent is a core principle of data protection. Section 25(1)(a) of Nigeria Data Protection Act (NDPA), 2023,8 establishes unwithdrawn consent as a lawful basis for data processing. Data Privacy Consent is the approval given by a data subject for the collection, processing, storage and usage of their personal data. (PrivacyEngine)9. In recent years, various legal frameworks, laws and regulations have been set up to govern data privacy and protect the rights of individuals. The NDPA 2023 demands informed consent in processing data. Similarly, the European Union’s General Data Protection Regulation (GDPR) 2018, 10 restricts collection of data to informed consent, providing a comprehensive framework for data protection and imposing significant penalties for non-compliance. These frameworks emphasize the importance of acquiring consent, employing transparency, accountability and individual control in data processing.
In Nigeria, the balance between data privacy rights and public interest is established by the NDPA 2023.11 The Act permits processing of data in the public interest, only if the data controller establishes that the public interest or other legitimate grounds supersede the fundamental rights of the individual. This connotes that the guaranteed right of protection of personal data and information is not extreme or absolute; it requires justification for an exemption in extraordinary circumstances pertaining to national security or humanitarian emergencies but not for marketing or other unauthorized operations.
Several laws and regulations have been enacted and incorporated into the legal systems of various jurisdictions. These rules stipulate restrictions to be observed in the collection and storage of data. For example:
- Constitution of Nigeria (1999): It is of necessity to reiterate that the fundamental right to privacy of persons, provided for by the Constitution of the Federal Republic of Nigeria is not entirely absolute. There are some restrictions to this right. Section 45(1) allows for laws that are reasonably justifiable in a democratic society in the interest of national security, in order to maintain public order, public health or to protect the rights of others.
- European Convention on Human Rights: Article 8 of the ECHR guarantees respect for private and family life.
- Nigerian Data Protection Act (NDPA) 2023: This Act establishes a legal framework for data protection in Nigeria. It outlines the rights of individuals, including the right to object to data collection and processing.
- United Kingdom Data Protection Act 2018 (DPA): The DPA of the United Kingdom governs how businesses, organizations and the government use personal data.
Judicial Interpretation of Data Privacy Breaches in Nigeria
- Exceptions for Public Interest: Data processing for public interest is generally permissible for specific, legitimate, and lawful purposes. However, it is as an exception, and not a rule. In the locus classicus case of Incorporated Trustees of Personal Data Protection Awareness Initiative (PDPA) v. Nizamiye Hospital, FCT,12 the data privacy obligations of an individual and its enforcement mechanisms were examined. The suit was instituted on an alleged breach of Section 24 and Section 27 of the NDPA, 2023, due to the defendant’s usage of a CCTV surveillance and website-tracking device without appropriate notification to the subjects. The defendants had also failed to conduct a Data-Privacy Impact Assessment (DPIA) and to deploy privacy notices on their websites and other mediums to inform individuals of how their personal data is collected, processed and stored; as mandated under Article 2.5 of the Nigerian Data Protection Regulation.
- Strict Interpretation: It is essential to note that despite the exception, arguments of public interest in defense of allegations of data breaches are not always upheld, especially when they pose significant risks or abuse. This was given judicial notice in the case of Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v. National Identity Management Commission (NIMC).13
- Superseding Legitimate Grounds: Under the NDPA, an individual can object to the processing of their personal data. The data processor must, in such case, discontinue processing unless they can demonstrate a public interest or other legitimate grounds that override the data subject’s fundamental rights and freedoms, without posing any risk to the individual in any way.
- Limited Scope: The exceptional basis of use in public interest for data processing is often restricted to situations of true public need, such as public health or humanitarian crises.
- Direct Marketing Exception: However, the right to object to processing of data for direct marketing is absolute. If the individual objects, the controller must immediately terminate any processing for such purposes. This was enunciated in Section 36 of the NDPA 2023.
- Balancing Interests: The Nigerian legal framework attempts to balance individual privacy with broader societal interests. Although exceptions exist for public interest, such as national security and law enforcement, they must be applied judiciously and with proper oversight by the Nigeria Data Protection Commission (NDPC). There is need to ensure that individual rights remain adequately safeguarded within the digital economy.
Recommendations
To achieve a balance between individual rights and public interest in the handling of data in this digital age, it is necessary to adopt the following strategies:
Data Protection Frameworks: Governments and organizations should establish and stringently enforce comprehensive data protection regulations that prioritize individual rights and provide transparency and accountability in data processing while putting the public interest into consideration. These should be ensured in addition to sanctions accompanying a breach of such regulations.
Implementation of Technological Solutions: In order to support and ensure achievement of this aim, certain technological solutions such as anonymity, encryption, and related measures should be implemented to protect sensitive data and condition the use of data for legitimate purposes. Encryption ensures data is protected from unauthorized access, while anonymity guarantees the use of data for research and analysis. Adoption of these strategies can help strike a balance between individual rights and the public interest by ensuring the use of data for legitimate purposes while protecting individual privacy. This way, the rights of individuals are safeguarded and data is made available for interest of the public under the cloak of anonymity.
Accountability and Transparency: These traits should be imbibed and promoted in all stages of data processing, thus, granting individuals control over their information and at the same time holding organizations accountable for misuse of data.
Withdrawal of Consent: Section 35(1) of the NDPA 2023 states that individuals should be aware of and exercise their rights to withdraw previously given consent to the processing of their data whenever they want. The Indian Digital Personal Data Protection Act14 also has such provision.
International Cooperation: All forms of collaboration with international agencies and corporations such as Organization for Economic Co-operation and Development (OECD) and others should be fostered to address this global issue. This would enable the development of consistent data protection standards and solutions and facilitate the sharing of best practices.
Conclusion
In an era of data-driven innovation, the dissonance between individual privacy rights and the broader public interest has aroused concern. This necessitates a balance; a compromise that allows individuals to regulate who has access to their personal information without hindering societal and technological growth.
While it has been agreed that the rights of individuals to privacy are paramount, the public interest must also be considered in the scope of data privacy. The solution is neither absolute privacy nor complete access, but for organizations and entities to always obtain informed consent before accessing or using any collected data. By obtaining consent, organizations show that they value and respect the privacy of their data subjects.
Public interest is indeed an essential and valid exception. However, it should not utterly supersede the fundamental right to individual sovereignty and explicit consent. The central view is that an individual is the principal decision-maker in issues concerning his/her data to encourage healthy and trustworthy relations between individuals and data processors.
It has been established that data collected for a specific purpose should not be used for activities unrelated to the necessary public interest tasks without acquiring permission or a legitimate basis.
The privatization of data is a collective responsibility, requiring the cooperation of both the government, organizations and individuals in order to achieve harmony and ensure that the benefits of the digital age are attained, while minimizing the possible risks of infringement on privacy. By establishing stringent data protection frameworks, monitoring compliance, implementing various technological solutions and promoting accountability, we can arrive at a balance, respecting individual autonomy while also serving the public interest.
Thus, the path to maintaining this balance lies in constructing thoughtful, transparent and adaptive frameworks that respect personal autonomy while ensuring societal progress.
REFERENCE(S):
Primary Sources
Statutes and Statutory Instruments
California Consumer Privacy Act 2018
Constitution of the Federal Republic of Nigeria 1999
Cybercrimes (Prohibition, Prevention) Act 2015 (as amended 2024)
Data Protection Act 2018
Digital Personal Data Protection Act 2023 (India)
European Union’s General Data Protection Regulation (GDPR) 2018
General Data Protection Regulation (EU) 2016/679
Nigeria Data Protection Act 2023
Treaties and International Instruments
Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, as amended) ETS 5
International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1
Secondary Sources
Cases
Incorporated Trustees of Personal Data Protection Awareness Initiative (PDPA) v. Nizamiye Hospital (FCT High Court, 10 April 2025)
Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v. National Identity Management Commission (NIMC) LPELR-55623 (CA)
Reports and Press Statements
National Identity Management Commission, ‘NIMC Denounces Allegations of Data Compromise’ (Press Statement, 22 June 2024)
Websites, Blogs and Online Reports
BCAA, ‘Informed Consent in Data Protection’ (BCAA UK) <https://www.bcaa.uk/informed-consent-in -data protection.html> accessed 22 December 2025
Kosinski M and Forrest A, ‘What is Data Privacy?’ (IBM, 24 August 2025) <https://www.ibm.com/think/topics/data-privacy> accessed 23 December 2025
Onabuchi P, ‘Data Consent, and Public Interest within the Legal Boundaries of Data Privacy: The case of PDPA v. Nizamiye Hospital’ (BusinessDay NG, 29 May 2025) <https://businessday.ng/news/legal-business/article/data-consent-and-public-interest-within-the-legal-boundaries-of-data-privacy-the case-of-pdpa-v-nizamiye-hospital/> accessed 23 December 2025
Paradigm Initiative, ‘Major Data Breach: Sensitive Government Data of Nigerian Citizens Available Online for Just 100 Naira’ (20 June 2024)
Privacy Engine, ‘Data Privacy Consent’ (PrivacyEngine) <https://www.privacyengine.io/resources/glossary/data-privacy-consent/> accessed 22 December 2025
Toor J, ‘What is Data Protection and Privacy?’ (Cloudian) <https://cloudian.com/guides/data-protection/data-protection-and-privacy-7-ways-to-protect-user-data/> accessed 23 December 2025
