Authored By: Nwakile Onyinyechi Frances
Nigerian Law School
- INTRODUCTION
The Nigeria Data Protection Commission (NDPC) has stated that the country’s data protection ecosystem is now worth more than 16.2 billion naira in value within three years, and has created more than 23,000 job opportunities, contributing to employment growth as Nigeria’s digital economy expands.[1] This disclosure was made by the National Commissioner and Chief Executive Officer of the Commission, Dr Vincent Olatunji, who further stated that the growth reflects rising enforcement, compliance activity and increasing confidence in Nigeria’s digital governance framework.[2]
On the 14th of June 2023, President Bola Ahmed Tinubu signed into law the Nigeria Data Protection Act 2023. The objective of the Act, among others, is to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under Section 37 of the 1999 Constitution of Nigeria.[3] The Act establishes the Nigeria Data Protection Commission (NDPC), also referred to as “the Commission” to replace the Nigeria Data Protection Bureau (NDPB) established by former and late President Muhammadu Buhari.[4]
Data Protection in Nigeria has transitioned from a phase of awareness to a phase of active, stringent and punitive enforcement under the NDPA 2023, as the Commission is intensifying investigations, imposing significant fines, and emphasizing proactive accountability.[5] As businesses advance their operations employing technological innovations, which requires continual dependence on data-driven business policies, the processing of personal data has significantly evolved into an important consideration for organizations, which are now largely encouraged to adopt basic data protection practices, as firmly embedded in Nigeria’s legal and regulatory landscape.[6]
This article explores the legal framework of data protection in Nigeria, the current trends of regulatory enforcement, and suggests how organizations can be best positioned to thrive in Nigeria’s evolving regulatory environment through the establishment of strong data protection and corporate governance frameworks, and risk-based compliance.
- DEFINITION OF KEY TERMS
2.1 DATA PROTECTION
Data Protection is the practice of protecting sensitive data from unauthorized access, misuse, loss or exposure throughout its life cycle.[7] It covers the controls and safeguards used to keep data secure wherever it is created, stored, shared, or used, including across systems, users and AI-powered tools.[8] Data loss, mismanagement and corruption cost organizations billions every year. Hence the purpose of data protection is to stop data theft before an organization suffers from the costly aftermath of a successful compromise.[9] There are three fundamental elements of data protection and security that most organizations should acknowledge: Confidentiality, Integrity and Availability.[10] These three pillars, known as the CIA Triad, function as a framework to support resilient data protection solutions.[11]
2.2 DATA PRIVACY
Data Privacy and Data Protection are distinct, albeit interrelated terms. Data Privacy refers to a customer’s personal preferences regarding how businesses collect their sensitive data.[12] It advocates that people should have a say in how third-party companies collect, retain and utilize their personal information.[13]
- REGULATORY COMPLIANCE
This involves consciously determining and reviewing the relevant laws, instituting internal controls and processes to meet those regulatory obligations, and constantly assessing and appraising operations to ensure ongoing compliance.[14] It borders on various aspects, such as legal, financial, operational and ethical considerations, and aims to ensure that organizations function in line with statutory requirements, comply with ethical norms, and perform their responsibilities to stakeholders, customers and the public. Hence, regulatory compliance refers to the process by which corporations and entities comply with the obligations set forth by relevant laws, regulations and established professional standards.[15]
- LEGAL AND INSTITUTIONAL FRAMEWORK OF DATA PROTECTION IN NIGERIA
There are several statutory and subsidiary legislation that directly or indirectly regulate data privacy and protection in Nigeria, as follows:
3.1 THE NIGERIA DATA PROTECTION ACT 2023
The Nigeria Data Protection Act (NDPA) 2023 is the first major federal legislative instrument for the processing and protection of personal data in Nigeria.[16] With its enactment, Nigeria’s efforts to regulate data protection have advanced significantly. Influenced by the European Union General Data Protection Regulation, it seeks to provide a robust legal structure for protecting personal data, and incorporates many of its principles such as transparency, accountability and the rights of data subjects.[17] This transplantation of legal norms aims to elevate Nigeria’s data protection standards to international levels, thereby fostering trust and confidence among data subjects and enhancing Nigeria’s global competitiveness in the digital economy.[18]
3.2 NIGERIA DATA PROTECTION REGULATION 2019
In 2019, the Nigerian Information Technology Development Agency (NITDA) issued the Guidelines for Data Protection 2013, but this had little to no impact on the degree of knowledge and conformity with data protection obligations.[19] This state of affairs, alongside the increasing economic importance of data, necessitated the enactment of the NDPR 2019, which is the first comprehensive and robust effort to oversee the data supervision domain in Nigeria.[20]
The NDPR aims to protect the right of natural persons to data privacy, promote secure handling of transactions pertaining to exchange of personal data, and prevent unauthorized alterations to personal data. It imposes numerous compliance obligations on data controllers and processors in their collection and processing of personal data of natural persons, including financial institutions, telecommunication companies, electoral bodies, the Corporate Affairs Commission, among others.[21]
3.3 NIGERIA DATA PROTECTION REGULATION: IMPLEMENTATION FRAMEWORK 2020
In 2020, NITDA issued an Implementation Framework in respect of the NDPR to regulate personal data processing within public institutions. The Framework builds on the NDPR to ensure a tailored implementation of the data protection regime in Nigeria. It serves as a guide to data controllers and administrators/processors to understand the standards required for compliance within their organizations. The Framework is to be read in conjunction with the NDPR and does not supersede it.[22]
3.4 GENERAL APPLICATION AND IMPLEMENTATION DIRECTIVE 2025
On the 20th of March 2025, the Nigeria Data Protection Commission (NDPC) released the NDPA General Application and Implementation Directive 2025 (GAID), pursuant to its powers under Section 61 of the Act.[23] The GAID is designed to offer clear and actionable guidance on the enforcement of the NDPA.[24] It is nonetheless significant to note that where any discrepancy occurs between the NDPA and the GAID, the provisions of the NDPA will take precedence.[25] The GAID also highlights certain data subjects whose personal data and fundamental right to privacy it seeks to protect.[26]
By virtue of Article 3(3) of the GAID, the NDPR 2019 and consequently the NDPR Implementation Framework 2020 ceased to be functional as data protection rules. However, all acts carried out during their subsistence remain valid.[27] Some of the highlights of the GAID include compliance measures by Data Controllers and Processors, conduct of Compliance Audit Returns, introduction of the Data Subjects Notice to Address Grievance (SNAG), among others.[28]
3.5 NIGERIAN DATA PROTECTION COMMISSION (NDPC)
The Nigeria Data Protection Act established the NDPC, whose mandate, inter alia, is to oversee the implementation of the NDPA. The Commission is mandated to collaborate with stakeholders in achieving the objectives of the NDPA.[29]
In addition to the principal and subsidiary legislation mentioned, the Constitution of the Federal Republic of Nigeria and various sector-specific laws make different provisions for privacy and data protection matters.
- CASE LAW AND EVALUATION
Privacy is recognized as a fundamental human right across the globe, and closely tied to it is the right to protection of personal data, which has become especially difficult in today’s technologically sophisticated and interconnected world.[30] It therefore is no wonder that the enforcement of privacy has become a critical, high-stakes area of global law, transitioning from a niche legal issue to a central, heavily enforced pillar of digital policy.[31] Governments and regulators are treating data privacy violations with increasing severity, imposing substantial financial, legal and reputational consequences on organizations that fail to protect personal data. The enforcement action taken by the NDPC against MultiChoice Nigeria makes one of the most significant regulatory interventions under the Act, as the case raises critical questions about the scope of lawful data processing, cross-border data transfers, and the balance between regulatory oversight and commercial practicality.
The NDPC fined MultiChoice Nigeria the sum of 766,242, 500 (seven hundred and sixty-six million, two hundred and forty-two thousand, five hundred naira) for alleged violation of data privacy rights of subscribers through cross-border transfer of personal data of data subjects, data processing which was patently intrusive, unfair, unnecessary and disproportionate, and a grave affront to sections 24, 25, 27, 41-43 of the NDPA.[32]
Similarly, on the 21st of August 2024, the NDPC fined Fidelity Bank the sum of 555.8 (five hundred and fiftyfive million naira) for violating the Act by processing personal data without lawful basis and informed consent. The Commission’s investigation revealed non-compliance in the bank’s data processing tools and reliance on non-compliant third-party processors.[33] Further to the mandate, on the 18th of February 2025, the NDPC imposed both a reparative fee of 32,800,000 (Thirty-two million, eight hundred thousand US dollars) and eight remedial orders against Meta Platforms Inc., which was asserted to have infringed the fundamental privacy rights of its Nigerian users in relation to behavioral advertising on Facebook and Instagram, illegal data transfers and data misuse. However, both parties arrived at terms of settlement entered as consent judgment in the suit.[34]
There is little doubt that such organizations as above are likely to advance legal counterarguments when confronted with regulatory action. For example, Meta Platforms Inc. relied on defenses including denial of fair hearing, the imposition of unrealistic compliance requirements, and procedural irregularities. Beyond these, they may argue that their processing activities were grounded in a lawful basis, that personal data was voluntarily supplied by data subjects, that adequate safeguards governed cross-border data transfers, and that actions were undertaken in good faith, among others. These arguments underscore the legal and practical complexity of enforcing data protection obligations within a digital economy. On the other hand, Nigeria’s data protection history long lacked a comprehensive framework, relying on disjointed provisions in the 1999 Constitution, other sector-specific laws until the NDPR, and the NDPA subsequently in 2023. Hence, the position that Nigeria lacks a comprehensive data protection regime is no longer tenable. The operationalization of the Nigeria Data Protection Commission under the Act has crystallized legal obligations and enforcement mechanisms. Consequently, organizations are under a positive and enforceable duty to implement robust data compliance structures. Though they may undoubtedly face compliance challenges such as increased regulatory requirements, audit and registration obligations at the risk of real sanctions for non-compliance, they must identify and fix gaps in their approach.
The fundamental reality is that data privacy and protection have become a governance issue, and belong in the boardroom. It is no longer an IT or legal checkbox, but a leadership responsibility and competitive advantage, even as emerging technologies reshape business operations.
- CONCLUSION: THE WAY FORWARD
With the increasing prevalence of data-driven technologies, regulatory compliance frameworks emphasize the protection of personal information and privacy rights. The commitment of the NDPC towards fulfilling the objectives of the Act is evident in its proactive regulatory enforcement and capacity-building initiatives. Since the enactment of the NDPA, the Commission has intensified compliance audits, issued implementation guidelines, and sanctioned defaulting data controllers to reinforce accountability. It continues to promote public awareness to ensure that data protection principles are not merely aspirational, but practically embedded within Nigeria’s corporate ecosystem.
Hence, organizations that continue to treat compliance as discretionary expose themselves not only to regulatory sanctions, but also to reputational erosion, financial liability, and operational instability. In order to avoid such grave consequences, the following measures should be embraced:
- Internal Controls: This involves designing and implementing systems, processes, and checks that monitor and mitigate risks, detect and prevent non-compliance, and promote accountability.
- Institution of Risk Management Procedures: Providing procedures to assess and evaluate possible risks can help to prevent or mitigate at best, legal, financial and reputational damages.
- Monitoring and Auditing: There is need for active and adequate scrutiny to determine whether or not organizations conform with regulatory requirements. When these are regularly performed, organisations are better positioned to identify gaps, weaknesses and opportunities for enhancement.
- Sensitisation and Capacity Building: This emphasizes the education of employees on the importance of transparency in data handling processes, and the need to keep abreast with ethical borms, relevant regulations and compliance requirements.
From the foregoing, it is no doubt that organisations that seek to stay relevant and trustworthy, must embrace the need for continuous improvement, proactive compliance and a culture of accountability, even as operations continue in a technologically advanced world to enhance business functionality and avoid actual legal repercussions stemming from the need to preserve the fundamental right to privacy.
BIBLIOGRAPHY
Statutes
Nigeria Data Protection Act 2023
Nigeria Data Protection Regulation 2019
Nigeria Data Protection Regulation: Implementation Framework 2020
General Application and Implementation Directive 2025
Journals
Richard Fiene, ‘Importance of The Theory of Regulatory Compliance’ (2024) 25(1) JMPP https://rikinstitute.com/wp-content/uploads/2024/03/trc-importance-jmpp2.pdf accessed 21 February 2026.
Patrick Aloamaka, ‘A Critical Analysis of the Nigeria Data Protection Act 2023: Elevating Standards to Global Norms’ (2025) 4(2) UCCLJ https://jornal.ucc.edu.gh/index.php/ucclj/article/download/1724/816/5975> accessed 21 February 2026
Shikar Bhatnagar, ‘Right to Privacy and Data Protection’ (2025) 11(7) IJL https://www.lawjournals.org/assets/archives/2025/vol11issue7/11152.pdf accessed 21 February 2026.
Websites
https://ndpc.gov.ng/about-us/ accessed 21 February 2026.
Justice Okamgba, ‘Nigeria’s Data Protection Ecosystem tops N16.2bn’ Punch Newspaper (Nigeria, 3rd February, 2026) https://punchng.com/nigerias-data-protection-ecosystem-tops-n16-2bn/ accessed 21 February 2026.
Samson Akintaro, ‘NDPC says Nigeria’s Data Protection industry now worth N16.2 billion’ Nairametrics (2nd February 2026) https://nairametrics.com/2026/02/02/ndpc-sayanigerias-data-protection-industry-now-worth-n16-2-billion/#google_vignette accessed 21 February 2026.
KPMG, ‘Nigeria Data Protection Act 2023 Review’ (2023) https://assets.kpmg.com/content/dam/kpmg/ng/pdf/nigeria-data-protection-act2023_kpmg-review.pdf accessed 21 February 2026.
Mondaq, ‘Nigeria’s Data Protection Landscape: Key Developments And What to Expect In 2026 and Beyond’ (10 February 2026) https://www.mondaq.com/nigeria/data-protection-landscape-key-developments-and-what-to-expect-in-2026-and-beyond accessed 21 February 2026.
Proofpoint, ‘What is Data Protection?’ https://www.proofpoint.com/au/threat-reference/data-protection accessed 21 February 2026.
Coursera Staff, ‘Data Privacy vs Data Protection: What’s the Difference?’ (14 April 2025) https://www.coursera.org/articles/data-privacy-vs-data-protection accessed 21 February 2026.
Ido and Others, ‘Introducing the Nigeria Data Protection Act 2023’ (June 2023) https://www.aluko-oyebode.com/insights/nigeria-data-protection-act-2023-ndpa/ accessed 21 February 2026.
Andersen, ‘Data Protection Regulation 2019: An Emerging Frontier in Data Management in Nigeria’ (23 April 2019) https://ng.andersen.com/data-protection-regulation-2019-an-emerging-frontier-in-data-management-in-nigeria/ accessed 21 February 2026.
DLA Piper, ‘Data Protection in Nigeria’ (18 January 2025) https://www.dlapiperprotection.com/index.html?t=law&c=NG accessed 21 February 2026.
- Elias, ‘Highlights of the Nigeria Data Protection Act General Application and Implementation Directive, 2025’ https://www.gelias.com/images/Highlights_of_the_GAID.pdf accessed 21 February 2026.
Aluko & Oyebode, ‘Issuance of the Nigeria Data Protection Act- General Application and Implementation Directive 2025 (GAID)’ (April 2025) https://www.aluko-oyebode.com/imsights/general-application-and-implementation-directive/ accessed 21 February 2026.
NDPC, ‘Leading Nigeria’s Data Protection Journey’ https://ndpc.gov.ng/about-us/ accessed 21 February 2026.
RAPDP, ‘NDPC Fines MultiChoice Nigeria N766,242,500 for Violating NDP Act’ https://www.rapdp.org/index.php/en/node/222 accessed 22 February 2026.
Data Guidance, ‘NDPC Fines Fidelity Bank NGN 555.8M for Data Processing Violations’ (22 August 2024) https://www.dataguidance.com/news/nigeria-ndpc-fines-fidelity-bank-ngn-5558m-data accessed 22 February 2026.
The Guardian, ‘Meta Settles $32.8m Data Privacy Fine out of Court’ (4 November 2025) https://guardian.ng/news/nigeria-meta-settle-32-8m-data-privacy-fine-out-of-court accessed 22 February 2026.
[1] Justice Okamgba, ‘Nigeria’s Data Protection Ecosystem tops N16.2bn’ Punch Newspaper (Nigeria, 3rd February, 2026) https://punchng.com/nigerias-data-protection-ecosystem-tops-n16-2bn/ accessed 21 February 2026.
[2] Samson Akintaro, ‘NDPC says Nigeria’s Data Protection industry now worth N16.2 billion’ Nairametrics (2nd February 2026) https://nairametrics.com/2026/02/02/ndpc-says-nigerias-data-protection-industry-now-worth-n16-2-billion/#google_vignette accessed 21 February 2026.
[3] KPMG, ‘Nigeria Data Protection Act 2023 Review’ (2023) https://assets.kpmg.com/content/dam/kpmg/ng/pdf/nigeria-data-protection-act2023_kpmg-review.pdf accessed 21 February 2026.
[4] Ibid
[5] Nairametrics (n2)
[6] Mondaq, ‘Nigeria’s Data Protection Landscape: Key Developments And What to Expect In 2026 and Beyond’ (10 February 2026) https://www.mondaq.com/nigeria/data-protection-landscape-key-developments-and-what-to-expect-in-2026-and-beyond accessed 21 February 2026.
[7] Proofpoint, ‘What is Data Protection?’ https://www.proofpoint.com/au/threat-reference/data-protection accessed 21 February 2026.
[8] Ibid
[9] Ibid
[10] Ibid
[11] Ibid
[12] Coursera Staff, ‘Data Privacy vs Data Protection: What’s the Difference?’ (14 April 2025) https://www.coursera.org/articles/data-privacy-vs-data-protection accessed 21 February 2026.
[13] Ibid
[14] Richard Fiene, ‘Importance of The Theory of Regulatory Compliance’ (2024) 25(1) JMPP https://rikinstitute.com/wp-content/uploads/2024/03/trc-importance-jmpp2.pdf accessed 21 February 2026.
[15] Ibid
[16] Ido and Others, ‘Introducing the Nigeria Data Protection Act 2023’ (June 2023) https://www.aluko-oyebode.com/insights/nigeria-data-protection-act-2023-ndpa/ accessed 21 February 2026.
[17] Patrick Aloamaka, ‘A Critical Analysis of the Nigeria Data Protection Act 2023: Elevating Standards to Global Norms’ (2025) 4(2) UCCLJ https://jornal.ucc.edu.gh/index.php/ucclj/article/download/1724/816/5975 accessed 21 February 2026.
[18] Ibid
[19] Andersen, ‘Data Protection Regulation 2019: An Emerging Frontier in Data Management in Nigeria’ (23 April 2019) https://ng.andersen.com/data-protection-regulation-2019-an-emerging-frontier-in-data-management-in-nigeria/ accessed 21 February 2026.
[20] Ibid
[21] Ibid
[22] DLA Piper, ‘Data Protection in Nigeria’ (18 January 2025) https://www.dlapiperprotection.com/index.html?t=law&c=NG accessed 21 February 2026.
[23] G. Elias, ‘Highlights of the Nigeria Data Protection Act General Application and Implementation Directive, 2025’ https://www.gelias.com/images/Highlights_of_the_GAID.pdf accessed 21 February 2026.
[24] Ibid
[25] Article 3(2) GAID
[26] Article 1(4) GAID
[27] Aluko & Oyebode, ‘Issuance of the Nigeria Data Protection Act- General Application and Implementation Directive 2025 (GAID)’ (April 2025) https://www.aluko-oyebode.com/imsights/general-application-and-implementation-directive/ accessed 21 February 2026.
[28] Ibid
[29] NDPC, ‘Leading Nigeria’s Data Protection Journey’ https://ndpc.gov.ng/about-us/ accessed 21 February 2026.
[30] Shikar Bhatnagar, ‘Right to Privacy and Data Protection’ (2025) 11(7) IJL https://www.lawjournals.org/assets/archives/2025/vol11issue7/11152.pdf accessed 21 February 2026.
[31] Ibid
[32] RAPDP, ‘NDPC Fines MultiChoice Nigeria N766,242,500 for Violating NDP Act’ https://www.rapdp.org/index.php/en/node/222 accessed 22 February 2026.
[33] Data Guidance, ‘NDPC Fines Fidelity Bank NGN 555.8M for Data Processing Violations’ (22 August 2024) https://www.dataguidance.com/news/nigeria-ndpc-fines-fidelity-bank-ngn-5558m-data accessed 22 February 2026.
[34] The Guardian, ‘Meta Settles $32.8m Data Privacy Fine out of Court’ (4 November 2025) https://guardian.ng/news/nigeria-meta-settle-32-8m-data-privacy-fine-out-of-court accessed 22 February 2026.
