Data Protection Law Implementation in Enugu State Nigeria

Abstract

The digitisation of governance and commerce in Enugu State, under its ambitious “Smart City” and “Digital Economy” initiatives, has transformed personal data into a critical asset. While these advancements promise increased efficiency, they simultaneously heighten the risks of data breaches and privacy infringements. This research evaluates the implementation of data protection laws in Enugu State, focusing on the transition from the Nigeria Data Protection Regulation (NDPR) 2019 to the comprehensive Nigeria Data Protection Act (NDPA) 2023. Through a doctrinal analysis of constitutional, statutory, and case law frameworks, this paper examines how sub-national entities in Enugu are domesticating national standards. The findings reveal a significant gap between legislative aspirations and operational enforcement, primarily due to low public awareness and limited technical capacity. This study recommends localised administrative frameworks and intensified awareness campaigns to bridge these gaps.

1. Introduction

1.1 Background and Context

Enugu State, traditionally the administrative capital of Eastern Nigeria, is currently undergoing a rapid digital transformation. The state government has integrated electronic governance (e-governance) across multiple sectors, including land administration (Enugu State Geographical Information System — ENGIS), taxation, and human resources. These systems collect vast amounts of personally identifiable information (PII). In Nigeria, data protection was historically fragmented until the NDPA 2023 institutionalised a national framework. As a sub-national entity, Enugu State must navigate these national mandates while addressing its unique localised challenges.

1.2 Research Objective

This research aims to:

1. Analyse the legal and regulatory framework governing data protection in Enugu State.
2. Evaluate the level of compliance by state agencies and local private entities with the NDPA 2023.
3. Identify the barriers to effective implementation and recommend strategic solutions.

1.3 Significance and Justification

The shift to a digital economy in Enugu necessitates a secure legal environment to foster investment and public trust. Researching this implementation at a sub-national level is critical, as state governments are primary controllers of sensitive citizen data, including health, land, and identity records. This paper provides law students and practitioners with a contextualised understanding of how national privacy laws operate within state-level administrative structures.

1.4 Structure Overview

The paper begins with a literature review of the applicable legal framework — spanning constitutional, statutory, case law, and scholarly dimensions — followed by an analysis of specific implementation activities in Enugu State. It then presents findings regarding enforcement and concludes with targeted recommendations for strengthening compliance at the sub-national level.

2. Literature Review and Legal Framework

2.1 Constitutional Law

The bedrock of data protection in Nigeria is Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), which provides for the fundamental right to privacy.¹ Although “data protection” is not explicitly mentioned in the constitutional text, this provision has been interpreted by Nigerian courts as protecting the privacy of citizens’ correspondence, communications, and personal affairs, thereby providing a constitutional anchor for data protection claims.

2.2 Statutory Law

Three principal statutes form the statutory framework applicable in Enugu State.

The Nigeria Data Protection Act (NDPA) 2023 is the principal legislation governing data processing across all 36 states, including Enugu. It established the Nigeria Data Protection Commission (NDPC) as the primary regulator with broad supervisory and enforcement powers.²

The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 provides supplementary safeguards by criminalising unauthorised access to computer systems and identity theft, thereby reinforcing the NDPA’s data security objectives.³

A number of sector-specific laws also bear on data protection in Enugu State, most notably the National Health Act 2014, which governs the protection of medical records, and the Credit Reporting Act 2017, which regulates the processing of financial data.

2.3 Case Law

The key case in this area is Frank Ijege v Nigeria Data Protection Commission (FHC/KD/CS/34/2024), decided before the Federal High Court in Kaduna State. The applicant, Mr Frank Ijege, sought several reliefs including a declaration that an NDPC Guidance Notice violated his constitutional right to privacy. The court ruled in favour of the applicant, granting all reliefs sought except an injunction, thereby establishing a significant precedent for the enforceability of data subject rights in Nigeria.

It is noteworthy, however, that there is a scarcity of specific case law originating from Enugu State High Courts regarding data breaches in state-run systems. This suggests a possible reliance on administrative remedies rather than litigation as the primary dispute resolution mechanism at the sub-national level — itself a significant finding for implementation analysis.

2.4 Scholars’ Commentary

Scholars such as Abdulrauf and Anigbogu have critiqued the Nigerian framework for being “top-heavy,” focusing on federal regulation while lacking localised enforcement mechanisms at the state level.⁴ There is a prevailing scholarly consensus that, while the NDPA 2023 represents a milestone, its effectiveness in a state like Enugu depends critically on the creation of Data Protection Officers (DPOs) within state ministries and the development of sub-national compliance infrastructure.

3. Analysis and Discussion

In Enugu State, the implementation of data protection laws is currently characterised by a predominantly “federal-led” approach. The NDPC has taken strategic steps to localise national laws, most notably by unveiling the Igbo-language version of the NDPA 2023 in Enugu on 30 October 2025, a significant initiative aimed at ensuring linguistic inclusivity and grassroots awareness.⁵

Furthermore, state agencies such as the Enugu State Gaming and Lotto Commission have actively sought partnerships with the NDPC to protect the data of the over 60 million Nigerians engaged in gaming activities. The Office of the Surveyor General of the ENGIS has also published a comprehensive privacy policy that aligns with national standards, explicitly naming the Enugu State Government as the Data Controller.⁶

However, these are isolated examples of compliance rather than systemic adherence. Many other state ministries still lack published privacy policies or designated DPOs, leaving citizens’ data vulnerable during the ongoing e-governance transition. The gap between the agencies that are compliant and those that are not suggests that current implementation depends more on individual institutional initiative than on a coherent state-wide compliance regime. This institutional asymmetry is the central challenge facing Enugu’s data protection landscape.

4. Findings and Observations

Linguistic Inclusivity

The translation of the NDPA 2023 into Igbo — the principal language of South-Eastern Nigeria — is a significant and praiseworthy step toward localised compliance. By reducing the language barrier that has historically limited public engagement with formal legal instruments, this initiative has the potential to meaningfully expand awareness among citizens, local businesses, and lower-tier government officials who may not be fluent in the English of legislative drafting.

Institutional Gaps

While select agencies such as ENGIS are demonstrably compliant, the majority of small businesses and local government departments in Enugu State remain unaware of their obligations under the NDPA 2023. This awareness deficit is compounded by a shortage of affordable, locally available compliance advisory services — a gap that the recommendation on localised DPCOs (see §5.1) is specifically designed to address.

Low Enforcement Activity

To date, no high-profile penalties have been issued by the NDPC against Enugu-based entities. This indicates that the Commission’s current posture in the state is oriented toward awareness-building rather than strict enforcement. While this approach is appropriate in the early stages of a new legislative framework, it will need to evolve into meaningful accountability mechanisms to deter persistent non-compliance as the NDPA 2023 matures.

5. Conclusion and Recommendations

5.1 Recommendations

Establishment of a State Data Privacy Unit

The Enugu State Government should establish a dedicated Data Privacy Unit within the Ministry of Science and Technology, tasked with overseeing data protection compliance across all state Ministries, Departments, and Agencies (MDAs). This unit should have the authority to issue compliance directives, receive data breach notifications, and liaise directly with the NDPC.

Mandatory Training for Government Officials

All government officials handling public records must undergo mandatory data privacy training as a compulsory component of civil service reform. This training should cover the fundamental principles of the NDPA 2023, the legal consequences of data breaches, and the practical steps required to appoint and empower Data Protection Officers within each MDA.

Localised Data Protection Compliance Organisations

The NDPC should actively encourage the licensing of additional Data Protection Compliance Organisations (DPCOs) within the South-East geopolitical zone. A greater number of locally based DPCOs would reduce the cost of compliance auditing, making it accessible to small and medium-sized enterprises and local government authorities that currently lack the resources to engage national-level compliance consultants.

5.2 Conclusion

The implementation of data protection laws in Enugu State is in its formative stages. While the legal framework provided by the NDPA 2023 is robust and its constitutional foundations are well-established, the actual protection of citizens’ privacy ultimately depends on the operationalisation of these laws at the state level — through institutional structures, trained personnel, and a culture of compliance. By leveraging recent initiatives such as the Igbo-language translation of the Act and the ENGIS privacy policy model, Enugu State is well-positioned to lead the South-East in digital governance that is both innovative and rights-respecting.

References and Bibliography

Primary Sources

Legislation

Constitution of the Federal Republic of Nigeria 1999 (as amended), s 37

Nigeria Data Protection Act 2023, s 1

Cybercrimes (Prohibition, Prevention, etc.) Act 2015, s 14

National Health Act 2014

Credit Reporting Act 2017

Case Law

Frank Ijege v Nigeria Data Protection Commission (FHC/KD/CS/34/2024)

Secondary Sources

Official Publications and Online Sources

Nigeria Data Protection Commission, ‘NDPC Unveils Igbo Version of Data Act in Enugu’ (NDPC, 30 October 2025) <ndpc.gov.ng> accessed 30 January 2026

Enugu State Government, ‘Privacy Policy — Office of the Surveyor General’ (Enugu State Government, 2025) <survey.engis.en.gov.ng> accessed 30 January 2026

Journal Articles and Working Papers

Onyekachi Anigbogu, ‘Appraisal of the Legal Framework on Data Protection in Nigeria’ (SSRN, 2025) <https://ssrn.com/abstract=5097113> accessed 30 January 2026

[Note to Author: Please add the full citation for Abdulrauf’s work referenced in §2.4, including author forename, title, publisher, year, and access date, in accordance with OSCOLA formatting.]

Footnote(S):

¹ Constitution of the Federal Republic of Nigeria 1999, s 37.

² Nigeria Data Protection Act 2023, s 1.

³ Cybercrimes (Prohibition, Prevention, etc.) Act 2015, s 14.

⁴ Onyekachi Anigbogu, ‘Appraisal of the Legal Framework on Data Protection in Nigeria’ (SSRN, 2025) <https://ssrn.com/abstract=5097113> accessed 30 January 2026. [Note to Author: Please add corresponding Abdulrauf citation here.]

⁵ Nigeria Data Protection Commission, ‘NDPC Unveils Igbo Version of Data Act in Enugu’ (NDPC, 30 October 2025) <ndpc.gov.ng> accessed 30 January 2026.

⁶ Enugu State Government, ‘Privacy Policy — Office of the Surveyor General’ (Enugu State Government, 2025) <survey.engis.en.gov.ng> accessed 30 January 2026.