Authored By: Deborah Silas
Abstract
The digital economy thrives on data, but with opportunity comes danger. In Nigeria, personal information has become both an asset and a liability: corporations collect it, governments monitor it, and criminals steal it. The Nigerian Data Protection Regulation (NDPR) of 2019 was supposed to mark a turning point, yet enforcement has been slow, and citizens remain largely unaware of their rights. At the same time, cybercrime continues to rise, giving the state justification to stretch its surveillance powers. This article examines how Nigeria tries to hold the line between privacy and security. It asks whether the NDPR provides real protection or simply symbolic reassurance. By comparing Nigeria’s system with the European Union’s GDPR and looking at other African models, the article argues that progress is visible but fragile. For privacy and security to coexist, Nigeria must move beyond regulations into firmer legislation, independent oversight, and greater public awareness. Without these, security concerns may swallow privacy whole.
Introduction
Think about daily life in Nigeria today. A man in Lagos loses his savings overnight because he clicked on the wrong email. A journalist in Abuja gets a phone call, reminding her that the government has eyes everywhere. A start-up in Port Harcourt, working with sensitive health data, struggles to persuade its clients that their information will not end up for sale. These stories are scattered across the country, but together they paint a picture: our data is not as safe as we think.
Every moment online leaves a trail. Businesses see it as profit. The government sees it as control. Fraudsters see it as opportunity. For ordinary Nigerians, it is more personal than that. Data is identity. It is dignity. It is liberty. The challenge is not whether data matters; it is whether the law can shield people from abuse while still allowing the state to protect society from cybercriminals and terrorists.
Other nations wrestle with this balance too. The European Union takes a strong privacy-first approach with the GDPR. China, on the other hand, prioritises state security, often at the cost of individual freedoms. Nigeria stands in between, trying to walk both roads at once. The NDPR of 2019 was celebrated as a step forward, but enforcement and awareness lag behind. The tension remains: how do you protect privacy without weakening security, and how do you protect security without destroying privacy?
Privacy as a Constitutional Right
The Nigerian Constitution guarantees privacy. Section 37 states that the privacy of citizens, their homes, correspondence and communications shall be respected. On the surface, this looks reassuring. In practice, it is thin. Courts have rarely tested the scope of this right in the digital context. What does privacy mean when it comes to Facebook messages, biometric IDs, or banking apps? Nobody is certain, because the law has not drawn those lines yet.
Compare this with South Africa. Their constitution recognises informational privacy more clearly, and the Protection of Personal Information Act (POPIA) flows directly from that. In Nigeria, however, citizens depend mainly on the NDPR. A regulation is helpful, but it does not carry the full weight of legislation. Without strong constitutional interpretation and statutory backing, privacy in the digital space looks more like a promise than a guarantee.
The NDPR: Hope and Hesitation
The NDPR was Nigeria’s first serious attempt at a data protection framework. It introduced the idea of consent: organisations must ask before using your personal information. It placed limits on how data can be transferred outside the country. It also introduced Data Protection Compliance Organisations (DPCOs) to guide and monitor compliance.
On paper, it sounds ambitious. It borrows from the structure of the GDPR and signals that Nigeria is part of the global conversation. But paper and practice are not the same. Enforcement has been weak. Many companies treat compliance as a checklist exercise, nothing more. Regulators lack both resources and expertise. Worse still, most Nigerians do not even know they have rights under the NDPR. A 2022 survey by Paradigm Initiative confirmed this gap: the law exists, but the people it is meant to serve are largely unaware.
So while the NDPR is important, it risks being more symbolic than effective.
Cybercrime and the Security Argument
Nigeria’s cybercrime problem is real, and it gives the state a strong argument for surveillance. The Cybercrime (Prohibition, Prevention, etc.) Act of 2015 equips law enforcement with sweeping powers to intercept communications, monitor digital networks, and seize data. The justification is clear: protect national security, curb online fraud, stop terrorism financing.
The problem is in the details. The Act permits interception based on “reasonable suspicion.” That phrase is dangerously vague. Who decides what suspicion is reasonable? Without strict judicial oversight, the door opens for abuse. Journalists, activists, and even ordinary citizens risk being monitored under the guise of national interest.
In the hands of a trusted government, surveillance powers can be a shield. In the hands of an unrestrained one, they can become a weapon.
Learning from Elsewhere
The GDPR in Europe is often described as the gold standard. It empowers citizens to control their data, places clear limits on organisations, and enforces strict penalties for violations. Meta, Google, and other tech giants have paid billions in fines under the GDPR. That is not symbolism; it is enforcement.
Within Africa, examples also exist. Kenya’s Data Protection Act of 2019 is noteworthy. It created an independent Data Commissioner with authority to investigate and punish breaches. Nigeria, by contrast, still places regulatory responsibility in NITDA, an agency originally built for ICT development, not for protecting citizens’ rights. The African Union’s Malabo Convention also provides a continental framework, though Nigeria has been slow in adopting it.
From these comparisons, the weakness in Nigeria’s system is obvious. The concepts are fine. The structure is visible. What is missing is the backbone of strong, independent enforcement.
Walking the Tightrope
Privacy and security are not natural allies. Absolute privacy can shield criminals. Absolute surveillance can crush freedoms. Nigeria has to find a middle path, but that path is narrow.
Consider the National Identity Number (NIN) project. The government insists it is necessary to fight fraud and terrorism. Yet the more biometric data the state collects, the more vulnerable citizens become if that data is leaked or misused. Financial institutions also press for tighter KYC requirements. The aim is noble, but the public fears their sensitive information may fall into criminal hands.
What this shows is that balance cannot be achieved by choosing one side over the other. Instead, three steps are essential:
- Nigeria needs a proper Data Protection Act to anchor privacy in clear, enforceable law.
- Oversight must be independent. Regulators cannot serve both as promoters of ICT development and protectors of privacy at the same time.
- Citizens must be educated to see data not just as paperwork, but as an extension of their personal dignity.
The Role of the Courts
Ultimately, Nigerian courts will decide how far privacy stretches. Up to now, they have been cautious, avoiding bold pronouncements in digital privacy cases. But pressure is building.
India provides an instructive comparison. In the landmark Puttaswamy v. Union of India[1], the Supreme Court recognised privacy as a fundamental right and forced the government to rethink its biometric ID programme. Nigeria has not yet had its equivalent of that case. When it comes, the judiciary’s willingness to expand Section 37 will shape the future of digital rights.
Conclusion
Nigeria is standing on a fragile line. The NDPR gave the impression of progress, but without legislative strength and independent oversight, the promise of privacy remains unsteady. On the other side, cybercrime and digital fraud are not theoretical threats. They are present, daily, and damaging. The government cannot ignore them.
Yet choosing security at the expense of privacy is not sustainable. A society where everyone is watched may feel safe for a time, but it cannot remain free. And privacy without some level of security is equally hollow, because citizens will live exposed to digital predators.
The answer lies in designing a system where both can exist together. That requires law with teeth, institutions with independence, and citizens who understand that privacy is not an obstacle to security but part of it. True security protects not only lives and property but dignity. And in the digital age, dignity begins with the right to privacy.
Reference(S):
[1] (2017) 10 SCC 1
