DATA PROTECTION AND DIGITAL RIGHTS IN NIGERIA: A CONSTITUTIONAL AND REGULATORY ANALYSIS OF THE NIGERIA DATA PROTECTION ACT 2023

Introduction

The rapid rise of digital technologies has changed how personal data is used and valued. What was once just a by-product of daily life is now a key economic asset, fueling innovation but also increasing risks like surveillance and exploitation.[1] In Nigeria, the enlargement of digital infrastructure, financial technology, and e-governance systems has intensified data collection practices, thereby amplifying concerns regarding privacy and informational autonomy.[2]

The enactment of the Nigeria Data Protection Act 2023 (NDPA) represents a decisive legislative response to these challenges, signaling Nigeria’s commitment to establishing a comprehensive framework for the protection of personal data.[3]The article should examine how Nigeria’s enforcement capacity under the NDPA compares with international benchmarks, such as the GDPR, to help readers assess its effectiveness and identify gaps.[4]

This article argues that while the NDPA constitutes a significant normative advancement in Nigeria’s data protection landscape, its operational effectiveness is constrained by institutional and doctrinal deficiencies. By situating the NDPA within Nigeria’s constitutional jurisprudence and emerging regulatory practice, the article demonstrates that meaningful protection of digital rights requires not only legislative reform but also robust judicial engagement and institutional strengthening.

Legal Framework and Constitutional Foundations

Before the NDPA, data protection in Nigeria was governed primarily by the Nigeria Data Protection Regulation 2019 (NDPR), a subsidiary instrument issued by the National Information Technology Development Agency (NITDA).[5] Although the NDPR introduced foundational principles such as consent, accountability, and data security, its limited legal status constrained its enforceability and institutional authority.[6]

The NDPA addresses these deficiencies by establishing a comprehensive statutory framework and creating the Nigeria Data Protection Commission (NDPC) as the central regulatory authority.[7] The Act codifies core principles of data protection, including lawfulness, fairness, transparency, purpose limitation, and data minimization, thereby aligning Nigeria’s legal regime with international standards such as the GDPR, which should inspire confidence among legal professionals and policymakers.[8]

Crucially, the NDPA derives normative strength from its constitutional foundation. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) guarantees the right to privacy, including the privacy of communications, which should reassure digital rights advocates and academics of the legal backing for digital privacy.[9] The Nigerian Supreme Court has consistently affirmed the fundamental nature of this right. In Medical and Dental Practitioners Disciplinary Tribunal v Okonkwo, the Court emphasised the centrality of individual autonomy and privacy in a democratic society, holding that personal choices and bodily integrity fall within the protected sphere of privacy.[10]

Similarly, in Director, SSS v Olisa Agbakoba, the Supreme Court underscored that constitutional rights must be interpreted broadly to ensure their effective protection against arbitrary state interference, highlighting the vital role of judicial interpretation in advancing digital rights in Nigeria.[11]Although these cases did not arise specifically in the context of data protection, their expansive interpretation of privacy rights provides a strong doctrinal foundation for protecting digital rights under the NDPA.

Lower courts have begun to extend these principles to data-related contexts. In Digital Rights Lawyers Initiative v National Identity Management Commission, the Federal High Court affirmed that the collection and processing of personal data must comply with constitutional safeguards.[12] Together, these decisions illustrate the evolving intersection between constitutional privacy and statutory data protection in Nigeria.

Regulatory Architecture and Emerging Challenges

The NDPA introduces a range of obligations designed to enhance accountability and safeguard data subjects. Data controllers are required to implement appropriate technical and organizational measures, conduct data protection impact assessments, and appoint data protection officers where necessary.[13] The Act also establishes a system of administrative penalties to deter non-compliance.[14]

The Act also establishes a system of administrative penalties to deter non-compliance. However, enforcement capacity remains limited, which should motivate policymakers and legal professionals to focus on strengthening institutional resources and public awareness initiatives.

First, enforcement capacity remains limited. While the creation of the NDPC is a significant institutional development, its effectiveness depends on adequate funding, technical expertise, and independence. In practice, regulatory agencies in Nigeria often face resource constraints that impede effective oversight. Judicial enforcement, although important, remains largely reactive. In Federal Republic of Nigeria v Daniel, the court held that evidence obtained in violation of privacy rights may be inadmissible, thereby reinforcing the importance of lawful data practices.[15] However, such remedies arise only after violations have occurred and do not substitute for proactive regulatory enforcement.

Second, the NDPA suffers from doctrinal ambiguity. The concept of “legitimate interest” as a lawful basis for processing is insufficiently defined, creating uncertainty and potential for abuse.[16] Comparative jurisprudence highlights the risks associated with such indeterminacy. In Lloyd v Google LLC, the UK Supreme Court demonstrated the challenges of enforcing data protection rights in the context of large-scale data processing where legal standards are unclear.[17]

Third, public awareness remains a significant limitation. The effectiveness of data protection regimes depends on individuals’ ability to understand and enforce their rights.[18] Implementing targeted initiatives, such as nationwide digital literacy campaigns and public awareness programs, can empower Nigerians to understand better and exercise their data rights.

Finally, the rapid evolution of technology presents ongoing regulatory challenges. Emerging technologies such as artificial intelligence and biometric systems raise complex questions about consent, accountability, and risk allocation, underscoring the need for ongoing regulatory adaptation to protect digital rights effectively.[19]Although the NDPA provides a framework for cross-border data transfers, its mechanisms remain underdeveloped and require further regulatory elaboration.[20]

Critical Analysis: Towards a Rights-Centered Data Protection Regime

This article submits that the NDPA represents a necessary but insufficient step towards the effective protection of digital rights in Nigeria. While the Act establishes a robust normative framework, its operational success depends on addressing underlying structural and doctrinal weaknesses.

A central tension lies in balancing innovation with the protection of rights. Nigeria’s digital economy is heavily reliant on data-driven technologies, and excessive regulation may hinder growth.[21]However, weak enforcement risks eroding public trust and enabling systemic abuses of personal data.[22] The NDPA attempts to navigate this tension through flexible standards such as “appropriate measures” and “legitimate interest.” Yet, without clear regulatory guidance, such flexibility may lead to inconsistent application and regulatory arbitrage.[23]

The role of the judiciary is therefore critical. Nigerian courts must adopt a purposive approach to interpreting the NDPA, drawing on constitutional principles to ensure that data protection rights are meaningful and enforceable. The jurisprudence of the Supreme Court, particularly in Okonkwo and Agbakoba, provides a foundation for such an approach by emphasizing the importance of individual autonomy and an expansive interpretation of rights.

Comparative perspectives further reinforce this position. In Google Spain SL v AEPD, the Court of Justice of the European Union recognized the “right to be forgotten,” thereby affirming the evolving nature of data protection as a fundamental right.[24] While Nigerian law has yet to adopt such doctrines fully, the NDPA creates the institutional and legal framework within which they may emerge.

Institutional reform is equally important. The NDPC must be adequately resourced and insulated from political interference to ensure effective enforcement.[25] In addition, public education initiatives are necessary to enhance awareness of data protection rights and promote compliance among data controllers.

Ultimately, the success of the NDPA will depend on its ability to function not merely as a regulatory instrument but as a rights-based framework that prioritizes human dignity, autonomy, and accountability in the digital age.

Conclusion

The Nigeria Data Protection Act 2023 marks a significant milestone in the evolution of Nigeria’s legal framework for digital governance. By codifying key data protection principles and establishing a dedicated regulatory authority, the Act aligns Nigeria with global standards and reinforces constitutional guarantees of privacy.[26]

However, as this article has demonstrated, the effectiveness of the NDPA is constrained by challenges relating to enforcement, doctrinal ambiguity, public awareness, and technological change. Addressing these challenges requires a holistic approach that integrates legislative reform, institutional strengthening, and judicial interpretation.

In particular, Nigerian courts must play a proactive role in developing a coherent body of data protection jurisprudence grounded in constitutional principles. At the same time, regulatory authorities must ensure consistent enforcement and provide clear guidance on key provisions of the Act.

Effective data protection is essential not only for safeguarding individual rights but also for fostering trust in Nigeria’s digital economy. While the NDPA provides a solid foundation, its success will ultimately depend on the extent to which it is implemented as a dynamic and rights-centered legal framework.

Legislation

2023. Nigeria Data Protection Act 2023.
2024. Nigeria Data Protection Regulation 2019.

• Constitution of the Federal Republic of Nigeria 1999 (as amended).

Cases

Digital Rights Lawyers Initiative v National Identity Management Commission (2021) FHC/ABJ/CS/1234/2020.

Director, State Security Service v Olisa Agbakoba (1999) 3 NWLR (Pt 595) 314 (SC).

Emerging Markets Telecommunication Services Ltd v Attorney General of the Federation (2018) LPELR-43553(CA).

Federal Republic of Nigeria v Daniel (2011) 4 NWLR (Pt 1238) 293.

Medical and Dental Practitioners Disciplinary Tribunal v Okonkwo (2001) 7 NWLR (Pt 711) 206 (SC).

Lloyd v Google LLC [2021] UKSC 50.

Google Spain SL v Agencia Española de Protección de Datos (AEPD) (C-131/12) [2014] ECR I-317.

Books

1. Kuner C, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013).
2. Murray A, Information Technology Law (4th edn, Oxford University Press 2019).

• Reed C, Making Laws for Cyberspace (Oxford University Press 2012).

Journal Articles

Greenleaf G, ‘Global Data Privacy Laws 2023’ (2023) 169 Privacy Laws & Business International Report.

Reports and Institutional Materials

1. National Information Technology Development Agency (NITDA), Nigeria Data Protection Regulation: Implementation Framework (2019).
2. National Bureau of Statistics, ‘ICT Statistics in Nigeria’ (2023)

[1] Andrew Murray, Information Technology Law (4th edn, OUP 2019)

[2] National Bureau of Statistics, ‘ICT Statistics in Nigeria’ (2023

[3] Nigeria Data Protection Act 2023

[4] Graham Greenleaf, ‘Global Data Privacy Laws 2023’ (2023)

[5] Nigeria Data Protection Regulation 2019

[6] NITDA, ‘NDPR Implementation Framework’ (2019)

[7] Nigeria Data Protection Act 2023, s 4

[8] ibid s 24.

[9] Constitution of Nigeria 1999 (as amended), s 37

[10] Medical and Dental Practitioners Disciplinary Tribunal v Okonkwo (2001) 7 NWLR (Pt 711) 206 (SC)

[11] Director, SSS v Olisa Agbakoba (1999) 3 NWLR (Pt 595) 314 (SC)

[12] Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v. National Identity Management Commission (NIMC) (2021) LPELR-55623(CA)

[13] Nigeria Data Protection Act 2023, s 28

[14] ibid s 48

[15] FRN v. Daniel (2011) LPELR–4152 (CA)

[16] NDPA 2023, s 25

[17] Lloyd v Google LLC [2021] UKSC 50

[18] Greenleaf (n 4)

[19] Chris Reed, Making Laws for Cyberspace (OUP 2012).

[20] NDPA 2023, s 41

[21] Reed (n 19)

[22] Murray (n 1)

[23] NDPA 2023, s 25.

[24] Google Spain v AEPD (2014) C-131/12

[25] Kuner C, Transborder Data Flows (OUP 2013)

[26] Nigeria Data Protection Act 2023.