Authored By: Moniyeoluwa Sola-Oyewole
Bowen University
Abstract
Nigeria’s transition from the Nigeria Data Protection Regulation (NDPR) to the Nigeria Data Protection Act (NDPA) represents a significant and progressive shift in the approach to digital rights and corporate accountability. As businesses increasingly rely on digital systems and data-driven decision-making processes, data governance has become a critical extension of corporate governance responsibilities. Companies are now required to implement policies that ensure the protection of consumer data, transparency in data processing, and the responsible use of personal information. However, this expectation exists within a legal environment where corporate accountability is often under-enforced and where limited case law and judicial guidance continue to create uncertainty in compliance standards, as it’s a relatively novel area. This article argues that robust data governance should be integrated into corporate governance in Nigeria to safeguard consumer data and digital rights. It explains how better oversight and compliance will ultimately reduce corporate risks, improve accountability, and boost investor confidence in the digital economy. The article concludes by recommending stricter enforcement and clearer governance standards to align Nigeria with global best practices.
Introduction
The 21st Century is the century of data, and data has become a core corporate asset in our fast-digitising economy. The way organisations collect, process, and protect personal information now directly influences governance, trust, and regulatory compliance. With the enactment of the Nigeria Data Protection Act 2023, new standards have been established that require companies to adopt and enforce robust data governance practices within their broader corporate accountability systems. With this, regulatory enforcement is also going to rise to ensure checks and balances within the corporate governance system.
The Nigeria Data Protection Commission recently fined Fidelity Bank ₦555.8 million for processing personal data without lawful consent, including the use of non-compliant third-party processors.[1] While Fidelity Bank insisted that it had not violated any laws, it emphasised its commitment to data protection and ethical governance. Regardless, the bank was found to rely on non-compliant third-party data processors, further breaching data protection laws.[2] Similarly, Meta has faced regulatory scrutiny in Nigeria for its data handling practices, signalling that both local and multinational corporations are now expected to meet higher compliance standards. These actions demonstrate the increasing pressure on organisations to adopt responsible digital practices that protect consumer rights.
Despite these somewhat progressive laws and the seemingly effective enforcement of those laws, corporate accountability in Nigeria remains weakened by limited enforcement capacity and scarce judicial precedent in this relatively new area of law. Integrating robust data governance into corporate governance structures is essential to protecting consumer data and digital rights while still ensuring stakeholder interests are prioritised to reduce risk exposure and build investor confidence in Nigeria’s digital economy. With the cases of Fidelity Bank and Meta, it is becoming increasingly needed that data governance in Nigeria needs to be taken seriously and with less levity. The public must be aware of their digital rights so they know when it is adversely affected and how to ensure the protection of those rights.
This article argues that incorporating strong data governance measures into corporate governance structures is essential to protect consumer data and digital rights, while simultaneously reducing corporate risks in Nigeria’s digital economy.
Research Methodology
This article uses a doctrinal and analytical research method. The Nigeria Data Protection Act 2023 and the Constitution of the Federal Republic of Nigeria 1999, alongside regulatory instruments such as NDPC, were the primary legal materials that served as guides. Case laws focused on privacy, data rights, and regulatory oversight were reviewed to evaluate the overall impact and synergy between data governance and corporate governance. This article also draws on secondary sources, including scholarly commentary and reputable law firm insights, industry, to assess how the law is interpreted in practice. A comparative perspective is introduced by referencing global data governance trends to highlight potential reform pathways for Nigeria. The research approach supports a critical evaluation of accountability gaps and governance challenges in the current enforcement landscape.
Legal Framework for Data Governance in Corporate Accountability
The Nigeria Data Protection Regulation (NDPR) 2019 was Nigeria’s first comprehensive regulatory instrument on data protection, developed by the National Information Technology Development Agency (NITDA). Modelled after key principles of the European Union’s GDPR, the NDPR established the foundational rules for the lawful collection, processing, and storage of personal data in Nigeria. To support effective compliance, NITDA also issued the NDPR Implementation Framework, which serves as a practical guide to data controllers and processors on the required safeguards, accountability measures, and governance structures expected under the Regulation.[3] However, being a regulation rather than an Act of the National Assembly, its legal force and regulatory authority were frequently questioned, which created a lot of uncertainty around long-term accountability and judicial enforceability. To rectify this, the NDPA came into effect in 2023.
In 2023, the Nigeria Data Protection Act (NDPA) formally took over the primary regulation of personal data processing, consumer digital rights, and data governance responsibilities within corporate governance structures. By giving data protection statutory authority, the NDPA elevates privacy compliance into a core organisational governance responsibility rather than an optional administrative policy as was the case under the NDPR.[4]
The Act:
- establishes the Nigeria Data Protection Commission (NDPC) as the main enforcement body.
- strengthens legal duties for transparency and responsible data use.
- enhances penalties and corrective powers over corporate non-compliance.
- aligns Nigeria with global data protection and cross-border trade standards.
Data governance obligations are reinforced by Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), which guarantees the right to privacy.[5] The NDPA simply acts as an addendum and extension of the constitutional provision while emphasising that improper data handling is not only a corporate compliance issue but a fundamental rights concern. Data governance now intersects closely with broader corporate accountability frameworks. For example, the Companies and Allied Matters Act (CAMA) 2020 which states that directors owe fiduciary duties of care that will ensure the protection of stakeholder interests. As personal data becomes a core corporate asset, failures in data handling or security can amount to breaches of oversight and risk-management obligations.
Similarly, the Nigerian Code of Corporate Governance (NCCG) 2018 emphasises similar duties like transparency and stakeholder protection. These principles extend to digital operations, requiring boards and senior management to ensure effective data governance systems that prevent the misuse of personal information and manage technology-driven risks. Together, these legal instruments currently shape the digital landscape and the standards of responsible business conduct in Nigeria’s evolving digital marketplace, which reinforces data governance as an essential pillar of modern corporate governance.
Judicial Interpretation and Regulatory Enforcement
Nigerian courts and regulators are steadily shaping the legal world of data protection and corporate accountability; laws and boundaries, although the landscape remains uneven. Regulators have taken the early lead, issuing substantial sanctions that demonstrate clear enforcement intent, while the judiciary is only starting to explore how these laws translate into real-world events and how effective they can be. A major example of regulatory enforcement is the Nigeria Data Protection Commission’s action against Fidelity Bank, where a ₦555.8 million fine was imposed for multiple violations of the NDPA and NDPR. Since this resulted from administrative enforcement rather than litigation, it stands as a practical compliance precedent signalling that weak data governance now carries significant corporate accountability consequences.[6]
Similarly, enforcement has expanded beyond the NDPC. In 2024, the Federal Competition and Consumer Protection Commission fined Meta about $220 million for discriminatory and exploitative data handling affecting millions of Nigerian users. In April 2025, the Competition and Consumer Protection Tribunal affirmed the fine, reinforcing that multinational companies and digital platforms will face cross-sector enforcement where data governance impacts consumer protection in Nigeria.[7]
Courts are also beginning to refine and redefine the regulatory landscape. The Federal High Court recently set aside parts of an NDPC guidance on registration for exceeding the statutory framework established under the NDPA, confirming that regulators cannot expand obligations beyond legislative authority.[8]
Alongside regulatory oversight, courts are increasingly recognising privacy and data rights as actionable claims. Recent Federal High Court decisions such as Molehin v UBA[9] and related matters show growing readiness to provide compensation where unauthorised data disclosure or misuse occurs, making privacy protections more meaningful for Nigerian consumers.[10] The plaintiff, Miss Folashade Molehin, sued for violation of her privacy rights after UBA opened a domiciliary account in her name without her authorisation or consent. The bank argued that the matter fell under ordinary civil claims relating to banker-customer duties and was not enforceable as a fundamental rights action.
The Federal High Court (per Justice A. O. Faji) rejected that argument and held that unauthorised processing of personal data constitutes a breach of the constitutional right to privacy under section 37 of the 1999 Constitution. The court concluded that wrongful processing is not merely negligence but a violation of a fundamental right, especially since the NDPR 2019 is designed to safeguard data privacy. The court awarded ₦7.5 million in damages.
This ruling establishes that personal data is protected as part of the constitutional right to privacy, that consent is mandatory for any lawful processing, and that adaptation or internal use of data (not only disclosure to third parties) qualifies as “processing” under the NDPR.
Taking into account this case, three things stand out very clearly. First, enforcement is no longer a one-man show. The NDPC, FCCPC and even other sector regulators are actively issuing fines and compliance directives, making it harder for companies to ignore data governance responsibilities. Second, the courts are finally beginning to interpret the law. Judges are starting to define privacy rights and enforcement boundaries, even though there is still a long way to go before we have solid case law that directly frames data governance as a core corporate governance duty. Third, and most importantly, regulators are moving faster than the courts. Administrative actions are loud and attention-grabbing, but they still leave companies and their boards without binding judicial guidance on what compliance really looks like. Until the law catches up with the pace of digital transformation, uncertainty will continue to exist around what corporate accountability truly demands in the data-driven economy.[11]
How To Strengthen Corporate Accountability Through Data Governance
To strengthen corporate accountability through data governance in Nigeria, coordinated reforms across law, regulation, and practice are necessary. First, the NDPA should be supported with clearer subsidiary regulations that explicitly outline directors’ data governance responsibilities under existing corporate governance frameworks such as CAMA 2020 and the NCCG 2018. Doing so would bridge the current gap between administrative sanctions and enforceable judicial standards while helping boards understand their oversight duties in managing data as a strategic corporate asset.
Secondly, the judiciary should accelerate the development of data governance jurisprudence by issuing more detailed and precedent-driven decisions on privacy, consent, and corporate liability arising from data breaches. Specialised judicial training and the designation of data protection-focused judges or court lists could strengthen consistency and predictability in judicial outcomes.
Regulators also need to improve cooperation. Formal coordination mechanisms between the NDPC, FCCPC, NITDA, and sector-specific regulators would prevent overlapping mandates and create a more unified enforcement system. Additionally, enforcement should include not only penalties but also guidance and compliance support, particularly for SMEs that struggle with technical and financial capacity.
Civil society and consumer advocacy groups can contribute by increasing public awareness of data rights and by actively monitoring corporate practices to ensure alignment with global standards. Strengthening whistleblower protections and transparency reporting requirements would empower employees and consumers to speak up about harmful data practices.
Lastly, adopting global best practices such as mandatory data ethics committees, standardized data breach notification protocols, and stronger accountability mechanisms for digital service providers would better protect consumers and reinforce Nigeria’s credibility in the global digital economy.
Conclusion
Data is now a core asset in Nigeria’s digital economy, and how companies manage it has direct implications for consumer rights, market integrity, and investor confidence. This article has shown that integrating robust data governance into corporate governance structures should not merely be a compliance checkbox to make a company look good. Incorporating data governance is a necessary evolution of corporate accountability, driven by the Nigeria Data Protection Act 2023 and reinforced through active regulatory enforcement by the Judiciary. There are still gaps in judicial clarity, but strengthening oversight mechanisms and embedding data responsibility within corporate boards will ensure that digital innovation does not come at the cost of public trust. Ultimately, Nigeria’s transition into a competitive and trustworthy digital marketplace depends on whether stakeholders choose to treat data governance as a strategic governance priority rather than a reactive legal obligation and the country’s ability to make it so.
Reference(S):
[1] Nigeria Data Protection Commission (NDPC) vs. Fidelity Bank Plc
[2]<https://techafricanews.com/2024/08/22/fidelity-bank-fined-%E2%82%A6555-8-million-for-data-protection-violations-by-ndpcRESEARCH/> accessed 27 October 2025
[3] Nigeria Data Protection Regulation 2019: Implementation Framework November, 2020<Https://nitda.gov.ng/wp-content/uploads/2021/01/NDPR-Implementation-Framework.pdf> accessed 26 October 2025
[4]Egbedion Oghenekevwe, ‘Data Governance Framework In Nigeria Data Governance & Data Quality Specialist’ (2024) Iosr Journal Of Economics And Finance https://www.iosrjournals.org/iosr-jef/papers/Vol15-Issue5/Ser-5/C1505052127.pdf> accessed 26 October 2025
[5] Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended)
[6] Pamela Victor-Ibitamuno, ‘NDPC’s ₦555.8 Million Fine against Fidelity Bank over Alleged Data Privacy Violation: Insights and Lessons’ (August 31, 2024)
<https://infusionlawyers.com/2024/08/31/ndpcs-555-8-million-fine-against-fidelity-bank-over-alleged-data-privacy-violation-insights-and-lessons/?utm_source=chatgpt.com> accessed 26 October 2025
[7]Elisha Bala-Gbogbo and And MacDonald Dzirutwe, ‘Nigeria fines Meta $220 million for violating consumer, data laws’( July 19) <https://www.reuters.com/technology/nigerias-consumer-watchdog-fines-meta-220-million-violating-local-consumer-data-2024-07-19/?utm_source=chatgpt.com> accessed 26 October 2025
[8] ‘Analysing the Federal High Court Ruling in the Case of Frank Ijege v. Nigeria Data Protection Commission’ <https://www.aluko-oyebode.com/insights/federal-high-court-nullifies-ndpc-guidance-notice/?utm_source=chatgpt.com> accessed 26 October 2025
[9] Miss Folashade Molehin v United Bank For Africa PLC (FHC/L/CS/2625/2023)
[10] Ifeoma Peters, ‘Privacy as a Fundamental Human Right: A Review Folashade Molehin v. UBA’(November 21, 2024)<https://dnllegalandstyle.com/dnl/privacy-as-a-fundamental-human-right-a-review-folashade-molehin-vs-uba/> accessed 26 October 2025
[11] Privacy and Compliance – Federal High Court Nullifies Parts of the Nigeria Data Protection Commission’s GuidanceNoti<https://www.templars-law.com/knowledge-centre/privacy-and-compliance-federal-high-court-nullifies-parts-of-the-nigeria-data-protection-commissions-guidance-notice-for-registration/?utm_source=chatgpt.com> accessed 26 October 2025
