Authored By: SARAH CHIADIKA
Delta State University
OVERVIEW
The Nigerian Data Protection Act 2023 (NDPA) marks a decisive legislative development in Nigeria’s digital governance framework. Replacing the Nigerian Data Protection Regulation 2019, the Act establishes a comprehensive statutory regime for the protection of personal data and creates an independent supervisory authority to ensure regulatory oversight. This article critically examines the objectives of the Act, its governing principles, the rights of data subjects, and its implementation mechanisms, including the administrative redress framework. It further situates the Act within Nigeria’s constitutional privacy guarantees and emerging compliance structures under the General Application and Implementation Directive (GAID) 2025. The article argues that while the NDPA provides a robust normative structure aligned with global standards, its long-term effectiveness depends on regulatory capacity, institutional coherence, and sustained compliance culture.
1. INTRODUCTION
The rapid expansion of digital infrastructure, financial technology, biometric identity systems, telecommunications networks, and e-governance initiatives has transformed personal data into a central asset in Nigeria’s economy. However, this transformation has also intensified the risks associated with data misuse, unauthorised disclosure, cyber attacks, and exploitative profiling practices.
Nigeria’s first structured attempt at data governance emerged through the Nigerian Data Protection Regulation 2019, issued by the National Information Technology Development Agency pursuant to the National Information Technology Development Agency Act 2007.¹ While the Regulation laid an important foundation, its subsidiary status limited enforcement depth and institutional independence.
The enactment of the Nigerian Data Protection Act 2023 (NDPA) represents a transition from regulatory guidance to full legislative codification.² The Act establishes the Nigeria Data Protection Commission as an independent supervisory authority and provides a structured framework for accountability, enforcement, and redress.
2. CONCEPTUAL FRAMEWORK OF THE NDPA 2023
At its core, the NDPA regulates the processing of personal data relating to identifiable natural persons. The Act adopts a broad understanding of personal data, encompassing a wide range of identifiers — including names, numbers, location data, and any information that directly or indirectly identifies a natural person. Unlike the NDPR, which functioned primarily as regulatory guidance, the NDPA establishes a full compliance ecosystem.
3. OBJECTIVES OF THE NIGERIAN DATA PROTECTION ACT
The NDPA is underpinned by clear legislative objectives. Foremost among these is the safeguarding of the fundamental rights and freedoms of data subjects, particularly the constitutional right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended).³
3.1. Judicial Recognition of Informational Privacy in Nigeria
In Digital Rights Lawyers Initiative v National Identity Management Commission, the Federal High Court affirmed that informational privacy forms part of the constitutional right to privacy.⁴ This judicial affirmation strengthens the normative force of the NDPA by anchoring it within constitutional jurisprudence.
Beyond rights protection, the Act seeks to promote responsible data processing practices, enhance consumer confidence in digital transactions, foster international data transfer compatibility, and strengthen Nigeria’s participation in the global digital economy. By creating an independent regulator, the Act also aims to institutionalise oversight and reduce fragmentation in enforcement.
4. GOVERNING PRINCIPLES AND KEY FEATURES OF THE NDPA
The NDPA is structured around foundational principles that guide lawful data processing. These include the following:
4.1. Lawful Processing
Personal data must be processed lawfully, fairly, and transparently.⁵ This requires controllers to identify a legitimate legal basis before processing begins, whether consent, contractual necessity, compliance with legal obligations, protection of vital interests, performance of a task in the public interest, or legitimate interest.
4.2. Purpose Limitation
The principle of purpose limitation restricts data use to specific, explicit, and legitimate objectives. Data collected for one purpose must not be repurposed arbitrarily. In a digital economy increasingly driven by analytics and artificial intelligence, this principle safeguards against covert profiling and secondary exploitation.
4.3. Data Minimisation and Accuracy
Data minimisation and accuracy ensure that only data necessary for the stated objective is collected and maintained in correct form. Excessive data collection practices are inconsistent with the Act’s protective orientation.
4.4. Storage Limitation
Storage limitation prohibits indefinite retention. Controllers must implement retention policies that align with necessity and proportionality.
4.5. Integrity, Confidentiality and Accountability
The principle of integrity and confidentiality requires technical and organisational safeguards against breaches, cyber attacks, and unauthorised access. These safeguards are reinforced by accountability obligations, which require controllers to demonstrate compliance through documentation, audits, and internal governance mechanisms.
5. RIGHTS OF DATA SUBJECTS
The NDPA confers a range of enforceable rights upon data subjects, grounded in the constitutional right to privacy under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) and affirmed by the Federal High Court in Digital Rights Lawyers Initiative v National Identity Management Commission.⁶ These rights are enforceable both administratively and judicially, thereby reinforcing their substantive character.
- Right to Erasure or Deletion: A data subject may require a controller to delete personal data where continued retention is no longer justified.
- Right to Rectification: A data subject is entitled to correct or rectify inaccurate personal data held by a data controller.
- Right to be Informed: A data subject has the right to be informed of the nature, purpose, and extent of the use of his or her personal data.
- Right to Data Portability: A data subject may have his or her personal data transferred from one controller to another where technically feasible.
- Right to Object to Processing: A data subject may object to the processing of his or her personal data in specified circumstances.
- Right of Access: A data subject is entitled to obtain access to, and copies of, personal data held by a controller.
- Right to Lodge Complaints and Seek Redress: A data subject may lodge a complaint with the Nigeria Data Protection Commission and seek appropriate administrative or judicial redress for violations of the Act.
- Right to Withdraw Consent: Where processing is based on consent, a data subject may withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
- Right in Relation to Automated Decision-Making: A data subject has the right not to be subject to decisions based solely on automated processing — including profiling — that produce significant legal or similarly material effects.
Despite the above, legislation alone does not guarantee effective enforcement, hence the introduction of the General Application and Implementation Directive (GAID) 2025. The GAID addresses procedural gaps by clarifying reporting timelines, audit thresholds, digital filing mechanisms, and risk-based supervision models. It enhances transparency in regulatory expectations and promotes uniformity in compliance practices. The GAID further strengthens the principles of the NDPA, the rights of data subjects, and cross-border transfer oversight by establishing clearer adequacy assessment standards and safeguard mechanisms.
6. IMPLEMENTATION MECHANISMS
The NDPA establishes a structured implementation framework. Data controllers and processors are required to implement organisational measures, appoint Data Protection Officers where applicable, conduct data protection impact assessments for high-risk processing, and notify the Commission of data breaches within prescribed timelines.⁷
The Act empowers the Nigeria Data Protection Commission to issue compliance directives, conduct investigations, approve codes of conduct, and impose administrative penalties.⁸
7. ADMINISTRATIVE REDRESS MECHANISM
The NDPA establishes an administrative redress framework under the supervision of the Commission. This mechanism allows data subjects to lodge complaints regarding alleged violations without first resorting to judicial proceedings.⁹ The Commission is empowered to investigate complaints, invite responses from alleged violators, issue interim protective directives, and determine appropriate remedies within specified timelines. Administrative sanctions may include compliance orders, warnings, corrective directives, or monetary penalties.
Importantly, the availability of administrative redress does not extinguish the right of aggrieved persons to seek judicial remedies. This dual-layered enforcement structure enhances accessibility while preserving constitutional adjudication, strengthens regulatory responsiveness, and provides a specialised forum for data governance disputes.
8. CHALLENGES AND POSSIBLE SOLUTIONS
Despite its robust architecture, the NDPA faces implementation challenges. Compliance culture remains uneven, especially among small and medium-sized enterprises. Technological infrastructure gaps, cyber security vulnerabilities, and limited public awareness hinder the full realisation of statutory protections.
Regulatory capacity is equally critical. The Commission must maintain technical expertise, digital monitoring systems, and inter-agency collaboration to effectively supervise an increasingly complex digital ecosystem.
Judicial interpretation under the NDPA is still evolving. Continued jurisprudential development will clarify ambiguous provisions and strengthen doctrinal coherence.
To further strengthen the Act, nationwide awareness campaigns, capacity-building initiatives, regulatory sandboxes for innovation, and international cooperation agreements will be essential. Strengthened collaboration between regulators, financial institutions, telecommunications operators, and technology companies can further institutionalise compliance.
9. CONCLUSION
The Nigerian Data Protection Act 2023 represents a transformative moment in Nigeria’s legal and digital landscape. By codifying enforceable rights, institutionalising independent regulatory oversight, and embedding accountability within data processing practices, the Act aligns Nigeria with global data governance standards.
The integration of administrative redress mechanisms and the operational guidance provided by GAID 2025 enhance practical enforcement. However, the true measure of the Act’s success will depend on sustained regulatory capacity, judicial engagement, technological investment, and societal awareness.
If effectively implemented, the NDPA has the potential to strengthen constitutional privacy protections, foster digital trust, and position Nigeria as a responsible and competitive participant in the global data economy.
REFERENCE(S):
1 National Information Technology Development Agency Act 2007.
2 Nigerian Data Protection Act 2023.
3 Constitution of the Federal Republic of Nigeria 1999 (as amended) s 37.
4 Digital Rights Lawyers Initiative v National Identity Management Commission Suit No FHC/ABJ/CS/1248/2020 (Federal High Court, Abuja, 2021).
5 Nigerian Data Protection Act 2023, Part III.
6 Digital Rights Lawyers Initiative v National Identity Management Commission Suit No FHC/ABJ/CS/1248/2020 (Federal High Court, Abuja, 2021).
7 Nigerian Data Protection Act 2023, Part V.
8 Nigerian Data Protection Act 2023 (administrative penalties provisions).
9 Nigerian Data Protection Act 2023 (administrative redress framework provisions).





