Authored By: Adio, Favour Ayomide
Lagos State University, Ojo
Introduction
The digital era has transformed how personal information is collected, stored, and disseminated. While this connectivity offers vast opportunities, it also raises serious concerns about privacy and the permanence of digital records. Information that was once obscure or forgotten can now resurface with a simple online search, often with lasting consequences for individuals. To address these concerns, the Right to Be Forgotten (RTBF) has emerged as an important legal and ethical principle. It allows individuals to request the removal or suppression of personal data that is outdated, irrelevant, or no longer necessary, balancing personal dignity with the public’s right to information.
Although most prominently developed in European jurisprudence, the concept is gaining attention in Nigeria. Legal and policy debates are increasingly focused on whether individuals should be able to control their digital footprints and under what circumstances such a right can be exercised. This article explores the meaning of RTBF, its recognition within Nigerian law, the influence of case law, and the challenges and opportunities of enforcing this right in the country’s digital environment
Right to be forgotten Explained
The “right to be forgotten” (RTBF) is a legal principle that gives individuals the right to request that personal information about them be removed from certain sources, such as search engine results, databases, or websites, when that information is no longer relevant, accurate, or necessary.[1] In practice, this means an individual can ask a “data controller”[2], such as a search engine (like Google), to suppress links about them when the links no longer serve a legitimate public interest.
The right to be forgotten can be understood as an extension of the right to erasure, which is an offshoot of the right to privacy as entrenched in the Constitution of the Federal Republic of Nigeria[3]. It regulates the obligation of data controllers to delete or process personal data or make it publicly accessible.
The right to be forgotten is a basic data protection concept that gives individuals, often referred to as data subjects, the ability to ask for the deletion of their personal information in certain situations. It allows an individual the right to prevent his data from being accessed by others due to the data being already erased from the available database. It recognises that the permanence of online data can be unfairly punishing, thereby allowing an individual to erase part of their digital histories
This right is rooted in the protection of privacy, dignity, and control over personal information, but it is not absolute; rather, it is subject to balancing with competing interests such as freedom of expression, public health, and the wider public interest.
STATUTORY FRAMEWORK FOR THE RIGHT TO BE FORGOTTEN UNDER THE NIGERIAN LEGISLATION.
The RTBF traces its modern legal foundation to EU data-protection law. The RTBF traces its modern legal foundation to EU data-protection law. The RTBF is now codified in the EU’s General Data Protection Regulation (GDPR, Article 17)[4] as a right to erasure, subject to strict conditions and balancing with freedom of expression
In Nigeria, the first legislation addressing the right to be forgotten of a data subject was first mentioned in The Nigeria Data Protection Regulation (NDPR), 2019,[5] a subsidiary legislation made by the National Information and Technology Development Agency (NITDA). The NDPR contains provisions addressing the right to be forgotten.
The Nigeria Data Protection Commission (NDPC) was established to regulate the processing of personal data following the passage of the National Data Protection Act (NDPA),2023 (hereinafter referred to as ‘NDPA’).[6]
In the event that personal data is erroneous, deceptive, or outdated, it may be corrected or deleted
“(c) the correction or, if correction is not feasible or suitable, deletion of the data subject’s personal data that is inaccurate, out of date, incomplete, or misleading;”[7]
The NDPA also permits and recognises the right of a data subject to request erasure of personal data and the granting of such a request without undue delay.
“(d) the erasure of personal data concerning the data subject, without undue delay;”[8]
It went further to state the situation when a data controller will grant the request for erasure of a data subject.
“(2) A data controller shall erase personal data without undue delay, where
(a) the personal data is no longer necessary, in relation to the purposes for which it was collected or processed, or
(b) the data controller has no other lawful basis to retain the personal data.”[9]
The General Application And Implementation Directive (GAID) 2025[10] was published by the Nigeria Data Protection Commission (NDPC) makes a complete evaluation of the right to be forgotten in the data business arena.
JUDICIAL PRECEDENT
A notable case which laid down the foundation for the principle of the right to be forgotten within the European jurisdiction is the The Google Spain v. AEPD (Mario Costeja González) (2014)[11], which pavea way for the incorporation of the right to erasure into the EU GDPR
This CJEU case established the RTBF principle in EU law. Mario Costeja González had asked Google Spain to remove links to a 1998 newspaper auction notice about his foreclosed home, arguing it was irrelevant after he paid his debts. In May 2014 the Court held that search engines are “data controllers” and that individuals can require de-referencing of outdated or irrelevant personal data. The Court famously ruled that links should be removed if the information is “inadequate, irrelevant or no longer relevant, or excessive in relation to [the purposes]” – unless the person is a public figure or the information is of public interest. This set the criteria for RTBF requests (relevance, accuracy, and public interest balance). The Google Spain decision did not create a new fundamental right but interpreted existing EU law (Dir. 95/46) to allow delisting. The Court emphasized that de-listing only applies to name-based searches; the content itself is not erased from the web.
In Olatokun v. Polaris Bank Ltd[12], Mr. Tokunbo Olatokun requested his bank (Polaris Bank) to close his account and expunge his personal data, specifically his email address and phone number from their systems, and to cease further communications. Despite these clear instructions, Polaris Bank continued sending him unsolicited promotional emails. Mr. Olatokun invoked his fundamental right to privacy under Section 37 of the Constitution; The right to object to processing and to restrict further processing of his personal data[13], The right to restrict processing[14].
The High Court of Lagos State, presided over by Justice Y.A. Adesanya, ruled in favor of Olatokun: held that the unsolicited marketing messages, sent despite express instructions to cease, constituted a violation of the applicant constitutional right to privacy and his statutory rights under the NDPA, the right to object to further processing (Section 36) and the right to restrict such processing after request has been made[15]
CONDITIONS FOR EFFECTING RIGHT TO BE FORGOTTEN IN NIGERIA
The General Application And Implementation Directive (GAID) 2025 expressly establishes clear provisions on the Right to be Forgotten [16]. Under GAID 2025, every data subject has an explicit right to demand the erasure of their personal data if any of the following conditions are met:
- Data is no longer necessary: The personal data has fulfilled the purpose for which it was originally collected or processed and is no longer required.
- Consent is withdrawn: Where processing of the data was based on the individual’s consent, erasure must follow immediately once that consent is revoked.
- Objection to legitimate interests: If the processing is justified on the organisation’s legitimate interests but the data subject objects, processing must cease unless an overriding and demonstrable legal ground exists.
- Direct marketing: Where personal data is used for direct marketing purposes, erasure is mandatory upon objection by the individual.
- Unlawful processing: Any personal data processed in violation of the law must be erased without delay.
- Legal obligation: Erasure is compulsory where required to comply with a binding legal ruling or regulatory directive.[17]
At the same time, GAID 2025 establishes firm limitations and exceptions to the Right to be Forgotten. These safeguards ensure that individual privacy rights are balanced against broader legal, societal, and public interest imperatives:
- Freedom of expression and information: Data may be lawfully retained where its continued processing is essential to protect freedom of expression and information, as recognised under Section 45 of the 1999 Constitution and reinforced by the NDP Act.
- Legal and Public Interest Grounds: Data Processing may continue where strictly necessary to; Comply with binding legal obligations or court rulings, Perform tasks in the public interest or under official authority; Protect public health in the public interest; and to provide preventive or occupational medical services by licensed professionals under confidentiality.
- Research and Public Benefit: Data may be retained where necessary for scientific research, historical archiving, or statistical purposes, especially where erasure would seriously impair the objectives. Controllers must apply safeguards such as anonymisation or pseudonymisation.
- Legal Claims: Data may be retained where essential to establish, exercise, or defend legal claims, including ongoing or anticipated proceedings.
- Third-Party Erasure Obligations: Where data has been disclosed or made public, controllers are responsible for ensuring its erasure by third parties, either at the subject’s request or under Commission directive. Reasonable and enforceable measures must be taken to prove compliance.
- Public interest in disclosure: The right to erasure shall not apply where continued disclosure demonstrably serves the public interest. In such cases, the data controller bears the burden of proof to justify retention on public interest grounds[18]
Challenges and Prospects of the Right to Be Forgotten in Nigeria
The enforcement of the Right to Be Forgotten (RTBF) in Nigeria faces a number of complex challenges that cut across legal, institutional, technological, and socio-cultural dimensions. While the principle itself is rooted in safeguarding privacy and dignity in the digital age, its practical application in Nigeria has proven far from straightforward.
One of the foremost challenges is the issue of public awareness. A large segment of the Nigerian population remains unaware of their rights in relation to data protection and privacy. For many, the idea that personal information shared online could later be erased is unfamiliar, particularly in a society where digital literacy levels are uneven. Without adequate awareness campaigns and education, individuals are unlikely to invoke the right, and even where they do, they may lack the knowledge of the procedures required to exercise it effectively.
Another significant challenge lies in institutional and enforcement capacity. Although Nigeria has taken steps to establish regulatory bodies tasked with overseeing data protection and privacy, these institutions often face limitations in terms of funding, manpower, and technical expertise. Enforcing RTBF requests against powerful multinational corporations or even local data controllers can be daunting. Compliance monitoring remains a weak spot, and in the absence of strong sanctions or clear judicial guidance, many organisations may simply disregard requests for data erasure.
Despite these challenges, the prospects for the RTBF in Nigeria are nonetheless promising. The growing recognition of digital rights within the Nigerian legal framework suggests that RTBF is gradually gaining traction. As data protection becomes an increasingly important component of governance, the principle of erasure is likely to receive stronger legal backing and clearer guidelines for implementation.
In addition, the strengthening of regulatory institutions presents an opportunity for better enforcement. With proper resourcing and capacity-building, regulators can play a more assertive role in compelling compliance from data controllers and ensuring that individuals’ requests are taken seriously.
The rise in digital literacy and awareness also offers hope. As more Nigerians engage with digital platforms, they are becoming more conscious of issues surrounding privacy and personal data. This growing consciousness can drive demand for stronger recognition of RTBF and pressure regulators and courts to take a firmer stance on enforcement.
In sum, while Nigeria faces considerable hurdles in making the Right to Be Forgotten a reality, the trajectory is not entirely discouraging. With greater public awareness, institutional strengthening, judicial engagement, and technological adaptation, the principle could evolve into a powerful tool for protecting personal dignity and autonomy in the digital age.
Conclusion
The Right to Be Forgotten represents an evolving dimension of digital privacy, rooted in the desire to give individuals greater control over their personal information in an age where data permanence can cause lasting harm. In Nigeria, while the NDPR 2019, NDPA 2023, and GAID 2025 provide a statutory framework, the right is still at an early stage of development, with limited judicial interpretation and practical enforcement challenges.
Nevertheless, the prospects are encouraging. With growing awareness of digital rights, stronger regulatory mechanisms, and alignment with global best practices, Nigeria has the opportunity to entrench RTBF as a meaningful safeguard for privacy without undermining freedom of expression or the public interest. For this to happen, however, deliberate efforts will be required to strengthen enforcement, educate stakeholders, and ensure that Nigerian jurisprudence keeps pace with the digital realities of the 21st century.
Reference(S):
[1] “Nishith DeSai Associates: The Firm” <https://nishithdesai.com/research-and-articles/hotline/high-court-in-india-reaffirms-the-need-for-an-individuals-right-to-be-forgotten-4423> accessed September 10, 2025
[2] Data controller’ means an individual, private entity, public commission, agency, or any other body who, alone or jointly with others, determines the purposes and means of processing personal data (NDPA 2023, s 62)
[3]Constitution of the Federal Republic of Nigeria 1999 (as amended), s 37
[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
[5] The Nigeria Data Protection Regulation (NDPR), 2019, a subsidiary legislation made pursuant to Section 6 of the National Information and Technology Development Agency Act of 2007, which vests in the National Information and Technology Development Agency (NITDA) the power to make regulations.
[6] Nigeria Data Protection Act 2023, s 4.
[7] NDPA s 34(1)(c).
[8] NDPA s 34(1)(d)
[9] NDPA s 34(2)
[10] General Application and Implementation Directive 2025, issued pursuant to s 61, Nigeria Data Protection Act 2023
[11] Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014] ECR I-317
[12] Tokunbo Olatokun v Polaris Bank Limited (Federal High Court), Suit No LD/17392MFHR/2024, 5 December 2024)
[13] NDPA s 36(1) and (2)
[14] NDPA s 34(1)(c)
[15] NDPA s 34(1)(c)
[16] General Application and Implementation Directive 2025, art 38
[17] General Application and Implementation Directive 2025, art 38(1)
[18] General Application and Implementation Directive 2025, art 38(2)-(4)
