Nigeria Data Protection Act 2023: Canaan at Last or A Call to Show More Decisiveness to Privacy and Cyber Security


By Emmanuel Temitayo Ojo

A few days ago, Nigeria’s agonizing long walk to freedom eventually came to an end – the Nigeria Data Protection Act (NDPA) was finally signed by the President.[1] While Nigeria has experienced numerous developments in technological areas in recent years, with significant start-ups and Fin-Techs rising up in different spheres, even with the almost non-existent implementation of the NDPR (which, by the way, dummied the GDPR without considering the intricate differences that may come up in its execution), the need for an all-encompassing law on data protection couldn’t be side-lined.

Without any doubt, data is the new oil[2], not because of the economic benefits alone but also, and most importantly, because it powers modern industries; that is, nothing in this age will ever work successfully if not controlled – even AI. Cognisance is given to the recent directives of the CBN as they relate to open banking[3]; this appreciable development will never fully make sense without a solid framework on data protection which ensures its workability and sustenance.

There was always going to be a need for the Act – as the NDPR couldn’t fill the vacuum that made a mockery of Nigeria, the giant of Africa yet crippled by incessant fear and lack of control or grip over cyber-insecurities, data breaches, data leakages, lack of accountability in the handling of citizens’ data, not to talk of the economic consequences that were further assisted by the impotent laws on data protection – to show great concern for the right of privacy that had transformed from the archaic definition in s.37 of the Constitution of the Federal Republic of Nigeria to a more branded and dynamic protection of data, information that defines a person, both online and offline.

With the NDPA now in force, the various laws in all sectors that had inklings of the right to privacy in them now have the guarantee of a law, next to the grundnorm, that would further substantiate the implementation and accountability of data protection in Nigeria, the duties of DPCOs, data processors and data controllers, and the rights of data subjects.

The Act provides for the protection of the personal data of all data subjects as well as the establishment of the Data Protection Commission[4]. In addition to the need for accountability, the Act also provides for the national commissioner to oversee the implementation of the cores of the Act, while it also spells out the independence of the Commission, without which the Act itself may be used against the purpose which it was supposed to serve.[5]

Another key feature of the Act is that it now covers even non-citizens, so far as they are domiciled, ordinarily resident or ordinarily operating in the country. This may now be effectively used by tourists as well.

The Act makes sure to provide for the lawful basis for processing the data of data subjects in such a way that it aligns with the general principles of data protection, while also defining what consent should be and that silence of the data subject doesn’t constitute consent[6]. Accordingly, children have no right to give consent except through parents and guardians[7]; hence companies must ensure, in their dealings with various data subjects, the accuracy of the data collected.

It stipulates that consent must be affirmative and not through any pre-selected means. This resonates with the common practice of Nigerians to find loopholes in statutes just to defeat the purpose and avoid the consequences of their non-compliance.

The Act also provides for the rights of data subjects, which include but are not limited to the right to lodge complaints, to make requests for the data so collected and to check into the processing of their data[8], withdrawal of consent, the right to object, automated decision making and data portability.

The NDPA mandates the registration of the controllers and processors of data[9] and fully provides for the steps to be taken in situations of personal data breach.[10] These important improvements, which have finally seen the light of day, are to create bigger obligations on data controllers and processors due to the sensitivity of the data that they process, one that requires greater accountability.

The Act also makes provision for the further categorizing of personal data into sensitive personal data[11], and provides, in furtherance of other provisions, that such data is not disclosed without the explicit consent of the subject.

While in the past one of the major challenges of the NDPR has been its reaction towards data breach, non-compliance and the sanctions given, this Act provides for a sterner approach to serve as deterrence: giving part of the profits realised in the year, and paying a fine of 10 million naira for data controllers of major importance and 2 million naira for data controllers of minor importance.[12]

The struggle to actually have this bill is an age-long one, and it is either that the government is tired of getting unnecessary attention for its failed duties or that it is indeed ready to give data protection its proper priority.

In conclusion, having enacted the NDPA, Nigeria as a nation should begin to work on its improvements.

For example, since May 2019, the EU gave operation to the regulation of the free flow of non-personal data[13], which allows companies and public administrations to store and process non-personal data, whenever they choose. One of the benefits of such regulation is full synergy with countering cyber-insecurity.

Hence, we must not be deceived by the expected celebration of the Nigeria Data Protection Act. It must not be seen as the peak or finality of the enforcement of data protection but as a wake-up call against complacency and a call to readiness to control the dynamics of modern technologies in all the ways that they intersect with the right to privacy.

Emmanuel Temitayo Ojo is a law graduate with a passionate interest in data protection, Fin-Tech, employment law and corporate and commercial practice. He’s open to learning new dynamics of the present while being committed to growth and development in areas of interest.




[4] Sections 4, 5 and 6 of the Nigeria Data Protection Act provide for the establishment, functions and powers of the Data Protection Commission.

[5] Section 7 of the Nigeria Data Protection Act.

[6] Section 20 of the Nigeria Data Protection Act.

[7] Section 26 of the Nigeria Data Protection Act.

[8] Sections 29 – 33 of the Nigeria Data Protection Act.

[9] Section 39 of the Nigeria Data Protection Act.

[10] Section 35 of the Nigeria Data Protection Act.

[11] Section 25 of the Nigeria Data Protection Act.

[12] Section 43(3) of the Nigeria Data Protection Act.

