
Emerging Technologies: Implications of AI, Big Data, IoT, Blockchain, and Biometrics on Privacy and Compliance – 2

Privacy Risks Associated with Blockchain and Biometrics

Blockchain and biometrics have potential advantages, but both present risks for data privacy in Nigeria. Since biometric data is sensitive, strict precautions must be taken to avoid misuse and unauthorised access. Some of the privacy threats are data breaches, unauthorised access, and the possibility of surveillance and personalization.

  • Data Breaches and Unauthorised Access

Biometric data is incredibly private, and its theft can have serious ramifications. Even though blockchain is secure, there is still the risk of biometric data being exposed through breaches or misuse. Unlike passwords, biometric traits cannot be replaced if stolen. Identity theft, fraud, and other malicious activities may result from incidents in which biometric data is intercepted. The security issues of, and suggestions for, a secure biometric authentication system are effectively addressed in the study by Bhartiya et al. To protect biometric data from breaches and undesirable access, it is important to use multiple factors for authentication, secure storage, and encryption.

  • Potential for Surveillance and Profiling

The integration of biometrics with blockchain could raise concerns about surveillance if governments or corporations misuse this technology to track individuals without their knowledge. Where biometric and facial recognition systems are in use, monitoring takes place in real time, which means that such technologies could lead to the normalisation of surveillance or always-on surveillance, adding to the invasion of privacy.[1] Blockchain’s transparency, while advantageous for security, may inadvertently erode anonymity if biometric data is linked to a public address.

  1. LEGAL CONSIDERATIONS

The Nigeria Data Protection Act 2023 is the legal framework governing data protection in Nigeria today. The Nigeria Data Protection Regulation 2019 was Nigeria’s first comprehensive regulation focused on data protection; it was issued by the National Information Technology Development Agency (NITDA) and came into effect on January 25, 2019.[2] The NDPR aims to protect the privacy rights of individuals by ensuring the proper handling and protection of personal data. The NDPA 2023 further strengthens data protection laws in Nigeria and provides a more robust legal framework, addressing some of the gaps in the NDPR. The NDPA establishes the Nigeria Data Protection Commission (NDPC) as the primary regulatory body for data protection in Nigeria.[3] The Commission is responsible for enforcing the provisions of the Act and overseeing data protection practices. The Act broadens the scope of data protection by covering both public and private sector entities, regardless of their size. It also extends protections to all types of personal data, including sensitive data.[4]

These regulations lay out comprehensive criteria for the collection, storage, and handling of personal data, including biometric data. For instance, the NDPA defines sensitive personal data to include personal data relating to an individual’s genetic and biometric data, for the purpose of uniquely identifying a natural person.[5] While these frameworks provide a robust foundation for data security, they fall short of addressing the complexities introduced by emerging technologies like biometrics and blockchain.

The immutable nature of blockchain technology, when juxtaposed with the NDPA’s “right to be forgotten”,[6] presents significant legal challenges. Moreover, legislative updates often lag behind the swift advancement of biometric technologies, creating gaps in regulation and protection. Additionally, as blockchain and biometric data can easily cross national borders, enforcement and compliance become more complicated, highlighting the limitations of current laws in dealing with inter-jurisdictional issues.

  • THE NEED FOR ROBUST LEGAL FRAMEWORKS

Big data analytics, AI profiling, IoT device telemetry, and blockchain immutability all test the scope and resilience of the Nigeria Data Protection Act (NDPA) 2023. While the Act codifies principles of fairness, transparency, and accountability, its practical application to emerging technologies presents significant cross-cutting risks.

  • Data Localisation and Cross-Border Transfers

One of the most pressing challenges is cross-border data flow. Nigeria is increasingly integrated into global digital value chains, with cloud providers, AI training platforms, and blockchain nodes often hosted outside national borders. The NDPA requires adequacy decisions or appropriate safeguards for transfers, yet Nigerian businesses frequently rely on foreign service providers without conducting transfer impact assessments. Okoro observes that many firms “lack the governance structures to operationalise lawful transfer regimes,” resulting in a compliance gap between legal obligations and business practices.[7] This gap is particularly acute for SMEs and fintech start-ups that depend on global cloud infrastructure.

  • Vendor and Third-Party Risk Management

AI and IoT deployments often involve complex supply chains of vendors, from software developers to device manufacturers and analytics service providers. Nigerian organisations typically fail to impose robust contractual safeguards, such as model clauses on data protection, encryption standards, or incident response coordination. This weakness amplifies liability in the event of a breach, as accountability under the NDPA extends to both controllers and processors.

  • Lawful Basis and Purpose Limitation

Emerging technologies frequently blur the lines of lawful processing. For instance, IoT devices may continuously capture personal data without explicit consent, while blockchain systems may store transactional metadata indefinitely. Establishing a lawful basis, whether consent, contract, or legitimate interest, is more complex in these contexts. Adegoke argues that the NDPA’s principles “must be reinterpreted through the lens of technological functionality,” requiring regulators to issue sectoral guidelines clarifying lawful bases in AI, IoT, and blockchain contexts.[8]

  • Incident Response and Cybersecurity

The Cybercrimes Act 2024 requires prompt reporting of breaches, while the NDPA mandates notification to the NDPC and data subjects. IoT networks, by design, expand the attack surface and increase the likelihood of breaches. Nigerian businesses often lack tested incident response playbooks or data breach simulation exercises, a shortfall that compounds regulatory and reputational risks when incidents occur.

These cross-cutting risks illustrate that compliance under the NDPA cannot be approached piecemeal. Instead, organisations must adopt enterprise-wide governance, embed privacy-by-design into technology procurement and deployment, and invest in capacity-building. Without such measures, compliance will remain reactive, fragmented, and ultimately insufficient.

Legal frameworks must change to meet the particular difficulties brought about by this fusion of technologies, guaranteeing that people’s rights and privacy are sufficiently safeguarded while encouraging innovation and uptake. Biometrics and blockchain require robust legal and ethical frameworks to tackle new challenges. They also pose a challenge for accountability.[9] Furthermore, even if a Public Key Infrastructure (PKI) for biometrics is a good approach, it must be implemented with caution to avoid creating new issues or other weaknesses. The legal frameworks must be modified to address the specific challenges posed by the integration of technologies, guaranteeing the protection of privacy and people’s rights while also promoting innovation and adoption.[10]

CONCLUSION

The interaction of emerging technologies and data privacy protection regulations presents a landscape of immense opportunities and challenges. The journey towards enhancing data privacy in an age of technological innovation is a complex and ever-evolving one. There is a need to strike a balance between harnessing the potential of emerging technologies and safeguarding individuals’ fundamental right to data privacy. This study delved into the transformative power of technologies such as AI, blockchain, IoT, and biometric authentication in reshaping the data privacy paradigm. These innovations have the potential to reinforce data protection, streamline user control over personal information, and ensure the integrity of data transactions. From AI-driven privacy-preserving techniques to the decentralization and transparency of blockchain, these technologies offer promising avenues for stronger privacy regulations.

However, vigilance is germane to addressing the complexities and challenges introduced by these technologies. The ethical use of AI, the mitigation of algorithmic bias, and the safeguarding of individual privacy in a world of IoT-connected devices are issues that demand strict attention. The potential for misuse, data breaches, and unauthorized surveillance stresses the need for robust security measures and clear regulatory guidelines that keep pace with, and incorporate, advances in technology. Therefore, in this evolving landscape, a few fundamental principles must guide the approach to enhancing data privacy protection regulations. Technologies should be developed with privacy considerations at their core, through privacy by design. Individuals must be informed about how their data is collected, used, and protected, in keeping with the principles of transparency and informed consent, and data minimization must ensure that only necessary data are collected and retained. The responsible and ethical use of technologies is imperative. Therefore, collaboration between governments, regulatory bodies, the private sector, and technology developers is essential in establishing clear and effective privacy regulations and standards.

——

About the Authors

This article was jointly authored by Ifeoma Peters, Hameedah Oshodi, Ahmed Hassan and Eniola Balogun, members of the legal team at DNL Partners, a Nigerian law firm with expertise in data protection, technology law, and regulatory compliance. The team provides advisory and compliance support across sectors on issues relating to privacy, cybersecurity, and emerging technologies under the Nigeria Data Protection Act (NDPA) 2023 and related frameworks.

For further enquiries, please contact:

DNL Partners

Phone: 08020710511

Email: info@dnlpartners.com

Website: www.dnlpartner.com


[1] S Wachter ‘Normative challenges of identification in the internet of things: Privacy, profiling, discrimination, and the GDPR’ (2018) 34 Computer Law & Security Review 436 https://doi.org/10.1016/j.clsr.2018.02.002. (Accessed 10th August 2024).

[2] Nigeria Data Protection Regulation 2019 https://nitda.gov.ng/wp-content/uploads/2020/11/NigeriaDataProtectionRegulation11.pdf (Accessed 10th August 2025)

[3] Nigeria Data Protection Act 2023 sec 4.

[4] Nigeria Data Protection Act 2023 sec 30.

[5] Nigeria Data Protection Act 2023 sec 65.

[6] Nigeria Data Protection Act 2023 sec 34 (d)

[7] Okoro, “Big Data Governance and the Law in Nigeria: Challenges of Compliance,” Journal of African Business and Technology 17, no. 2 (2023): 145–166.

[8] Adegoke, “Data Privacy and Protection in Nigeria: A Critical Review of the NDPA 2023,” African Journal of Law and Technology 6, no. 2 (2024): 61.

[9] C Tankard ‘What the GDPR means for businesses’ (2016) Network Security 5 https://doi.org/10.1016/s1353-4858(16)30056-3 (Accessed 10th August 2025)

[10] NB Truong and others, ‘GDPR-compliant personal data management: A blockchain-based solution’ (2020) 15 IEEE Transactions on Information Forensics and Security 1746 https://doi.org/10.1109/tifs.2019.2948287 (Accessed 10th August 2025).
