INTRODUCTION
In the next ten years, we will reach the point where almost everything will be digitalised – Satya Nadella. Nigeria’s digital transformation has unfolded unparalleled opportunities; but at what cost to privacy? In an age where data is the new oil, the protection of this data has become a refining issue that needs a thorough appraisal.
An efficient data protection framework must be built on cardinal principles of good information handling, including: accuracy, adequacy, relevancy, consent, security, confidentiality, and non-transferability to another without adequate protection.
Recent happenings underscore the precarious tension with the violation of data privacy by Artificial Intelligence companies, and many organisations, including schools, fintechs, health institutions, and marketers; routinely collect and use data without consent, often through third-party bulk SMS vendors and online data harvesting. The question then arises: are Nigerians’ data verily protected, or are they being stilly exploited?
This article examines the strength of the Nigerian Data Protection Act, 2023, in protecting data privacy from being exploited amidst stirred tensions between digital activities and privacy issues.
CONCEPTUAL CLARIFICATION
To effectively appraise the strength of NDPA, 2023. It’s essential to understand the keystone that undergirds the discourse.
Data Privacy: Simply put, data privacy defines who legally has access to data.
Data Protection: Data protection is the tool, instrument, and policies created and aimed at protecting data privacy while restricting access to personal information.
Data privacy and data protection play a vital role in business operations, development, and finances. By protecting data, companies can prevent data breaches, damage to reputation, and can better meet regulatory requirements.
CONSTITUTIONAL FOUNDATION AND LEGAL FRAMEWORK OF DATA PRIVACY IN NIGERIA
In Nigeria, Data privacy is primarily governed by the Constitution of the Federal Republic of Nigeria, 1999 as enriched under section (37). The Constitution provides the fundamental right of privacy and guarantees protection for such privacy, thus:
“The privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications is hereby guaranteed and protected.”
Legislations are the main piece regulating data protection. In 2023, Nigeria Data Protection Act (NDPA), was signed into law which then overrides the existing law, Nigeria Data protection Regulations, (NDPR) 2019.
This was a watershed in Nigeria towards developing a framework which protects data privacy. The Act provides, among others, framework for processing personal data; rights of a data subject; data security; cross-border transfer of personal data; requirements for data controllers and data processors of major importance; compliance, infringements, penalties, and dispute resolution; and the establishment of the Nigeria Data Protection Commission (the “Commission”), as an independent body to superintend and regulate data protection matters, and enforce compliance with the provisions of the Act.
Furthermore, the Nigerian Data Protection Commission (NDPC) general application and implementation directive (GAID) 2025, of the Nigerian Data Protection Act, 2023.
Among others, Freedom Of Information Act, 2011. As provided under provision of section 14 of the act; clearly limits the power of the government from leaking personal data of any citizen except him/her consents to the disclosure. This is so, to curtail and put to check the powers of the government, as they are saddled with the responsibility of being at the disposal of the personal data of citizens.
KEY PROVISION OF THE NDPA 2023
The Nigeria Data Protection Act, 2023 introduces many distinct provisions that aim to regulate the collection, processing, use, storage, and even transfer of personal data. A few key provisions are:
• Personal Data Processing: as hinged in the water of Section 24 (1) a, thereon. it ensures that data are processed in a fair, lawful and transparent manner strictly used for purposes which it was collected.
• Consent Processing: under Section (26) thereon, which ensures that consent must be secured, freely given, informed, and unambiguously to maintain fairness and legality.
• Data Subject Rights: it ensures that individuals (subjects) have the right to be informed of the purpose of processing personal data, correction or deletion of data and data withdrawal. Section 34, 35 thereon.
• Among others are: Data Security under Section (39), Cross Border Transfer under Section (41) and Enforcement under Section (46) by seeking redress when their rights are infringed.
Many of these provisions reflect the framework of The General Data Protection Regulation (GDPR) which is the European Union regulation on information privacy. This portrayed Nigeria’s commitment to maintaining international standards. However, enforcement and awareness remain ultimately tests of their effectiveness.
TESTING THE STRENGTH: IMPLEMENTATION GAP OF THE LEGAL FRAMEWORK OF DATA PRIVACY
a. Resource Constraints: Lack of resources including unavailability of financial and technical resources to maintain the implementation of NDPA 2023 pose a significant roadblock to data protection in Nigeria.
b. Opaque Consent Culture: Consent must be freely given, specific, informed, and unambiguous. Opaque consent practices stand in contrast to this. Many websites today collect data unlawfully, bypassing due process. This practice lacks transparency and the implications are often not understood clearly by the individuals involved. Therefore, transparency is the fundamental key to data privacy.
c. Weak Enforcement Infrastructure: The existence of Legal frameworks is one thing and enforcement is another. Hence, the Nigerian data protection commission lacks the resources and personnel to oversee digital surveillance. Adversely, the violation of the Nigerian data protection act is rampant and remains wide.
d. Lack of Legal Awareness: Lack of knowledge of data protection has a great impact on the violation of data privacy. Many individuals are unaware of their right curbing their ability to enforce their right or lodge complaints.
e. Lack Of Judicial Precedent: There’s a little or less published judgement from the superior court regarding data protection infringement which defines key elements such as what constitutes valid consent, the threshold for a data breach, or the scope of the NDPC’s enforcement powers this does not only erode judicial integrity but also undermine consistency in the decision making.
f. Corporate Non-Compliance: Businesses and website owners in Nigeria, often fail to adhere to legal requirements for handling personal data which may pose significant risks to data privacy.
A CASE STUDY
A recent case is the legal tussle between Boluwatife Sanya and a school which was instituted before the High Court of Oyo State after receiving an unsolicited SMS from the school, advertising its admission programme.
The Applicant never provided the school with his data, particularly his mobile number, and did not consent to any form of marketing communication. Hence, the SMS constitutes a violation of Section 24 and 25 of the NDPA, 2023 which require that personal data must be collected and processed lawfully, fairly, and with the data subject’s informed consent. Additionally, Article 18(1) (a) of the NDPA General Application and Implementation Directive, 2025 explicitly provides that where personal data is processed for direct marketing, the consent of the Data subject is the only basis on which such personal data may be processed.
RECOMMENDATIONS AND CONCLUSION
Experts agree that using customer data improves marketing and profits. Consultants estimate this can lead to a 5-6% advantage over competitors. Companies spend a lot – $36 billion each year-collecting this data, which includes information like demographics, purchase history, and online behavior. If such important data gets into the hands of unwanted actors. It could cause atrocious damage.
While Data privacy in Nigeria faces significant challenges, however, there are opportunities for improvement. By strengthening the Nigeria Data Protection Commission (NDPC): this include pooling resources and increasing funds, by implementing these strategies, the NDPC can strengthen its capacity to effectively protect data and privacy in Nigeria.
Also, Foster Public and Employee Training and Awareness: by Funding multilingual campaigns under NDPA Section 2(b) via radio and social media, and partnering with NGOs for grassroots outreach. Most importantly, organizations must maintain flexibility in their compliance programs while ensuring adherence to requirements and this can be accomplished by training their employees and maintaining due corporate compliance with regulatory compliance.
Furthermore, Utilise Technology For Compliance And Security: technology plays a vital role in data protection compliance, and security. Implementing technical solutions like data encryption protects personal data.
CONCLUSION
In an age where Data is a new oil, protection should be accorded with utmost attention. Recent happenings have underscored the precarious tension with the violation of data privacy by Artificial Intelligence companies, and many organisations, including schools, fintechs, health institutions, and marketers.
Hence, Nigeria’s data protection framework anchored by NDPA, 2023 faces challenges like limited awareness, resource constraints, weak enforcement, amongst others. By implementing recommendations, NDPC can achieve effective compliance. When people’s personal information is kept private, their constitutional rights are protected.
REFERENCES:
1 Ursula Smartt, Media & Entertainment Law (3rd edn Routledge, 2017) 135
BarristerNG “Lawyer drags school to court over unsolicited sms, a test of the Nigeria data protection” https://barristerng.com/ibadan-lawyer-drags-school-to-court-over-unsolicited-sms-a-test-of-the-nigeria-data-protection-act/
4 Cloudian “What’s data protection and data privacy” https://cloudian.com/guides/dataprotection/data-protection-and-privacy-7-ways-to-protect-user-data/
Ibid
Cloudian “What’s data protection and data privacy” https://cloudian.com/guides/data-protection/data-protection-and-privacy-7-ways-to-protect-user-data/
Constitution of the Federal Republic of Nigeria 1999 s.37
Nigeria Data Protection Act, 2023
Nigeria Data protection Regulations, (NDPR) 2019
Banwo Ighodalo “Nigeria Data Protection Act” https://www.banwo-ighodalo.com/grey-matter/nigeria-data-protection-act-what-individuals-businesses-and-organizations-should-know/
Nigerian Data Protection Commission (NDPC) general application and implementation directive (GAID) 2025
Nigeria Data Protection Act, 2023
Freedom Of Information Act, 2011
Nigeria Data Protection Act, 2023 s. 24
Nigeria Data Protection Act, 2023 s. 26
Nigeria Data Protection Act, 2023 s. 34 & 35
Nigeria Data Protection Act, 2023 s 39, 41 & 46
The General Data Protection Regulation, 2018
Simon Victor “DATA PROTECTION AND COMPLIANCE IN NIGERIA:
CHALLENGES AND OPPORTUNITIES” 2025
GDPR “Consent” https://gdpr-info.eu/issues/consent/
Ibid
Ibid
BarristerNG “Lawyer drags school to court over unsolicited SMS, a test of the Nigeria data protection” https://barristerng.com/ibadan-lawyer-drags-school-to-court-over-unsolicited-sms-a-test-of-the-nigeria-data-protection-act/
Aderonke Alex-Adedipe and Promise Itah “Staying Ahead of The Curve: Navigating Nigeria’s Data Protection Compliance Landscape” 2025
BarristerNG “Lawyer drags school to court over unsolicited SMS, a test of the Nigeria data protection” https://barristerng.com/ibadan-lawyer-drags-school-to-court-over-unsolicited-sms-a-test-of-the-nigeria-data-protection-act/
Nigerian Data Protection Commission (NDPC) general application and implementation directive (GAID) 2025
Debo Akande LLP” The Legality of Nigerian Banks’ Utilization of Customer Data for Marketing Share and Rights Issues Under the Nigerian Data Protection Act 2023” robust date protection as mandated by NDPA is not only essential but an integral pillar for maintaining remain protected https://deboakandellp.com/2024/11/12/the-legality-of-nigerian-banks-utilization-of-customer-data-for-marketin
Simon Victor “DATA PROTECTION AND COMPLIANCE IN NIGERIA:
CHALLENGES AND OPPORTUNITIES” 2025
Ibid
Cloudian “What is Data Protection and Privacy?” https://cloudian.com/guides/data-protection/data-protection-and-privacy-7-ways-to-protect-user-data/
ABOUT THE AUTHOR
Ismail Abdrasheed is a law student at Ahmadu Bello University, Zaria, with a passion for legal writing. He offers a fresh perspective on complex legal issues, making them accessible and engaging for a broader audience. Beyond his legal studies, Ismail is a tech enthusiast, a dedicated legal researcher, and a skilled copywriter. You can reach him at 08163693382 or via email at [email protected].