Data Protection: An Overview of the Role of state and Non-State Actors


In 2017, The Economist published a bold statement claiming that the world’s most valuable resource is no longer oil, but data[1] At instant sight of this statement, there’s a tendency to argue and discredit it.

But with an enlightened and statistical view, it will be discovered that a majority of the most valued companies in the world deal with data. Top five of these companies include Microsoft, Facebook, Apple, Amazon and Alphabet Inc. (the parent company of Google).[2]

The amount of data we produce every day is so mind-boggling that according to Forbes, there are 2.5 quintillion bytes of data created each day.[3] The internet and smartphones have contributed significantly to making data more valuable, available and abundant.[4]

With the growing adoption of the internet and access to data in this digital age, it is imperative that laws and regulations be put in place to properly control and secure the information being shared online, as this information and data can both be used for beneficial purposes and be vulnerable to improper usage.[5]


It is as a result of this, countries around the globe now prioritize data protection and ensure it’s at the forefront of their agenda.

As part of a collective effort, State and Non-State Actors are saddled with certain roles they must play in ensuring the protection of data and information. Therefore, the objective of this paper is to review the role of State and Non-State Actors in data protection.

 Ensuring Data Protection: What Role Do The State And Non-State Actors Play?


State Actors been the governments of various countries in the world, have an important role to play in data protection. They play their role through legislation and policies. Only 66% of countries in the world have legislation in force, while an additional 10% have draft legislation.[6]

African countries are behind this global trend, with only 52 percent having data protection legislation in force.[7] For example, in Ghana, data protection is regulated under the Data Protection Act, 2012 (DPA) together with Article 18(2) of the 1992 Constitution, which provides citizens with a fundamental right to privacy.[8]

In 2019, Kenya passed Kenya’s Data Protection Act (DPA), which is the primary legislation governing the collection and processing of personal data in Kenya.[9]

In South Africa, the Protection of Personal Information Act 4 of 2013 (POPIA) is the comprehensive data protection legislation enacted to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information. [10]

In Nigeria, there has been no principal Act on data protection. The principal data protection regulation in Nigeria is the Nigeria Data Protection Regulation 2019 (“NDPR”) which is a subsidiary legislation issued pursuant to the National Information Technology Development Agency Act 2007. [11]

Some of the sector-specific legislation that also affects data protection in Nigeria are the Official Secrets Act 1962, the Nigerian Communications Commission Lawful Interception of Communications Regulations, 2019, etc.

The agency responsible for the enforcement of data protection regulations and for the administration of all related data protection matters in Nigeria is the Nigeria Data Protection Bureau (“NDPB”) .[12]

There are also other sector specific regulatory agencies like the Nigerian Communications Commission(NCC) and the Central Bank of Nigeria (CBN) which provide services relating to the protection of data.[13]

Data protection is a wake-up call to all other entities that are not State-owned, as they are not left out. In fact, with top 5 of the most valuable companies in the world dealing with data[14], it shows that a bulk of the data and personal information of people are in the hands of Non-state actors. And so they have a more important role to play in fostering data protection.

In the European Union (EU), the General Data Protection Regulation (GDPR) is also applicable to non-state actors whether the organization data subjects are in or outside the EU.[15]

Each non-state actor must incorporate the guiding principles of data processing prior to data collection, based on article 5 of the GDPR, which places emphasis on the principles of fairness and transparency.[16]

In South Africa, the POPIA regulates the manner in which personal information may be processed by non-state actors through the establishment of minimum threshold conditions that are in line with international standards.[17]

It also provides persons with rights and remedies to protect their personal information from data breaches by non-state actors through the establishment of an Information Regulator to enforce the provisions of the Act.[18]

In Nigeria, the NDPR is applicable to anyone or entity that collects, stores, uses, or shares the data of the citizens of Nigeria.[19]

Although yet to be decided is a suit instituted in 2020 by the Incorporated Trustees of Laws and Rights Awareness Initiative against Zoom Video Communications Inc for non-compliance of Zoom’s privacy policy with the NDPR.[20]

In tandem with the EU GDPR, after the Facebook incident with Cambridge Analytica,[21] it has now created a data policy that describes what information they collect and how it is used and shared.

With Non-State actors highly prone to cyber attacks which can result in the compromise, corruption, or loss of their data, they have a role to play in ensuring every data identified with them are classified and measures like Multi-Factor Authentication, regular renewal of passwords and strong password policy, review user access, etc are put in place to ensure the protection of the information of their data subjects.[22]


  1. Sensitization is needed to make people aware of their rights. The essence of regulation is in doubt if the citizens are unaware of the said regulation.[23]
  2. Creation and adoption of principal laws on data protection in countries all over the globe.
  3. A robust enforcement framework primed to give teeth to the provisions of these legislations should also be put in place.[24]
  4. All Non-State Actors with the personal information of individuals are to ensure such information is processed in compliance with the legislation and regulations in place in each countries in the world.
  5. The obligation to notify the regulatory authority and data subjects in the event of a breach must prescribe specific and certain time frames.[25]


As the concept of data protection continues to evolve, the necessity abounds for its adoption in countries all over the world. There has been the creation and adoption of data protection legislations in developed countries in the world who prioritize data protection.

However, certain developing countries and Africa in particular needs to do better as the concept of data protection still looks like a façade in certain countries in the continent. State and Non-State actors in countries without data protection legislations are to make collective efforts in ensuring laws on data protection are enacted and enforced.

This will go a long way in making data protection become a reality, and its realization sustained.


[1] The Economist, ‘The world’s most valuable resource is no longer oil, but data (The Economist , 6 May 2017) accessed 31 October 2022

[2] Oturu D, “Nigeria: An Overview Of Big Data And Data Protection In Nigeria” (Mondaq)  accessed October 31, 2022

[3] Marr B, “How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read” (Forbes)  accessed October 31, 2022

[4] International Network of Privacy Law Professionals , “AN EXTENSIVE ARTICLE ON DATA PRIVACY AND DATA PROTECTION LAW IN NIGERIA” (INPLP)  accessed October 31, 2022

[5] Omaplex , “THE IMPACT OF REGULATIONS ON DATA PROTECTION IN NIGERIA” (Omaplex Law Firm)  accessed November 2, 2022

[6] Mackenzie  J, “Data Security and Privacy Laws Develop across Africa” (Baker McKenzie)  accessed November 4, 2022

[7] Ibid

[8] “Data Protection in Africa: A Look at OGP Member Progress” (Open Government Partnership, OGP) accessed November 4, 2022

[9] “Data Security and Privacy Laws Develop across Africa” (MODERN GHANA) accessed November 4, 2022

[10] “Data Protection in South Africa” (MichaelPage),right%20of%20access%20to%20information accessed November 4, 2022

[11] Jumoke Lambo and Chisom Okolie , “Data Protection Laws and Regulations Nigeria 2022” (  accessed November 2, 2022

[12] Ibid

[13] “DATA PROTECTION LAWS OF THE WORLD” (DLA, Piper),to%20the%20protection%20of%20data. accessed November 2, 2022

[14] Oturu ( n  2)

[15] Gazi, T. “Data to the rescue: how humanitarian aid NGOs should collect information based on the GDPR.” Int J Humanitarian Action 5, 9 (2020). accessed November 4, 2022

[16] Ibid

[17] Johnstone  S, “The ‘Download’ on Personal Information: The Protection of Personal Information Act and Municipalities” (LOCAL GOVERNMENT BULLETIN)  accessed November 4, 2022

[18] Ibid

[19] “Nigeria – Data Protection Overview” (DataGuidance)  accessed November 4, 2022

[20] Ibid

[21] Confessore  N, “Cambridge Analytica and Facebook: The Scandal and the Fallout So Far” (The New York Times)  accessed November 4, 2022

[22] Cavanagh  C, “Why Is Data Privacy So Important For Media Companies In 2019” (Reuters)  accessed November 2, 2022

[23] Onyiuke  T, “How to Strengthen Nigeria’s Data Protection Regulation” (PUNCH) accessed November 3, 2022

[24] INPLP (N  4)

[25] OGP (n  7)


About the Author 

Stephen Agada is an undergraduate law student of Ahmadu Bello University, Zaria, an avid reader, researcher, and writer with about 2 years of offering bespoke writing and research services across academic fields like law, science & technology, humanities, etc. He can be reached via [email protected]; +2348060415486

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like