The Legal Framework for Data Protection in Nigeria and Possible Implications for Security and the Economy

The past few years have witnessed a buzz in the use of the words ‘data’, ‘big data’ and ‘data protection’. With Nigeria keying into this development, the first Big Data Economy Summit took place on October 12, 2017 and had representatives from Diamond Bank, MTN, Data Science Nigeria and other nationally prominent organisations.
The use of data or big data has however been around much longer. In fact, the earliest records of using data to track and control businesses date back to 7,000 years ago when accounting was introduced in Mesopotamia in order to record the growth of crops and herds.
What then is Data? The Cambridge Dictionary defines data as “information, especially facts or numbers, collected to be examined and considered and used to help decision-making or information in an electronic form that can be stored and used by a computer.”

These information can be anything from a name, an address, a photo, videos, audios, images, click streams, online transactions, logs, an email address, bank details, posts on social networking websites, medical information etc. The Forbes Technology Council noted that if we burned all of the data created in just one day onto DVDs, you could stack them on top of each other and reach the moon – twice.
This huge availability of data is what the term ‘Big Data’ refers to. Big data is a term that describes data available in high volume, high velocity, and/or high variety.

How does “who wins or loses a match” in the Premiership on a Saturday affect mobile data usage behaviour? How can Lagos traffic be optimised for effective logistic distribution? These questions and many more are some of the things big data can answer and solve. Companies are now taking advantage of data insights to improve decision-making, enter new markets, and deliver better customer experiences.

In Nigeria, has developed a chatbot that uses AI to understand user requests, understand user spending habits and prevent fraud. Telecommunications companies such as MTN and Globacom integrate data analysis in their business in order to better understand the customer.
With the importance ascribed to data, it is therefore important that laws be established to protect personal data and safeguard its security.


The following are legislations that impacts data protection in Nigeria and form the Nigeria data protection legal framework:
The 1999 Constitution of the Federal Republic of Nigeria (as amended): Data protection and privacy is an extension of the fundamental right of citizens to privacy guaranteed under Section 37 of the Constitution.
The Nigeria Data Protection Regulation 2019 (‘the Regulation’). The Regulation was issued by the National Information Technology Development Agency (NITDA) on the 25th of January, 2019. It is made by virtue of the NITDA Act 2007, the principal Act. The Regulation repealed the Data Protection Guidelines 2013 (‘the Guidelines’). The Regulation aims at protecting the personal data of all Nigerians and non-Nigerian residents in Nigeria.
The Regulation provides for the rights of the Data Subject, guides and put in check the Data Controller (the person or persons who determine how personal data is processed) and provides for the roles of the Data Protection Officer (a person designated by the Data Controller to implement the Regulation).
The Regulation provides and set the guidelines for the transfer of Data to third party countries and also provides for penalties for failing to comply with the Regulation.
The Freedom of Information Act 2011: The Freedom of Information Act is not a data protection law, but section 14 of the Act protects personal data.  The section restricts disclosure of personal records without obtaining consent.
The Nigerian Communications Act 2003: By virtue of the powers conferred by the NCA 2003 on the Nigerian Communications Commission (NCC), regulations that touch on data protection in the telecommunications industry have been made by NCC.  These regulations are the General Consumer Code of Practice Regulation, the Registration of Telephone Subscribers Regulations (‘RTS Regulation’) 2011, and the Nigerian Communications (Enforcement Process, etc.) Regulation 2005.
The Child Rights Act 2003: The Act through section 8 reinforces the constitutional rights of the child, including privacy rights under section 37 of the 1999 Constitution. 
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (Cybercrimes Act): Under the Cybercrimes Act, abuse and misuse of data for fraudulent purposes are criminalised.  Service providers have a duty of record retention and data protection. 
The National Identity Management Commission Act 2007 (NIMC Act): By virtue of section 31 of the NIMC Act, the National Identity Management Commission (NIMC) powers include the power to provide for the collection, collation, and processing of data and any other relevant information.
The Credit Reporting Act 2017: In the financial sector, the Act amongst other things protects the confidentiality rights of data subjects, including the right to consent and the right to accurate personal information.
The National Health Act 2014
: In Nigeria’s health sector, the Act requires health service providers to keep a record of patients’ personal information by storing every user’s health records safely and in strict confidentiality.
Consumer Protection Framework (the “Framework”) 2016: One of the provisions of this Act as introduced by the Central Bank of Nigeria (CBN) is that it protects consumer assets and privacy.

With the enormous data being generated in the world, estimated at 2.5 quintillion bytes every day, this huge value of data is increasingly becoming attractive to governments, companies and also hackers. Data is now subject to cyber threats. In September 2018, there were reports that a cyber-attack exposed Uber’s data from 57 million customers and drivers. Facebook also had its share of cyber-attack in September 2018 as 90 million Facebook user accounts were exposed by a security breach in the UK.

Coming home, due to a growing number of internet connected devices such as smartphones in Nigeria, the implication of data and data protection, as it relates to security is critical. If a huge volume of data gets to the wrong hands, this breach can wreak havoc to individual finances and the economy. Withdrawals can be made from bank accounts including widespread identity theft, impersonation amongst others.
This is why there is a general obligation to ensure the security of personal data. The NDPR requires that anyone involved in data processing or the control of data must have security measures to protect such data. These security measures include protecting systems from hackers, setting up firewalls and storing data securely etc.

Data can also be used as a shield in national security. The tracking and combating of terrorist group can be achieved through analyzing the data generated from their activities, which leave traces via phone calls, e-mail and logs from those networks.
Leveraging data can also boost Nigeria’s economy. The ability to draw information from millions of different sources is especially beneficial to developing countries with a predominance of rural areas and poor institutional capacity, as it has the potential to better lives by forecasting poverty and shared prosperity through mobile phone data, using satellite imagery to monitor and map electrification of rural areas, to better understand the targets of financial inclusion and climate smart agriculture, to name a few. Having a stable and broad data protection legal framework is therefore critical to attracting investments. A stable and elaborate data protection regime will ensure the availability and accessibility of more data which in turn results in effective service delivery and boosts investors’ confidence in the economy.

The 21st century is an era of data. Although there is no single principal data protection law in Nigeria which covers all areas of data, the author submits that economic growth can be achieved with the proper implementation and enforcement of all the available laws highlighted above. A careful concerted effort by data protection authorities is therefore required.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like