EFENUDU ILUEZI, Studies Fellow, National Judicial Institute, Abuja (Email:  )



Data privacy is an increasingly critical issue in the digital age, with individuals’ personal information becoming more vulnerable to misuse and unauthorized access. In Nigeria, data privacy preservation holds significant importance in safeguarding citizens’ rights and ensuring a secure and trustworthy digital environment. As the country continues to embrace digital transformation and the widespread use of technology, protecting personal privacy becomes imperative to foster trust, facilitate economic growth, and uphold human rights.


In recent years, Nigeria has witnessed a surge in the adoption of digital platforms and services, from e-commerce and social media to mobile banking and telecommunication. While these advancements offer numerous benefits and conveniences, they generate vast amounts and categories of personal data which if mishandled can have severe consequences such as identity theft, financial fraud, and reputational damage. Therefore, it is crucial to establish robust legal and regulatory frameworks prioritizing data privacy and ensuring the responsible use and protection of personal information.


The Nigerian Constitution guarantees the right to personal privacy, protecting citizens’ homes, correspondence, telephone conversations, and telegraphic communications. The Nigeria Data Protection Regulation (NDPR) enacted in 2019 provides guidelines for data protection, consent, purpose limitation, data security, data subject rights, and enforcement mechanisms. Despite these legal protections, Nigeria faces challenges due to rapid technological advancements, evolving cyber threats, and limited awareness about data privacy rights.


In light of these considerations, this essay examines the legal framework for data privacy in Nigeria, the fundamental principles governing its protection, the challenges faced, and the measures necessary to enhance data privacy. A comparative analysis of data privacy frameworks in other jurisdictions will also be conducted to draw valuable insights and lessons that can inform and shape Nigeria’s data privacy landscape. By prioritizing the preservation of data privacy, Nigeria can establish itself as a leader in data protection, fostering trust and confidence in the digital ecosystem while respecting individuals’ right to personal privacy.



As stated in Section 37, the constitutional right to privacy aims to safeguard citizens’ homes, correspondence, telephone conversations, and telegraphic communications. It also serves to protect the overall rights and freedoms of citizens.


The Cybercrime Act of 2015 addressed the prevention, detection, response, investigation, prohibition, and prosecution of cybercrimes and related matters. The Act establishes criteria for law enforcement and security agencies when requesting and using private data information. Section 38 mandates service providers to retain traffic data and subscriber information for two years, using it solely for legitimate purposes with due regard to individuals’ constitutional right to privacy and appropriate measures to preserve data confidentiality. Additionally, the Act penalizes unauthorized access to computer systems, with hackers facing fines of up to N10 million or imprisonment of up to 5 years, depending on the nature of the hack. Recognizing ethical hacking as a legitimate profession, organizations holding sensitive data should be compelled to engage their services to identify vulnerabilities.


Numerous other government institutions have regulations addressing privacy within their specific domains. For instance, the National Identity Management Commission (NIMC) Act of 2007 prohibits the disclosure of registered information, except under particular circumstances, such as national security or crime prevention, as specified by the Commission. The 2016 Central Bank of Nigeria (CBN) Consumer Protection Framework ensures the confidentiality of customer information but allows disclosure in certain situations required by the CBN or other regulatory bodies. The Credit Reporting Act of 2017 safeguards credit information with consent requirements but permits disclosure for credit-related purposes or compliance with court orders or regulatory requirements.


Additionally, the Child Rights Act of 2003 guarantees children’s privacy rights, with provisions for parental supervision. The National Health Act of 2014 upholds healthcare users’ information confidentiality, laying down specific conditions for disclosure and measures to prevent unauthorized changes or copying of health records.


Primarily however, Data Protection Act 2023 was signed into law in Nigeria on June 12, 2023, marking an important step towards comprehensive data protection legislation. The Act introduces principles common to international data protection frameworks and includes special provisions. It establishes a new category of “data controllers and processors of major importance” and emphasizes a “duty of care.” The Act has extraterritorial reach, limits legitimate interest as a legal basis for data processing, and strengthens data subject rights. It also brings structural changes to the data protection authority and co-exists with the existing Nigeria Data Protection Regulation.


In all, individuals must control their data through informed consent, purpose limitations, protection obligations, and data subject rights. Organizations must obtain explicit consent before collecting and processing data and individuals should be allowed to withdraw consent.



 Misuse of “Valid Interests”: The Data Protection Act 2023 allows data processing based on “valid interests.” This provision might be exploited by some data controllers and processors to evade their responsibilities as outlined in the Act.

  • No Definite Timeframe for Rights Requests: The Act does not specify a clear and defined period within which data controllers are required to address rights requests from data subjects. This lack of a timeframe has the potential to hinder transparency and accountability in data processing.
  • Concerns over Commission’s Autonomy: There are concerns about the autonomy of the Nigeria Data Protection Commission due to the President’s authority to appoint and remove key members. This power dynamic could potentially influence the Commission’s decisions and compromise its independence.
  • Data Breaches: Data breaches pose a significant challenge in terms of threatening data privacy, exposing personal information to unauthorized access and misuse, potentially leading to identity theft and financial fraud.
  • Lack of Awareness: Many individuals lack awareness about their data privacy rights and responsibilities. This lack of awareness makes them vulnerable to privacy infringements and hinders their ability to effectively exercise their rights.
  • Inadequate Enforcement and Penalties: Inadequate enforcement mechanisms and penalties can weaken data privacy protection. Without strong enforcement, organizations may not have sufficient incentives to comply with data protection regulations, potentially leaving individuals’ data vulnerable to misuse.



To comprehensively address these identified challenges and contribute to strengthening data privacy protection in Nigeria, the following recommendations are made:

  • The Act is amended to provide a clear and comprehensive definition of what constitutes “valid interests” to prevent its misuse and oversight mechanisms be implemented to monitor and review data processing activities based on “valid interests” to ensure compliance with the Act.
  • The Act should specify a reasonable timeframe within which data controllers must address rights requests from data subjects, promoting transparency and accountability. Implement penalties for data controllers who fail to respond within the stipulated timeframe to incentivize timely responses.
  • Options are explored to enhance the independence of the Nigeria Data Protection Commission, such as limiting the President’s authority to appoint and remove key members and implementing mechanisms for external oversight of the Commission’s decisions and actions to ensure checks and balances.
  • Enforcement of stringent cybersecurity measures to prevent data breaches, including encryption, regular security audits, and regular employee training.
  • Prompt mandatory organisation report of data breaches to the Commission and affected individuals to facilitate timely action.
  • Launch comprehensive public awareness campaigns to educate individuals about their data privacy rights and responsibilities, the inclusion of data privacy education in school curricula and workplace training programs.
  • Review and increase penalties for non-compliance with data protection regulations to create stronger deterrents.
  • Allocate more resources and personnel to the Commission for effective enforcement and monitoring of data protection compliance.



Data privacy is paramount in Nigeria to protect individuals’ rights and foster trust in the digital ecosystem. The legal framework, including constitutional provisions and statutory laws such as the NDPR, provides a foundation for data privacy protection. However, technological advancements, data breaches, lack of awareness, and enforcement gaps must be addressed. Strengthening the legal framework, enhancing enforcement mechanisms, and promoting education are essential for adequate data privacy protection. By prioritizing data privacy, Nigeria can ensure the right to personal privacy and establish a secure and trustworthy digital environment for its citizens.




NOTE: The section on legal Briefs is a forum for frank and open scholarly notes by research staff and guest contributors. Views expressed in these notes are personal to the authors and are not to be attributed to the Centre.


JURITRUST Centre for Socio Legal Research and Documentation invites submission of short articles from VOLUNTEER CONTRIBUTORS who are interested in sharing their perspectives on salient issues in the administration and development of the Nigerian Criminal Justice System, comparative systems and related issues. CLICK HERE find out how to send us your articles. Thank you

Juritrustlaw We would like to show you notifications for the latest news and updates.
Allow Notifications