Data Protection in Nigeria



Data protection is the process of safeguarding important information from corruption, compromise or loss. Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of companies to use the data of individuals. 


Nigeria, till date, does not have a comprehensive legal framework on the protection of personal data. This does not mean that there are no laws that seek to protect the personal data of individuals and corporate entities, however. 

The 1999 Constitution of the Federal Republic of Nigeria (as amended)[1], the Child Rights Act 2003, the Freedom of Information Act 2011, theCybercrimes (Prohibition, Prevention, Etc.) Act 2015 and National Identity Management Commission Act, 2007 are different pieces of legislation that exist to protect the privacy of individuals and corporate bodies, with exceptions being in instances where consent has been given or the personal data of an individual is required in legal or judicial processes; particularly for the prevention and detection of crime.

Apart from the broad legislation highlighted above, there are industry specific regulations whose objective is to ensure the protection of the personal data of individuals as it pertains to that particular industry. Regulations like the Consumer Code of Practice Regulations 2007, the Consumer Protection Framework and the Nigerian Communications Commission Registration of Telephone Subscribers Regulation 2011 attempt at ensuring the protection of the personal data of individuals and corporate organisations in the telecommunications and financial industry respectively.

Furthermore, the NITDA, a statutory agency charged with the responsibility of developing information technology in Nigeria has pursuant to Section 6 of the NITDA Act created Guidelines. The most recent is the NITDA Guidelines of 2017. 

Also pending before the National Assembly are two data protection bills namely the Personal Information and Data Protection Bill and the Electronic Transactions Bill. These bills, if passed into law, would be most comprehensive legislation on data protection as they would extend to previously unchartered territory in the Nigerian data protection sphere. 

Unlike Nigeria which does not have a comprehensive framework on data protection, the European Union has, with the passing into law of the General Data Protection Regulation on the 25thday of May, 2018, taken a head start in the race to the protection of the personal data of individuals.

The GDPR aims to strengthen the control that individuals have over their data and improve transparency about how that data is processed. Its provisions apply extraterritorially to all business entities that target EU citizens and residents anywhere in the world. 

From the foregoing, the provisions of the GDPR are binding on all non-EU (including Nigerian) entities that offer goods and services to persons within the EU territory regardless of whether or not they have offices within the EU. Such entities are bound by the Regulation as long as they collect, process, store and control “personal data” or “sensitive personal data” of EU citizens and residents. 

This regulationprevents apps or websites from using your details without your consent having been sought and obtained, introduces new data subject rights like “the right to be forgotten” and “right to be informed”, puts limits on the use of the profiling of an individual’s data andprescribes heavy penalties for non-compliance.  

It is arguably, till date, the most comprehensive legal framework on data protection in the world.

The US, on the other hand, has about 20 sector specific or medium-specific national privacy or data security laws, and hundreds of such laws among its 50 states and its territories. Some of the most prominent federal privacy laws in the US are the Federal Trade Commission Act, the Financial Services Modernization Act, the Health Insurance Portability and Accountability Act, The Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act. These laws regulate the collection, use and disclosure of personal data in the financial, e-commerce and health industry. In addition, the Judicial Redress Act 2016 allows citizens of certain ally nations (notably, EU member states) the right to seek redress in US courts for privacy violations when their personal information is shared with law enforcement agencies.

In the United States, individuals are encouraged to sue in court for privacy violations in an individual or class action. The various laws also prescribe penalties which range from fines to prison terms, depending on the severity of the default.


A cursory look at the regimes in the European Union and the United States shows that there are several enforcement mechanisms in place which range from fines to prison terms, all of which are enforced appropriately. The Nigerian data protection regime pales in comparison as there is little or no penal structure in place. 

Also our data protection laws should encourage individuals to sue in court for privacy violations in the form of individual or class actions, as provided in various pieces of legislation in the United States of America and the EU’S GDPR. 

Furthermore, there should be an increased awareness on data protection; what it entails and how individuals can seek redress where their privacy rights are violated. Corporations should also be made aware of the need to protect the data of persons in their custody, and the consequences of a failure to do so.

There is also the need for a comprehensive legislative framework on data protection in Nigeria which would be in tune with the technological and telecommunication developments of the 21stcentury.

The relevance of comprehensive data protection legislation cannot be overemphasised. It would bring about transparency and accountability in the way and manner the industry operators deal with individual’s sensitive data. It would also introduce uniformity and certainty in the country's data protection regime.  

If ever there was any time to have a comprehensive data protection legislation, the time is now.


[1]Section 37

Published on Friday, September 14, 2018
Viewed 2789 times