
Nigeria
Data Protection
Introduction
Prior to the enactment of a subject-specific regulation or law on data protection in Nigeria, a few laws contained data protection elements. For example, section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) (“Constitution”) guarantees the privacy of Nigerians, their homes, correspondence, telephone conversations, and telegraphic communications. This constitutional provision is regarded as the foundation of the data protection framework in Nigeria. However, it is very lean on the granular mechanics of dealing with personal data and regulating the activities of relevant stakeholders.
To address this, the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulations, 2019 (NDPR), followed by the NDPR Implementation Framework, 2020 (“Implementation Framework”) which was issued to offer clarity on the provisions of the NDPR. NITDA served as the regulatory body for the purpose of administering these new subsidiary legislations until 2022.
In February 2022, the Nigerian government issued an executive order establishing the Nigeria Data Protection Bureau (NDPB) as Nigeria’s data protection regulator. However, on June 13, 2023, the Nigeria Data Protection Act, 2023 (NDPA) was enacted, providing a more comprehensive regulatory framework for the protection of personal data in Nigeria. The NDPA also established the Nigeria Data Protection Commission (NDPC), which eventually assumed the powers and duties of the NDPB.
Notably, the NDPA did not repeal the NDPR and the Implementation Framework. However, the NDPA is designed to take precedence over any conflicting provision of the NDPR and the Implementation Framework.
1. What national laws regulate the collection, use and disclosure of personal data?
The principal legislation governing data protection and privacy in Nigeria is the NDPA. Other primary data protection regulations in Nigeria are the NDPR and the Implementation Framework. Save for the aforementioned laws, there are generic and sector-specific rules on data protection and privacy in the following statutes:
- Constitution;
- Child Rights Act, 2003;
- National Identity Management Commission Act, 2007;
- Freedom of Information Act, 2011;
- National Health Act, 2014;
- Cybercrimes (Prohibition, Prevention, etc.) Act, 2015;
- National Cybersecurity Policy and Strategy, 2021;
- Federal Competition and Consumer Protection Act, 2018;
- Nigerian Communications Commission (Consumer Code of Practice) Regulations, 2024; and
- Central Bank of Nigeria’s Consumer Protection Framework, 2016.
2. To whom do the laws apply?
The NDPA applies to a data controller or data processor: (a) who is domiciled, resident or operating in Nigeria; (b) who is not domiciled in Nigeria but is processing personal data of a data subject in Nigeria; or (c) if such processing of personal data occurs within Nigeria (NDPA, section 2).
A “data subject” is defined by the NDPA as an individual to whom personal data relates. Juristic persons are not contemplated under the definition of data subjects in the NDPA.
It is important to note that when determining who qualifies as a data subject, the primary consideration is their residence or domicile, not their nationality. The NDPA applies to Nigerian residents regardless of nationality as well as any data that is processed in Nigeria, regardless of residence and nationality (NDPA, section 2(2)). Essentially, all data processed in Nigeria is covered and protected by the NDPA.
A “data controller” means an individual, private entity, public commission, agency, or any other body who, alone or jointly with other persons, determines the purposes and means of processing personal data. A “data processor” means an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor. Consequently, both natural and juristic persons can be data controllers and data processors.
3. What is the territorial scope of the law?
The NDPA applies to the processing of personal data which occurs both within and outside Nigeria provided the data subject in question resides in Nigeria. See Question 2, above.
4. What acts and operations relating to personal data are regulated?
The term “processing” is used to refer to all acts and operations that are regulated by the NDPA. Under the NDPA, processing includes operations or set(s) of operations performed on personal data including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction (NDPA, section 65). The NDPA expressly excludes the mere transit of personal data originating outside Nigeria from the definition of processing.
5. What personal data does the law regulate?
The NDPA regulates “personal data” such as:
- a name;
- an identification number;
- location data;
- an online identifier;
- one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual (NDPA, section 65); and
- sensitive personal data (defined in Question 6, below).
The NDPA recognises pseudonymisation and other methods of de-identification of personal data (such as anonymisation) as a security measure to be undertaken by data controllers and processors. The definition of pseudonymisation of personal data under the NDPA includes data that can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
6. Are any types of personal data subject to a higher level of protection under the law?
Yes, certain types of personal data are subject to a higher level of protection. These categories of personal data are described as sensitive personal data. The NDPA defines sensitive personal data as personal data relating to an individual’s: (a) genetic and biometric data, for the purpose of uniquely identifying a natural person; (b) race or ethnic origin; (c) religious or similar beliefs, such as those reflecting conscience or philosophy; (d) health status; (e) sex life; (f) political opinions or affiliations; (g) trade union memberships; or (h) other information prescribed by the NDPC (NDPA, section 65). Although the NDPA omitted criminal records from the definition of sensitive personal data, the criminal records of data subjects are still regarded as sensitive personal data by virtue of the NDPR (NDPR, regulation 1.3(xxv)).
In addition to what is required for the processing of personal data, the NDPA stipulates nine lawful bases for processing sensitive personal data. Under section 30(1) of the NDPA, a data controller or data processor cannot process or permit the processing of sensitive personal data unless the processing is:
- with the prior consent of the data subject for the specific purpose for which it is to be processed and the consent has not been withdrawn;
- necessary for the performance of the data controller’s obligations or the exercise of the data subject’s rights under employment or social security laws;
- necessary to protect the vital interest of the data subject or another person, where the data subject is physically or legally incapable of giving consent;
- carried out in the course of its legitimate activities by non-profit organisations;
- necessary for the exercise or defence of a legal claim or obtaining legal advice;
- necessary for reasons of substantial public interest;
- carried out for purposes of medical care or community welfare;
- necessary for reasons of public health and provides for measures to safeguard the fundamental rights of the data subject; and
- necessary for archiving purposes in the public interest.
The NDPC also reserves the prerogative to prescribe further categories of personal data that may be classified as sensitive personal data, further grounds on which such personal data may be processed, and further applicable safeguards.
7. What requirements must be fulfilled in order to process personal data?
Before a data subject’s personal data can be lawfully processed, the data controller or processor must rely on specific lawful bases for the processing of personal data. Section 25(1) of the NDPA provides that personal data processing is lawful where the data subject has given and not withdrawn consent for the specific purpose or purposes for which personal data is to be processed or where it is necessary for:
- the performance of a contract to which the data subject is a party;
- compliance with a legal obligation to which the data controller or data processor is subject;
- the protection of the vital interest of the data subject or another person;
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor; or
- legitimate interests.
Data controllers and processors are obligated to inform the data subject of their right to withdraw consent before it is given (NDPA, section 26(4)), and ensure that the data subject can easily withdraw consent (NDPA, section 35(2)). Consent must be freely given, specific, informed, and form an unambiguous indication of the individual’s agreement to the processing of personal data.
While the NDPA and the NDPR do not state whether the request for consent must be separate from other terms and conditions for using a service, the NDPA requires that requests for consent are in a clear and simple language and accessible format (NDPA, section 26(6)). A data subject may give their consent in writing, orally, or through electronic means (NDPA, section 26(7)). The silence or inactivity of the data subject is not regarded as consent (NDPA, section 26(3)). If the data subject is required to consent to processing that is unnecessary in order to receive or use a service, such consent may not be considered to be freely given (NDPA, section 26(2)).
Before collecting personal data, data controllers and data processors are required to inform the data subjects of their residential or business address, the data subjects’ rights, and the retention period of the personal data (NDPA, section 27(1)–(2)).
Furthermore, the consent of a parent or a legal guardian must be obtained before the personal data of a child (person younger than 18 years) or a person lacking the legal capacity to consent can be processed (NDPA, section 31(1)). The NDPA also mandates data controllers to use technology to verify the age and the consent of the data subject (NDPA, section 31(2)).
It is important to note that the NDPA exempts the consent requirement where the processing is necessary to protect the vital interests, is carried out for purposes of education, medical or social care, or is for proceedings before a court involving the data subject (NDPA, section 31(3)).
We also note that certain categories of processing are exempt from the application of the NDPA. These include processing for crime prevention and prosecution, prevention or control of national public health emergencies, national security, journalism, education, and legal proceedings. Despite these exemptions, requirements such as compliance with the principles of personal data processing, having lawful bases for processing personal data, appointing a data protection officer, and providing notice of a personal data breach still apply to these categories of processing (NDPA, section 3(2)).
8. What obligations apply when processing personal data?
Data controllers and processors have the following obligations when processing personal data:
- to ensure that personal data is processed in a fair, lawful, and transparent manner;
- to ensure that personal data is collected and processed for specified, explicit, and legitimate purposes;
- before the collection of personal data, a data controller is required to inform the data subject of the purpose of the processing, recipients of the personal data, the existence of the rights of the data subjects, and the retention period for the personal data;
- to ensure that personal data is adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected;
- to ensure that the consent of a data subject has been obtained without fraud, coercion, or undue influence;
- where the processing of personal data may result in a high risk to the rights of a data subject, the data controller shall, prior to the processing, carry out a data privacy impact assessment;
- to ensure that personal data is accurate, complete and not misleading, and where necessary, kept up to date considering the purpose for the collection or processing of the personal data;
- to ensure that the processing of personal data is done in a manner that ensures appropriate security of personal data including protection;
- to ensure and regularly update security integrity and confidentiality measures such as pseudonymisation, encryption, and other forms of de-identification of personal data;
- to guard against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach;
- to use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data;
- to erase personal data without undue delay where the personal data is no longer necessary for the purpose for which it was collected or processed, or the data controller has no lawful basis to retain the personal data;
- a data processor, upon becoming aware of a personal data breach, must notify the data controller or the data processor that engaged it of such breach, provide details of the records of personal data and data subjects, and respond to information requests from the data controller or the data processor, as applicable; and
- within 72 hours of becoming aware of a personal data breach, a data controller must inform the NDPC.
(NDPA, sections 24, 25, 27, 28, 30, 39, 40).
9. What rights does the data subject have in relation to personal data?
Under the applicable data protection laws in Nigeria, data subjects have the following rights:
- to obtain confirmation whether the data controller or data processor is storing or processing their personal data;
- to receive information about the purposes of the processing of personal data and the categories of personal data concerned;
- to be informed of the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in other countries or international organisations;
- to access their personal data;
- to withdraw, at any time, consent to the processing of personal data under the NDPA;
- to request the rectification or erasure of personal data by the data controller;
- to restrict or object to the processing of personal data;
- not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces legal or similar significant effects concerning the data subject;
- to data portability which entitles the data subject to: (a) promptly receive personal data concerning the data subject in a structured, commonly used, and machine-readable format; and (b) transmit the personal data obtained under (a) above to another data controller without any hindrance;
- where the personal data was not collected from the data subject, the data subject has the right to receive information about the source of the personal data; and
- to lodge a complaint with the NDPC.
(NDPA, sections 34, 35, 36, 37, 40).
10. What rules regulate the sending of commercial or direct marketing communications?
Personal data may be processed for commercial or direct marketing purposes where the data subject consents to such processing. Save for existing customers of the data controllers who have purchased goods and services from the data controllers, the prior consent of data subjects must be obtained for any direct marketing activity (Implementation Framework, paragraph 5.3.1).
Where personal data is processed for direct marketing purposes, a data subject has the right to object, at any time, to the processing of their personal data, which includes profiling to the extent that it is related to such direct marketing (NDPA, section 36(3); NDPR, regulation 2.8). Where the data subject objects to processing for commercial or direct marketing purposes, the data controller or data processor must ensure that the personal data is no longer processed for such purposes (NDPA, section 36(4)). The data controller or data processor must also ensure they comply with the obligations imposed under the data protection laws in processing and storing personal data obtained for commercial or direct marketing purposes. The personal data obtained must not be kept longer than the period for which it is necessary and the data controller or data processor must ensure that the data is kept up-to-date.
The applicable laws in Nigeria do not explicitly stipulate different rules for different means of direct marketing. Thus, the same obligations apply to all manner of direct marketing.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Before personal data may be transferred from Nigeria to another country by a data controller or data processor, the recipient of the personal data should be subject to laws and regulations that afford an adequate level of protection to the personal data in accordance with the NDPA (NDPA, section 41(1)). Under the NDPA, a level of protection is deemed to be adequate if it upholds principles that are substantially similar to the conditions for the processing of the personal data provided for in the NDPA (NDPA, section 42(1)).
In assessing the adequacy of protection afforded to the personal data, the following shall be considered: (a) availability of enforceable data subject rights; (b) existence of any appropriate instrument between the NDPC and a competent authority in the recipient jurisdiction that ensures adequate data protection; (c) access of a public authority to personal data; (d) existence of an effective data protection law and an independent and competent data protection or similar supervisory authority with adequate enforcement powers; and (e) international commitments and conventions binding on the relevant country and its membership of any multilateral and regional organisations (NDPA, section 42(2)).
Conversely, where there is no adequacy of protection afforded to the personal data, a data controller or data processor may only transfer personal data from Nigeria to another country if:
- having been informed of the possible risks of such transfer, the data subject has provided and not withdrawn consent to such transfer;
- the transfer is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject, prior to entering into a contract;
- the transfer is for the sole benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject or if it is reasonably practicable to obtain the consent, the data subject would likely give it;
- the transfer is necessary for public interest or the exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent (NDPA, section 43(1)).
It is important to note that the transfer of personal data to a foreign country or to an international organisation is under the supervision of the NDPC (NDPA, section 41). The NDPC is empowered to determine whether a country, region or sector affords an adequate level of protection to the personal data of a data subject (NDPA, section 42(4)). The NDPC is also empowered to approve binding corporate rules, codes of conduct, certification mechanisms, or similar instruments for data transfer proposed to it, where the NDPC is satisfied that such instruments meet appropriate data protection standards under the NDPA (NDPA, section 42(5)).
12. What are the investigatory and enforcement powers of the regulator?
The NDPC has the power to investigate: (a) complaints referred to it, where the complaints appear not to be frivolous or vexatious; and (b) on its own accord, where it reasonably believes that a data controller or data processor has violated or is likely to violate the provisions of the NDPA (NDPA, section 46(2) and (3)). For the purposes of investigation, the NDPC is empowered to order a person to: (a) appear before it for oral examination; (b) produce such documents or records as may be required in relation to the matter being investigated; and (c) furnish written statements under oath setting out all relevant information (NDPA, section 46(4)). For the purpose of obtaining evidence in the course of an investigation, the NDPC may apply ex parte to a judge in chambers for the issuance of a warrant to, inter alia, enter and search any premises, stop and search persons found within the premises, and seize, seal or remove anything which amounts to evidence of the commission of an offence under the NDPA (NDPA, section 58(1)).
Where a data controller or data processor has violated or is likely to violate any requirement under any data protection law, the NDPC is empowered to make an order: (a) warning that the act or omission is likely to violate the data protection law; (b) requiring that the data controller or data processor complies with such requirements; or (c) requiring that the data controller or data processor stops or refrains from doing an act, such as the processing of personal data, which violates the statutory requirements (NDPA, section 47(1) and (2)). The NDPC also has the powers to issue enforcement orders or impose sanctions on data controllers or data processors where they violate the provisions of the NDPA or other applicable law (NDPA, section 48(1)).
13. What are the sanctions and remedies for non-compliance with data protection laws?
Non-compliance with data protection laws attracts civil remedies and criminal sanctions. A data subject, who has suffered injury, loss, or harm because of a violation of the NDPA by a data controller or data processor, may institute an action in court and recover damages from such data controller or data processor (NDPA, section 51).
The NDPC is also empowered to impose penalties on defaulting data controllers or data processors and such penalties shall be either of: (a) the higher maximum amount (whichever is the greater of NGN 10 million (approx. USD 6,035) or 2% of its annual gross revenue in the preceding financial year) in the case of a data controller or data processor of major importance; or (b) the standard maximum amount (which is the greater of NGN 2 million (approx. USD 1,207) or 2% of its annual gross revenue in the preceding financial year) in the case of a data controller or data processor not of major importance (NDPA, section 48).
The NDPC may also order that the data controller or data processor: (a) pays compensation to a data subject who has suffered loss, injury or harm as a result of the violation; or (b) accounts for profits realised from the violation (NDPA, section 48(2)). A person who is dissatisfied with an order of the NDPC may apply to the court for judicial review within 30 days after the order was made (NDPA, section 50).
Where the NDPC makes an order and the data controller or data processor fails to comply with such orders, the data controller or data processor shall be deemed to have committed an offence and shall be liable on conviction to: (a) a fine up to the higher maximum amount where the data controller or data processor is of major importance or standard maximum amount where the data controller or data processor is not of major importance; (b) imprisonment for a term less than one year; or (c) both (a) and (b).