Nigeria's Data Protection Regime
Context and background
Nigeria, Africa's most populous nation with over 220 million citizens, also boasts the continent's largest economy, one increasingly propelled by a dynamic and rapidly expanding digital ecosystem. Digital transformation has reshaped how Nigerians access financial services, engage in commerce, and interact with government institutions. Nowhere is this transformation more evident than in the financial technology (fintech) sector, where innovations such as mobile money, digital lending, and online banking have extended financial inclusion to previously underserved populations across both urban and rural areas.
Yet, this rapid digital growth has simultaneously magnified concerns around personal data protection and privacy. Vast amounts of user information are being collected and processed daily by fintech firms, e-commerce platforms, telecommunications operators, mobile app developers, and government agencies. In an economy increasingly powered by data, the safeguarding of personal information has become not just a regulatory imperative, but a matter of public trust and national security.
The scope of data collection within Nigeria's digital economy is extensive, often reaching deeply into individuals' private lives. Fintech lenders, for instance, gather detailed personal information such as Bank Verification Numbers (BVNs), transaction histories, SMS logs, contact lists, device identifiers, and geolocation data to assess creditworthiness. E-commerce platforms compile comprehensive consumer profiles based on browsing histories, purchase behaviors, payment details, and demographic data. Telecommunications operators maintain vast subscriber databases containing call logs, location data, and financial transaction records via mobile money services. Meanwhile, government agencies collect citizen information through digital identity programs, tax and electoral systems, immigration services, and e-government platforms.
While this data-driven ecosystem supports financial inclusion, innovation, and improved service delivery, it also exposes individuals to significant risks when personal data is misused, inadequately protected, or accessed without authorization. Before the advent of comprehensive privacy legislation, Nigeria's regulatory environment was fragmented and ill-equipped to address these emerging challenges. Sector-specific rules such as confidentiality obligations under banking and telecommunications laws offered limited protection, lacking a coherent, cross-sector framework grounded in the principles of consent, purpose limitation, and individual rights.
These regulatory gaps were most visible in the digital lending sector, where numerous reports emerged of predatory practices involving unauthorized access to users' contacts, messages, and device data. Some lenders went so far as to harass borrowers' acquaintances when loans were overdue, exploiting the permissions granted during app installation. Such practices not only violated individual privacy rights but also eroded public confidence in digital financial services, undermining the very financial inclusion goals that digital innovation sought to advance.
Positive developments and emerging issues
Nigeria's data protection trajectory mirrors the broader dynamics of rapidly digitalizing economies in the Global South, where technological adoption often outpaces regulatory evolution and institutional capacity. Over the past decade, the country has undergone an extraordinary digital transformation, driven by mobile phone penetration exceeding 100%, widespread internet adoption, and a flourishing fintech ecosystem catering to the nation's large unbanked and underbanked population. This transformation has produced a complex data ecosystem that spans multiple sectors, regulatory mandates, and technological infrastructures. While it has accelerated economic inclusion and service innovation, it has also exposed deep vulnerabilities in privacy protection and data governance.
The financial technology sector encapsulates both the promise and the peril of Nigeria's digital transformation. Digital lending platforms have extended credit to millions of individuals previously excluded from formal banking systems, leveraging alternative data and machine learning algorithms to assess risk. Yet these models often rely on highly intrusive data collection practices, harvesting device information, social media activity, communication patterns, and geolocation data. Weak oversight and limited transparency around data use have intensified concerns about consent, proportionality, and the ethical deployment of emerging technologies.
Similarly, the e-commerce sector has grown exponentially, facilitating billions of dollars in annual transactions while compiling granular consumer behavior data. At the same time, Nigeria's government-led digitization efforts, including the National Identity Management System (NIMS), the Bank Verification Number (BVN) scheme, and multiple e-government service platforms, have established vast repositories of citizen information intended to streamline service delivery and reduce fraud.
However, incidents such as the 2024 XpressVerify scandal, in which sensitive data including National Identification Numbers (NINs), BVNs, driver's licenses, and passport records were discovered for sale online for as little as ₦100, underscored the systemic weaknesses in Nigeria's data governance architecture. The breach highlighted not only the inadequacy of security safeguards but also the urgent need for coherent, enforceable, and transparent data protection frameworks.
Nigeria's initial regulatory response began with the Nigeria Data Protection Regulation (NDPR) of 2019, issued by the National Information Technology Development Agency (NITDA). While the NDPR established foundational data protection principles and compliance obligations, its limited scope, weak enforcement mechanisms, and overlapping institutional roles restricted its impact. The absence of a dedicated authority hindered the regulation's effectiveness in addressing cross-sectoral privacy risks emerging across Nigeria's expanding digital economy.
The most transformative milestone in Nigeria's data protection landscape has been the enactment of the Nigeria Data Protection Act (NDPA) 2023, which replaced the NDPR with a comprehensive, legally binding framework aligned with international standards. The NDPA represents the culmination of extensive multi-stakeholder advocacy, legislative consultation, and policy development, establishing the Nigeria Data Protection Commission (NDPC) as an independent statutory regulator with expanded powers of oversight, investigation, and enforcement.
The transition from a regulatory instrument to a fully-fledged Act marks a paradigm shift in Nigeria's data governance approach, from fragmented, sector-specific oversight to a unified, rights-based framework comparable to the EU General Data Protection Regulation (GDPR). The NDPA codifies seven core data protection principles: lawfulness and transparency; purpose limitation; data minimization; accuracy; storage limitation; security; and accountability. It also enshrines comprehensive rights for data subjects, including access, rectification, erasure, portability, objection to processing, and the right to lodge complaints with the NDPC.
The establishment of the NDPC as an independent enforcement authority has been pivotal in strengthening institutional capacity and regulatory credibility. Unlike NITDA, whose dual mandate created conflicts between technology promotion and data oversight, the NDPC operates exclusively to uphold privacy standards and protect citizens' rights.
Since commencing operations in 2024, the Commission has initiated more than 1,368 investigations across multiple sectors and imposed landmark penalties, setting new precedents for data accountability across Africa. These investigations address systemic issues affecting millions of Nigerian consumers and demonstrate the commission's focus on protecting vulnerable populations from predatory data practices.
A defining example of this enforcement momentum was the $220 million fine imposed on Meta Platforms in 2024 for discriminatory data practices and privacy violations, the largest such penalty ever issued by a regulator in the Global South. This unprecedented action underscored Nigeria's willingness to hold global technology firms accountable under domestic privacy standards. Similarly, Multichoice Nigeria was fined ₦766.2 million for unauthorized cross-border data transfers and inadequate user consent practices, reinforcing the NDPC's commitment to compliance and consumer protection.
Despite significant progress, Nigeria's data protection environment continues to face evolving challenges shaped by technological innovation, cross-border integration, and institutional capacity constraints. The proliferation of artificial intelligence (AI) and machine learning across both public and private sectors introduces complex risks related to automated decision-making, algorithmic bias, and the secondary use of personal data for model training. These technologies often involve extensive data processing that tests the limits of principles such as consent and data minimization.
Cross-border data transfers remain another critical area of concern. As Nigerian organizations increasingly rely on global cloud services and international technology partnerships, compliance with the NDPA's adequacy and safeguard requirements poses both operational and legal complexities. Nigeria's own adequacy recognition by other jurisdictions, particularly the European Union, remains pending, which may affect data flows essential to international trade and investment.
The digital lending sector continues to present persistent privacy risks despite efforts by the Central Bank of Nigeria and other financial regulators to curb abusive practices. The tension between financial innovation and privacy protection remains pronounced, as lenders depend on extensive personal data for credit scoring, raising questions about proportionality, informed consent, and users' ability to exercise their rights.
Government-led digital identity and data integration initiatives, while promising greater efficiency and reduced corruption, have also amplified privacy risks. Efforts to link national databases covering identity, taxation, immigration, and social services introduce single points of failure and magnify the impact of potential data breaches. The XpressVerify incident demonstrated the urgency of stronger cybersecurity measures, inter-agency coordination, and independent oversight.
Emerging technologies such as blockchain, cryptocurrency, and the Internet of Things (IoT) present additional regulatory frontiers. Their decentralized and data-intensive architectures challenge traditional legal frameworks, demanding ongoing dialogue between regulators, innovators, and civil society to ensure that privacy protections evolve in tandem with technological progress.
Legal and institutional framework
As earlier observed, the Nigeria Data Protection Act (NDPA) 2023 represents a landmark achievement in African digital governance, establishing one of the continent's most comprehensive and enforceable data protection regimes. Spanning 155 sections, the Act creates a robust regulatory structure encompassing legal principles, institutional arrangements, enforcement mechanisms, and individual rights. Its broad scope applies to all entities, public or private, local or foreign, that process personal data within Nigeria, or that process the data of individuals located in Nigeria, regardless of the processor's geographic location. This extraterritorial reach ensures that international organizations offering goods or services to Nigerian residents, or monitoring their online behavior, are subject to Nigerian data protection law. The provision aligns Nigeria with international best practice under the GDPR's "targeting and monitoring" test, reinforcing the principle of data sovereignty.
The NDPA harmonizes previously fragmented sectoral laws and embeds privacy protection as a fundamental right rather than a mere compliance requirement. By codifying clear obligations, it provides legal certainty to businesses while ensuring that data subjects retain meaningful control over their information.
The NDPA establishes seven foundational data protection principles that serve as the cornerstone of lawful and ethical data processing:
- Lawfulness and Transparency – All processing must have a legitimate legal basis and be conducted in a transparent manner, ensuring that data subjects understand how their information is used.
- Purpose Limitation – Data must be collected for specified, explicit, and legitimate purposes and cannot be repurposed in ways incompatible with those objectives.
- Data Minimization – Processing should be limited to data that is adequate, relevant, and necessary for the intended purpose.
- Accuracy – Data controllers are obligated to maintain accurate and up-to-date information, correcting or deleting inaccuracies promptly.
- Storage Limitation – Data must not be retained longer than necessary for its intended use, and organizations must implement defined retention and deletion policies.
- Security and Integrity – Controllers and processors must employ appropriate technical and organizational measures to safeguard data from unauthorized access, loss, or misuse.
- Accountability – Organizations bear the ultimate responsibility for demonstrating compliance with all principles through documented governance frameworks and audits.
The NDPA also strengthens data subject rights, empowering individuals to:
- Access their personal data and understand how it is processed;
- Request rectification or erasure of inaccurate or unlawfully held information;
- Object to certain types of processing, including direct marketing;
- Restrict processing under specific conditions; and
- Request data portability where technically feasible.
These rights are supported by accessible redress mechanisms through the NDPC, which can issue binding decisions, enforce compliance, and impose penalties.
The creation of the Nigeria Data Protection Commission (NDPC) as an independent statutory body marks a pivotal advance in institutional governance. Freed from ministerial control, the NDPC possesses a focused mandate encompassing policy formulation, regulatory oversight, investigation, enforcement, and public education. The Commission's independence is safeguarded through secure funding provisions, transparent appointment procedures, and fixed tenures for its leadership. This design aligns Nigeria's institutional model with global regulatory standards, enhancing credibility, continuity, and enforcement autonomy.
Organizations that process large volumes of data or conduct high-risk processing are required to appoint Data Protection Officers (DPOs) with appropriate qualifications and independence. The DPO serves as the compliance focal point within the organization, responsible for monitoring adherence, advising management, and acting as the contact point for both data subjects and the NDPC. This requirement institutionalizes internal accountability and professionalizes data protection compliance as a distinct corporate function.
The NDPA mandates registration for all Data Controllers and Processors of Major Importance (DCPMIs), entities that process personal data of more than 20,000 individuals, generate annual turnover exceeding ₦100 million, or engage in cross-border data transfers. Registration includes submission of detailed processing inventories, risk assessments, and security frameworks. Organizations undertaking high-risk processing such as large-scale profiling, biometric data collection, or processing involving vulnerable groups must conduct Data Protection Impact Assessments (DPIAs) to identify, assess, and mitigate risks before commencing operations.
In the event of a personal data breach, the NDPA requires notification to the NDPC within 72 hours of discovery if the breach is likely to pose a risk to data subjects. Affected individuals must also be informed where the breach presents a high risk to their rights or freedoms. Notifications must outline the breach's nature, scope, likely consequences, and remedial actions taken.
Nigeria's approach to cross-border data flows seeks to balance data sovereignty with economic integration in the global digital economy. The NDPA prohibits transfers to jurisdictions without adequate protection unless appropriate safeguards such as binding corporate rules, standard contractual clauses, or explicit data subject consent are implemented. The NDPC is empowered to conduct adequacy assessments and may designate certain countries or regional frameworks as offering equivalent protection. Nigeria has expressed intent to pursue mutual adequacy arrangements with other African jurisdictions and, eventually, with the European Union, a move that would significantly strengthen its digital trade competitiveness.
The NDPA grants the NDPC a comprehensive suite of enforcement powers, including authority to:
- Conduct audits and on-site inspections;
- Demand access to relevant documents or systems;
- Impose administrative fines and compliance orders;
- Suspend or restrict data processing operations; and
- Refer criminal violations for prosecution.
Penalties are proportionate to the severity of violations. Corporations may face fines ranging from ₦10 million to ₦10 billion, or up to 2% of annual global turnover, whichever is higher, while individuals may be fined between ₦2 million and ₦10 million. Serious breaches involving national security, children's data, or large-scale violations may attract criminal sanctions of up to three years' imprisonment. By combining deterrent penalties with structured compliance support, the NDPC has demonstrated a balanced approach, asserting regulatory authority while promoting collaboration and capacity-building.
However, despite these positive advancements, direct outreach to the regulator to obtain specific enforcement data, institutional capacity details, and regulatory updates did not yield responses. The assessment sought insights into the following areas:
- Availability of a public register listing data controllers and processors, as well as statistics on active versus inactive registrations. While Tanzania has made efforts to establish a registration system, there is limited publicly available information on its implementation and accessibility.
- Information on complaints received, investigations conducted, and penalties imposed, particularly in high-profile cases, remains largely unavailable.
- An assessment of the NDPC's staffing levels, technological resources, budget allocations, and international collaborations to support enforcement efforts.
- Updates on operational guidelines, codes of conduct, and amendments to address emerging privacy and cybersecurity challenges.
- Efforts to educate citizens and businesses on their data privacy rights, complaint mechanisms, and compliance obligations. Nigeria has made commendable efforts in awareness-building initiatives, including training programs for data protection officers (DPOs).
- Insights into compliance audits, proactive investigations, and risk-based monitoring, particularly for high-risk sectors like telecommunications, banking, and healthcare.
Despite these inquiries, regulatory responses were not forthcoming, making it difficult to fully assess the scope of enforcement actions and the overall effectiveness of Nigeria's data protection implementation.
In sum, Nigeria's evolving data protection landscape reflects a maturing digital governance ecosystem that balances innovation with rights protection. The NDPA 2023 and the establishment of the NDPC have positioned Nigeria as a continental leader in privacy regulation, offering a model for other African jurisdictions. Yet, sustained progress will depend on continued institutional strengthening, inter-agency collaboration, and international cooperation, particularly in addressing AI governance, cross-border data flows, and cyber resilience. If effectively implemented, Nigeria's data protection framework can serve not only as a legal safeguard but also as a strategic enabler of trust, inclusion, and sustainable digital growth across Africa.
