Nigeria

The Nigerian Data Protection Regulations (NDPR) was passed in 2019. Two additional bills (the Data Protection Bill and the Digital Rights and Freedoms Bill) are currently being debated, however, that would add to the landmark legislation. The concept of data protection is still relatively new to Nigeria, though, and civil society efforts aim now to educate policymakers and the public to help guide enforcement and implementation.

To learn more about data protection topics and programming in Nigeria, take a look at the Bolivia resource page here, or browse resources via specific categories below

Nigeria Resources

Digital Rights and Privacy in Nigeria

Tags - Country Context, Introduction to Data Protection, Legal Framework
Nigeria
English

Paradigm Initiative, 2021

This report explores the state of digital rights and data privacy in Nigeria. It outlines how personal data is collected and retained, and how privacy can be breached by both private and state actors; the legal and regulatory framework, and how this functions in practice; and ongoing efforts and recommendations to better protect Nigerians' digital rights and privacy.

The Right to Privacy in Nigeria

Tags - Advocacy, Engaging Government, Strategic Litigation
Nigeria
English

Privacy International, 2018

Privacy International and Paradigm Initiative bring their concerns about the protection and promotion of the right to privacy in Nigeria before the Human Rights Council for consideration in Nigeria’s upcoming review. The document contains several observations on topics like state surveillance, lack of proper legislation on data protection, etc.

State of Internet Freedom in Nigeria 2019

Tags - Country Context
Nigeria
English

CIPESA, 2019

This research documents the trends in government internet controls between 1999-2019 in Nigeria, tracking key trends in recent years, analyzing the key risk factors, and mapping notable developments on data protection and privacy legislation and users’ understanding of protecting their privacy online.

Paradigm Initiative vs. NCC

Tags - Engaging Government, Strategic Litigation
Nigeria
English

Paradigm Initiative, 2020

Paradigm Initiative filed a complaint to a judicial court to order a stop to the blocking of SIM Cards that are not registered with the national identity document number. This is in order to protect the rights to privacy and access to communications.

Looking to understand existing case law to guide advocacy and strategic litigation?
Interested to learn more about the status of data protection in Nigeria?
Click below for more resources to inform advocacy, community building, enforcement, and other topics in support of rights-respecting data protections.
What does the legal landscape look like in Nigeria?

The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.

Exclusive Statute

There is no exclusive statute governing data protection at this point in time. There is, however, a subsidiary legislation called the Nigeria Data Protection Regulation (NDPR), 2019, under the NITDA Act.

The NITDA Act empowers the National Information and Technology Agency (NITDA) to issue guidelines to cater for electronic governance and monitoring the use of electronic data exchange. Deriving from this provision, NITDA then developed and issued the Nigeria Data Protection Regulation, 2019. A significant feature of the NITDA Regulation is that it is a data privacy and protection-specific body of rules as opposed to it being an ancillary provision in a legislation whose primary objective is not data protection.

Features of Regulation

The NDPR was passed with the objectives to safeguard the rights of persons to data privacy, to foster safe conduct for transactions involving the exchange of personal data, to prevent manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection. The NDPR also lays down data subject rights, the importance of consent in data processing, the responsibilities and obligations of the data protection officers, and the norms for an audit process.

Related Draft Legislations

Three bills concerning the same have been issued. These are the Data Protection Bill, 2020, HB504 and HB564 (HB stands for House Bills). It is uncertain which of these bills will eventually be passed. There is, however, a subsidiary legislation called the Nigeria Data Protection Regulation (NDPR), 2019.

On 11 July 2019, the NITDA issued a draft version of the Nigeria Data Protection Regulation 2019: Implementation Framework (the “Draft Framework”). The Draft Framework focuses on the implementation of the Data Protection Regulation particularly in the areas of compliance and enforcement. The Draft Framework provides for the registration of Data Protection Compliance Organizations (DPCOs), who will provide auditing and compliance services for data controllers by the NITDA. Under the Draft Framework, the categories of persons who can be DPCOs include professional service consultancy firms, information technology service providers, Audit firms and law firms subject to certain qualifications. Its latest version is dated November 2020.

Although the NDPR is aimed at covering a “data protection” gap in Nigeria, the scope of application is very limited. It applies mostly to private sector organizations that deal with personal data and only has the power to impose fines. Some of the biggest data processors in Nigeria are Government agencies and no laws exist to particularly check and sanction any indiscriminate use of personal data.

Features of the Draft Bill 

Of the three draft bills, the (Draft) Data Protection Bill, 2020, has provisions very similar to the NDPR.  The Bill would apply to the collection, storage, processing and use of personal data relating to persons residing in Nigeria and persons of Nigerian nationality, by automated and non-automated means. However, Section 35 of the Bill would provide exemptions in situations of public order, public safety, public morality, national security, public interest, the prevention or detection of crime, the apprehension or prosecution of an offender, the assessment or collection of a tax or duty or of an imposition of a similar nature; or publication of a literary or artistic material. Generic terms such as “public safety and security” are often used by governments to justify usually unjustifiable actions.

The Bill provides that an independent Data Protection Commission may make regulations and guidelines to prescribe exemptions for the processing of personal data to assess a person’s suitability for employment by government or appointment to a public office.  The 2020 draft bill was the most relevant of all previous attempts because it is the most recent, the one that seems to have more political will attached and  varied stakeholder interests inputted. However in November 2021 the Federal Government called for consultants to draft a new bill.

Related and Sector-Specific Laws

The Nigerian Constitution protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication. Data privacy and protection are thus extensions of a citizen’s constitutional rights to privacy.

Other laws that contain sector-specific provisions for data protection include:

 

The National Identity Management Commission (NIMC) Act, 2007

The Child Rights Act (CRA), 2003

The Freedom Of Information Act, 2011 (FOIA)

Cybercrimes (Prohibition, Prevention Etc) Act, 2015 (CPPA)
Central Bank Of Nigeria Consumer Protection Framework, 2016 (CPF)

The Nigeria Communications Commission (Registration Of Telephone Subscribers) Regulations, 2011 (NCC Regulations)

The Credit Reporting Act, 2017 (CRPA)

Features of Enforcement 

In enforcing the NDPR, the NITDA has its focus entirely on private institutions within certain sectors where the only sanctions are fines. Meanwhile,there is excessive personal data collection by the government that is yet to see the legal scrutiny of data protection principles.

Composition and oversight of the regulatory body

The National Information Technology Development Agency (NITDA), can be said to be the “self-appointed” data protection regulator in Nigeria. Its operations fall under the Ministry of Communications and Digital Economy, this means that the agency is not independent of the government. This means that the sanctions outlined under the regulation cannot be used against the biggest data controllers in Nigeria, which are other government agencies.

The NITDA has the mandate to create frameworks for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices in Nigeria. In line with this mandate, issued the Nigeria Data Protection Regulation (NDPR) in January 2019.

Exclusive Statute

There is no exclusive statute governing data protection at this point in time. There is, however, a subsidiary legislation called the Nigeria Data Protection Regulation (NDPR), 2019, under the NITDA Act.

The NITDA Act empowers the National Information and Technology Agency (NITDA) to issue guidelines to cater for electronic governance and monitoring the use of electronic data exchange. Deriving from this provision, NITDA then developed and issued the Nigeria Data Protection Regulation, 2019. A significant feature of the NITDA Regulation is that it is a data privacy and protection-specific body of rules as opposed to it being an ancillary provision in a legislation whose primary objective is not data protection.

Features of Regulation

The NDPR was passed with the objectives to safeguard the rights of persons to data privacy, to foster safe conduct for transactions involving the exchange of personal data, to prevent manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection. The NDPR also lays down data subject rights, the importance of consent in data processing, the responsibilities and obligations of the data protection officers, and the norms for an audit process.

Related Draft Legislations

Three bills concerning the same have been issued. These are the Data Protection Bill, 2020, HB504 and HB564 (HB stands for House Bills). It is uncertain which of these bills will eventually be passed. There is, however, a subsidiary legislation called the Nigeria Data Protection Regulation (NDPR), 2019.

On 11 July 2019, the NITDA issued a draft version of the Nigeria Data Protection Regulation 2019: Implementation Framework (the “Draft Framework”). The Draft Framework focuses on the implementation of the Data Protection Regulation particularly in the areas of compliance and enforcement. The Draft Framework provides for the registration of Data Protection Compliance Organizations (DPCOs), who will provide auditing and compliance services for data controllers by the NITDA. Under the Draft Framework, the categories of persons who can be DPCOs include professional service consultancy firms, information technology service providers, Audit firms and law firms subject to certain qualifications. Its latest version is dated November 2020.

Although the NDPR is aimed at covering a “data protection” gap in Nigeria, the scope of application is very limited. It applies mostly to private sector organizations that deal with personal data and only has the power to impose fines. Some of the biggest data processors in Nigeria are Government agencies and no laws exist to particularly check and sanction any indiscriminate use of personal data.

Features of the Draft Bill 

Of the three draft bills, the (Draft) Data Protection Bill, 2020, has provisions very similar to the NDPR.  The Bill would apply to the collection, storage, processing and use of personal data relating to persons residing in Nigeria and persons of Nigerian nationality, by automated and non-automated means. However, Section 35 of the Bill would provide exemptions in situations of public order, public safety, public morality, national security, public interest, the prevention or detection of crime, the apprehension or prosecution of an offender, the assessment or collection of a tax or duty or of an imposition of a similar nature; or publication of a literary or artistic material. Generic terms such as “public safety and security” are often used by governments to justify usually unjustifiable actions.

The Bill provides that an independent Data Protection Commission may make regulations and guidelines to prescribe exemptions for the processing of personal data to assess a person’s suitability for employment by government or appointment to a public office.  The 2020 draft bill was the most relevant of all previous attempts because it is the most recent, the one that seems to have more political will attached and  varied stakeholder interests inputted. However in November 2021 the Federal Government called for consultants to draft a new bill.

Related and Sector-Specific Laws

The Nigerian Constitution protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication. Data privacy and protection are thus extensions of a citizen’s constitutional rights to privacy.

Other laws that contain sector-specific provisions for data protection include:

 

The National Identity Management Commission (NIMC) Act, 2007

The Child Rights Act (CRA), 2003

The Freedom Of Information Act, 2011 (FOIA)

Cybercrimes (Prohibition, Prevention Etc) Act, 2015 (CPPA)
Central Bank Of Nigeria Consumer Protection Framework, 2016 (CPF)

The Nigeria Communications Commission (Registration Of Telephone Subscribers) Regulations, 2011 (NCC Regulations)

The Credit Reporting Act, 2017 (CRPA)

Features of Enforcement 

In enforcing the NDPR, the NITDA has its focus entirely on private institutions within certain sectors where the only sanctions are fines. Meanwhile,there is excessive personal data collection by the government that is yet to see the legal scrutiny of data protection principles.

Composition and oversight of the regulatory body

The National Information Technology Development Agency (NITDA), can be said to be the “self-appointed” data protection regulator in Nigeria. Its operations fall under the Ministry of Communications and Digital Economy, this means that the agency is not independent of the government. This means that the sanctions outlined under the regulation cannot be used against the biggest data controllers in Nigeria, which are other government agencies.

The NITDA has the mandate to create frameworks for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices in Nigeria. In line with this mandate, issued the Nigeria Data Protection Regulation (NDPR) in January 2019.

Predominant Hurdles In Implementation

The lack of independence of the NITDA is a major issue in proper implementation of the subsidiary regulation, given that the government collects large swathes of citizens’ personal data. Red-tapism, rigidity, centralization, excessive bureaucratic layers are an issue in every aspect of governance.

Furthermore, the proposed Draft Data Protection Bill, 2020 makes way for excessive government intervention and control.

Key National Issues in the Field

Chief among data protection issues in Nigeria is excessive government collection of biometric data. The Federal Road Safety Corps (FRSC) collects biometric data of individuals before issuing drivers’ licenses. The Nigeria youth service corporation (NYSC) collects biometric data for every Nigerian graduate of higher institutions who must undergo a mandatory youth service. The Nigerian Immigration Service also collects data for passports, while the Independent National Electoral Commission (INEC) has the data of people who apply for voters’ cards. Banks and, by extension, the Central Bank of Nigeria also harvest biometric data through the process of providing Bank Verification Numbers (BVN). Yet, the governance structure of data protection and privacy seems unreliable. Private sector actors handle data as well, however tech players in Nigeria are not operating on a large enough scale to be of concern yet.

An updated SIM card policy published by the NCC in May 2021 has highlighted that it intends to implement a Centralised Equipment Identity Register. This was dropped after a substantial public outcry against the idea.

It is worth mentioning that data protection does not rank high in political discussions, as in a developing country matters like electricity, job creation, water, affordable health care and housing are the most pressing.

Key National Issues in the Field

Chief among data protection issues in Nigeria is excessive government collection of biometric data. The Federal Road Safety Corps (FRSC) collects biometric data of individuals before issuing drivers’ licenses. The Nigeria youth service corporation (NYSC) collects biometric data for every Nigerian graduate of higher institutions who must undergo a mandatory youth service. The Nigerian Immigration Service also collects data for passports, while the Independent National Electoral Commission (INEC) has the data of people who apply for voters’ cards. Banks and, by extension, the Central Bank of Nigeria also harvest biometric data through the process of providing Bank Verification Numbers (BVN). Yet, the governance structure of data protection and privacy seems unreliable. Private sector actors handle data as well, however tech players in Nigeria are not operating on a large enough scale to be of concern yet.

An updated SIM card policy published by the NCC in May 2021 has highlighted that it intends to implement a Centralised Equipment Identity Register. This was dropped after a substantial public outcry against the idea.

It is worth mentioning that data protection does not rank high in political discussions, as in a developing country matters like electricity, job creation, water, affordable health care and housing are the most pressing.

Data protection is a relatively new concept in Nigeria that is gaining more traction with time. With various government initiatives that have collected biometric data, new private actors and tech companies on the scene, data protection advocacy has become a necessity.

Goals

Current advocacy focus is on increasing awareness about data protection and pushing for the passage of the Data Protection Bill.

Challenges

Lack of political will when it comes to implementing the Data Protection Bill, pervasive government interference in civil society work, and a restrictive bureaucracy stall advocacy efforts in Nigeria.

Hear from Paradigm Initiative

Paradigm Initiative has been conducting advocacy promoting data privacy in the country with ADAPT since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.

Nigeria Podcasts

EPISODE 3

Pushing Towards Data Protection: An Advocate’s Guide by Privacy is Global

EPISODE 2

A Three Tier Look into Data Protection in Nigeria

Nigeria Blog Posts

25 minutes /
This report is one of three reports funded through the ADAPT project that explore how data is used and abused by governments and non-state actors alike, and how users can better advocate for their privacy. How does one build resistance to datafication with those already at the front lines of fighting gender inequality? The report, based on research conducted by...
Chenai Chair

Chenai Chair

30 minutes /
Since 2018, over sixty countries around the world have enacted or proposed new data protection laws, with those numbers steadily increasing each year. Data protection regulatory bodies and agencies are entrusted with massive responsibilities to enforce these newly passed laws across all sectors of society- often while significantly under-resourced with small budgets and skeleton staff. Many countries continue to grapple...
ADAPT

ADAPT

12 minutes /
The fourth workshop of the Data Privacy Learning Series took place on March 10th, 2022, and discussed regional coordination among civil society organizations in the Global South to advance data protection. The discussion departed from concrete cases and built on some of the points made in previous workshops, especially regarding advocacy strategies and campaigns carried out by ADAPT partners which...
Data Privacy Brazil

Data Privacy Brazil

12 minutes /
When discussing data protection regulations, particularly the passage of comprehensive data protection laws, the issue of what falls within scope and what exemptions exist to circumvent them often arises. This comes into focus in reviewing the cases in which personal data processing for the purposes of public security, national defense or criminal persecution are weakened or completely excluded from the...
Data Privacy Brazil

Data Privacy Brazil