Data Protection Regulation in Nigeria and Prospect in Digital Age

Data Protection

Now that the world has gone digital, data is believed to be the new oil of the 21st century. Due to this increase in the value of data over the years, it became imperative that a law be created to regulate its use.

Laws and Regulatory Agency

  1. The 1999 Constitution
  2. The National Information Technology Development Agency (NITDA)
  3. Nigeria Data Protection Regulation 2019

The 1999 Constitution

Section 37 of the 1999 Constitution states that;

The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.

The 1999 Constitution which is the ‘grundnorm‘ recognizes and provides for the right to privacy of the citizens of Nigeria. This right to privacy forms the basis for the creation of laws that will help perpetuate and or protect the privacy of Nigerian citizens.

The National Information Technology Development Agency (NITDA)

The National Information Technology Development Agency (NITDA)

This is an agency created by the National Information Technology Development Agency Act. They function as the ICT arm of the Federal Ministry of Communication under the Federal Republic of Nigeria. Their services ranges from Data Protection to Domain Registration.

They are the body responsible for the creation of the Nigeria Data Protection Regulation (2019).

Recognizing that many public and private bodies have migrated their respective businesses and now drive service delivery through digital systems, the National Information Development Agency (NITDA) was statutorily mandated by the NITDA Act 2007 to inter alia, develop regulations for electronic interchange and other forms of electronic communication in different sectors of government. This was in the hopes that the use of electronic communication may improve the exchange of data information.

Thus information system has indeed become critical information infrastructure which must be safeguarded and regulated and protected against atrocious breaches. 

The Nigeria Data Protection Regulation (2019)

The Nigeria Data Protection Regulation (2019)

There are four things to note when reading the Nigeria Data Protection Regulation 2019.

  1. The definition of Data under the Act.
  2. The meaning of Personal Data.
  3. Who are Data Subjects?
  4. Who are Data Controllers.

Definition of Data under the Act

The Act defined Data as;

characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device.

What is Personal Data?

Personal Data is defined by the Act to mean;

any information relating to an identified or identifiable natural person whether it relates to his or her private, professional or public life. It includes any information which can be used to distinguish or trace an individual’s identity such as names, addresses, photographs, email address, bank details, social networking details, medical information or computer IP address.

Article 2.1 of the Nigeria Data Protection Regulation (2019) laid down rules regarding Personal Data;

In addition to the procedures laid down in this Regulation or any other instrument
for the time being in force, Personal Data shall be:
a) collected and processed in accordance with specific, legitimate and lawful
purpose consented to by the Data Subject; provided that:
i. a further processing may be done only for archiving, scientific research,
historical research or statistical purposes for public interest;
ii. any person or entity carrying out or purporting to carry out data
processing under the provision of this paragraph shall not transfer any
Personal Data to any person;
b) adequate, accurate and without prejudice to the dignity of human person;
c) stored only for the period within which it is reasonably needed, and
d) secured against all foreseeable hazards and breaches such as theft,
cyberattack, viral attack, dissemination, manipulations of any kind, damage by
rain, fire or exposure to other natural elements.

(2) Anyone who is entrusted with Personal Data of a Data Subject or who is in
possession of the Personal Data of a Data Subject owes a duty of care to the
said Data Subject;
(3) Anyone who is entrusted with Personal Data of a Data Subject or who is in
possession of the Personal Data of a Data Subject shall be accountable for his
acts and omissions in respect of data processing, and in accordance with the
principles contained in this Regulation.

By this Article, the Act not only protects Personal Data and its use, it also holds accountable all those who are entrusted with Personal Data in the event that they breach the duty of care owed by them.

Who are Data Subjects?

Data Subjects are defined by the Act as;

an identifiable person or one who can be identified directly or indirectly by reference to an identification factor this contemplates only natural persons legal persons such as companies are exempted controversially.

Article 2.3 of the Act mentions the need for the consent of Data Subjects (among other things) to be given before Personal Data can be collected from the Data Subject.

Article 2.4 states;

No consent shall be sought, given or accepted in any circumstance that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conduct.

By doing this, the Act protects people from Data Controllers who have improper motives towards their Data Subjects and holds them accountable to their third parties.

Who are Data Controllers?

They are;

any organisation that controls data, persons or entity who whether alone or with another determines the purposes and means of processing personal data.

Article 2.5 of the Act requires Data Controllers to display a privacy policy which is clear, simple and conspicuous to their targeted Data Subject. It also mentioned relevant information (in addition to the ones included by the Data Controller) that must be contained in the Privacy Policy.

The Data Controller is responsible for the Data Security of the Personal Data of its Data Subjects. Article 2.6 of the Act

Breach of Data Privacy

Article 2.10 of the Act provides the penalty for breach of the Data Protection Regualtion;

Any person subject to this Regulation who is found to be in breach of the data privacy right of any Data Subject
shall be liable, in addition to any other criminal liability, to the following:

a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of
Annual Gross Revenue of the preceding year or payment of the sun of 10 million Naira, whichever is greater;

b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.


It is clear that the world has gone digital and there is no slowing down as more and more technological breakthroughs and applications keep popping up. It would be detrimental to us not only individually but as a community to not ride the coattails of digitalization. Now that people no longer need to earn money the traditional way, let us get acquainted with the laws and regulations guiding this fast moving train we call Technology.

Written by:

Maurice Oru Ebam and Onyinyechi Ezeoke

Leave a Reply

Your email address will not be published. Required fields are marked *