Nigeria rises to the occasion: Nigeria’s Data Protection Act (short history)

Raise your hand if (before reading the title of my post) you thought Nigeria had no data privacy legislation. 

Two weeks ago, both my hands would have been high in the air. To my rescue, I assumed Nigeria probably had some legislation but not a very comprehensive one. And six years ago, I would have been right.

Before 2019, Nigeria had no dedicated data protection and privacy laws. Instead, we relied on two things: (1) A constitutional provision in Section 37 of the 1999 Constitution guaranteeing: 

“The privacy of [Nigerian] citizens, their homes, correspondence, telephone communications and telegraphic communications.”

And (2) a patchwork of sector-specific regulations, for example legislation on financial institutions, children’s rights, cyber crimes, telecoms and so on.

The problem? First the sector-specific regulations only applied to certain entities (mentioned above). Thus many data collectors who are popular in Nigerian economic life were excluded from compliance. For example, fintech startups like Flutterwave, digital lending and money conversion platforms, online marketplaces like Jumia, all of these entities that collect massive amounts of data from Nigerians were essentially given free roam to collect, process, and store our data.

As for the constitutional provision that guarantees citizen privacy, it was too broad to be used as safeguard in Nigeria’s judicial system. What does citizen privacy mean? Do entities require a legitimate interest before collecting citizen data? Can citizens request their data to be forgotten/ erased? Under what circumstances is the privacy of citizens not guaranteed? The constitution was silent on these important questions; thus, making it difficult for Nigerians to challenge corporations and take control of their privacy.

Well… that all changed in 2019.

Nigeria introduced its first comprehensive privacy regulation: the Nigeria Data Protection Regulation (NDPR). It was a major step forward.The NDPR provided a guideline with obligations specifying how data collectors/processors could collect a citizen’s data. It also granted data subjects, within Nigeria, several rights, such as the right to access, correct, and delete their personal data.

However, the NDPR had its weaknesses. Most importantly, it did not have extraterritorial reach. This simply means that companies outside Nigeria, e.g Facebook, or any foreign app, were not legally bound by it even though they process the personal data of Nigerians. For example, think about when you create an instagram account within Nigeria, or as a Nigerian citizen living in another country, if Instagram mishandled your data (as a Nigerian citizen), you could not hold them accountable using Nigeria’s laws.

So Nigerian lawmakers went back to the drawing board.

What emerged was Nigeria’s ambitious attempt to protect its citizens’ digital rights through an overarching consumer data protection regulation: the Nigeria Data Protection Act (NDPA), enacted in 2023. This law officially replaced the NDPR and represents Nigeria’s entry into the global data-protection arena.

In the next post we will dive deeper into Nigeria’s 2023 Data Protection Act, its most important provision, how it compares to global heavyweights like Europe’s General Data Protection Regulation (GDPR), and what this law means for Nigerian citizens and the increasing salience of Artificial intelligent systems in our world.