Data Privacy and Protection under the Nigerian Law – Francis Ololuo

Data Privacy and Protection under the Nigerian Law – Francis Ololuo


The 21st century,
commonly dubbed “the information age” with its greatest invention, the
internet, has brought about fast and easy dispensation of personal information
or data. With an estimated 2.96 billion social media users worldwide, social
media is the greatest accomplice to the speedy dispensation of personal
information around the world.[2] Virtually everybody on the planet has
their personal data i.e., name, address, pictures, email address, bank details,
or medical information online. These data reveal sensitive personal information
that can be exploited to harm users unscrupulously for economic gain. Thus, it
is has become important to protect these data and regulate the way data is
used. One should be able to decide whether or not they want to share some
information, who has access to it, for how long, for what reason and to be able
to modify some of this information, if necessary.[3]

The information age has seen
data exchange become a common feature and an integral part of commercial
transactions. Considering that five of the six largest companies in the world
(Apple, Microsoft, Amazon, Google and Facebook) deal in data and profit off
processing the data of its consumers,[4] it has become imperative to regulate how
that vast amount of personally identifiable data is managed. For instance, the
Google-owned YouTube’s algorithm feeds off personal data (e.g. user
information, likes, searches, etc.) to suggest what videos users may like or
find interesting.

“Knowledge is power, information is

This statement by Robin Morgan became more glaring and profound in the light of
the Facebook-Cambridge Analytica Data Privacy Scandal[5] that shook the world in 2018. Here,
Cambridge Analytica, a political consulting and strategic communication firm
was found to have illicitly collected the personal data and information of
about 87 million Facebook users without their consent for political advertising
purposes (especially in the run-up to the 2016 US Presidential elections). This
scandal amongst other previous data privacy breaches[6] signaled the urgent need to protect
personal data. It prompted the immediate implementation of the EU General Data
Protection Regulation (GDPR)[7] in 2018.

In similar vein, Nigeria has had its own fair share of data privacy breaches.
Notably, the recent case between NITDA[8] and TrueCaller (2019) as well as the case
involving MTN Nigeria Communications Ltd v Barr. Godfrey Eneye (2013) are a few
instances.[9] Data protection is becoming a risk issue
discussed at negotiation stages between companies in different jurisdictions
and data protection has become a tool to encourage confidence in businesses. In
essence, it is important that companies and persons in Nigeria know the laws
governing Data Privacy and Protection in Nigeria and the scope of rights,
duties and responsibilities available to them.

The Legal Framework of Data Privacy and
Protection Laws in Nigeria

Although Nigeria does not
have a specific statute regulating Data Privacy and protection, the NITDA
commendably came up with the Nigeria Data Protection Regulations (NDPR) in 2019
which specifically addresses Data Privacy and Protection in Nigeria. Asides
from the NDPR, there are other laws which touch on Data Privacy and Protection
in Nigeria, which are briefly highlighted below.

The Constitution[10]

Section 37 of Nigeria’s 1999
constitution forms the foundation of data privacy rights and protection in
Nigeria. Section 37 guarantees and protects the right of Nigerians to privacy
with respect to their homes, correspondence, telephone conversations and telegraphic
communications. It deems Privacy in this respect a fundamental right which is
enforceable in a court of law when breached. Prior to the NDPR, most cases of
data privacy breaches were enforced under this section.[11]

The Nigeria Data Protection Regulation
(NDPR) 2019[12]

Albeit a subsidiary
legislation, the NDPR is the major law specifically aimed at addressing data
privacy and protection in Nigeria. The regulation was issued by the National
Information Technology Development Agency (NITDA) in 2019 to comprehensively
regulate and control the use of data in Nigeria.[13] A copycat of the EU GDPR, the
regulation touches on principles of data processing, the requirement of Data
Compliance Officers, requirement of data subject’s consent for collecting and
processing data, requirements for international transfers of data and rights of
data subjects, inter alia. It also prescribes penalty for non-compliance
with the regulation. [14]

The NCC Consumer Code of Practice
Regulation 2007[15]

Part VI of the Nigerian
Communications Commission (NCC) regulation, generally deals with the protection
of consumers’ data in the telecoms sector. Reg. 35 requires all licensees to
take reasonable steps to protect the information of their customers against
improper or accidental disclosures. It prescribes that licensees shall not
transfer this information to a third party except as permitted by the consumer
or commission or by other applicable laws or regulation. Data collected by the
licensee must be such that is reasonably required for business purposes and not
to be kept for longer than necessary. This law extends not only to electronic
or written data but also to verbal data recorded by the licensee.[16] It also provides for notification of the
consumer of the use and disclosure of data obtained from them.

The NCC Registration of Telephone
Subscribers Regulation 2011[17]

Regulation 9 and 10 of the
NCC Registration of Telephone Subscribers Regulation 2011, deals with the data
privacy and protection of subscribers. It provides for confidentiality of
personal information of subscribers stored in the central database or a
licensee’s database.[18] It also provides that these information
shall not be released to a third party nor transferred outside Nigeria without
the prior written consent of the subscriber and commission, respectively. This
regulation also regards the information stored in the Central Database as the
property of the federal government of Nigeria.[19]

The Freedom of Information Act 2011[20]

Section 14 of the Freedom of
Information Act protects personal data. It restricts the disclosure of
information which contains personal information by public institutions except
where the involved data subject consents to its disclosure or where the
information is publicly available. The Act also provides that a public
institution may deny the application for disclosure of information that is
deemed privileged by law (e.g. Attorney-client privilege, doctor-client privilege).

The Cybercrimes (Prohibition,
Prevention, etc.) Act 2015[21]

The Cybercrimes
(Prohibition, Prevention, etc.) Act, Nigeria’s foremost law on cybercrimes
criminalizes data privacy breaches. Generally, this Act prohibits, prevents and
punishes cybercrimes in Nigeria. It prescribes that anyone or service provider
in possession of any person’s personal data shall take appropriate measures to
safeguard such data. [22]

The Child Rights Act 2003[23]

The Child Rights Act
protects the privacy rights of children.[24]  The Act protects and guarantees
the right of every child to privacy, family life, home, correspondence,
telephone conversation and telegraphic communications subject to the
supervision or control of the parents or guardians.[25]

10. The
Consumer Protection Framework 2016[26]

The Central Bank of
Nigeria’s Consumer Protection Framework prohibits financial institutions from
disclosing the personal information of their customers. It also ensures that
these financial institutions take appropriate measures to safeguard customers’
data and necessitates the prior written consent of their customers before
sharing these data with anyone.

11. The
National Identity Management Commission (NIMC) Act 2007[27]

Section 26 of this Act
requires the approval of the Commission before a corporate body or anybody can
have access to data stored in their database. The Act also empowers the NIMC to
collect, collate and process data of Nigerian citizens and residents.

12. The
National Health Act (NHA)2014[28]

The NHA which regulates
health users and healthcare personnel restricts the disclosure of the personal
information of users of health services in their records. It also ensures that
healthcare providers take the necessary steps to safeguard such data.

13. The
Federal Competition and Consumer Protection Act 2019[29]

This Act stipulates that the
Federal Competition and Consumer Commission shall ensure that business secrets
of all parties concerned in investigations conducted by it are adequately
protected during all stages of the investigation or inquiry.[30]

14. Case

Just like many other common
law jurisdictions, judicial decisions are an integral source of law in Nigeria
and although, very few, there are court decisions on data privacy and
protection. Some of these include the cases of Godfrey Nya Eneye v MTN
Nigeria Communication Ltd
[31] and Barr. Ezugwu Anene v Airtel
Nigeria Ltd
.[32] In the former case, the court held that
the unauthorized disclosure of the claimant’s mobile phone number by his
telecommunications service provider (the defendant) and subsequent unsolicited
text messages he received from unknown third parties were violations of his
constitutional right to privacy. A similar verdict was given in the latter
case. Both claimants were awarded damages of N5,000,000 (five million naira),

15. Conclusion

It is laudable that Nigerian authorities through their laws and various
regulations are taking bold steps to protect the personal data of her citizens.
However, despite the array of laws and regulations on data privacy and protection,
the only law that specifically and comprehensively deals with this phenomenon
is the recently announced NDPR by NITDA.

Prior to the NDPR, most laws on data privacy and protection in Nigeria were
industry specific. For instance, the various NCC regulations protect consumers
in the telecommunications sector; the provisions in the Child Rights Act
protects persons under the age of 18 and the Freedom of Information Act
protects personal data in records of public institutions. Therefore, the
establishment of a data privacy and protection law in the form of the NDPR that
transcends industries and category of persons is highly commendable.

The quick implementation and enforcement of the NDPR by NITDA has shown its
seriousness in ensuring compliance with data privacy and protection laws by
data controllers and processors in Nigeria. [33] Another evidence of this is the current
investigation of TrueCaller by NITDA for data privacy breaches[34] alongside the recent investigation of
the Lagos Internal Revenue Service (LIRS) for publishing some Lagos State
taxpayers’ personal information on its website.[35] The establishment of the NDPR and the
activities of NITDA have also helped create awareness about data privacy and
protection amongst Nigerians.

Despite being a huge step in the right direction, the NDPR is not without
criticism. The regulation solely “applies to all transactions intended for the
processing of personal data and to actual processing of personal data
and to natural persons residing in Nigeria or residing outside Nigeria
but of Nigerian descent.”[36] The NDPR applying solely to personal
and natural persons means the regulation excludes other forms
of data and corporate organisations respectively.

Furthermore, some quarters believe the NDPR being a regulation and not a
statute enacted by the National Assembly lacks the requisite force of law
sufficient for addressing such an important subject. Some also believe the NITDA
is not empowered by law within the ambit of Section 6 of the NITDA Act to make
such a regulation.

Nonetheless, Nigeria is one of the few countries that can boast of having data
privacy and protection laws in the world.[37] It is thus apparent the country is
heading in the right direction although there is still room for improvement.


For further information on
this article and area of law, please contact

Francis Ololuo at:
S. P. A. Ajibade & Co., Lagos by

Mobile (+2348112491286) or


Francis Ololuo, Associate Intern Intellectual Property & Technology Law
Department, SPA Ajibade & Co., Lagos, Nigeria.

    Estelle Masse “Data Protection: Why it matters and how to
protect it” (January 25, 2018) available online at:
on January 20, 2020.

    “Facebook data privacy scandal: A cheat sheet” by James
Sanders and Dan Patterson (July 24, 2019) available online at:
accessed on January 20, 2020.

    For instance, in 2014 the personal information of over
3billion Yahoo users was unlawfully accessed by hackers – CNN Business: “Every
Single Yahoo Account  was Hacked – 3 Billion in all” (October 4, 2017)
available online at
accessed on 4TH February, 2020

    The European Union General Data Protection Regulation
2016/679 is the EU’s major law on Data Protection and Privacy is aimed at
protecting natural persons within the EU with respect to the processing of
personal data and on the transfer of such data outside the EU.

    National Information Technology Development Agency (NITDA)
is Nigeria’s foremost agency responsible for regulating data privacy and
protection in Nigeria.

    CA/A/689/2013 (Unreported).

   The Constitution of the Federal Republic of Nigeria 1999 (as
amended). Act No. 24, 5 May 1999.

   See the case of Barr. Ezugwu Emmanuel Anene v. Airtel Nigeria Ltd,
Suit No: FCT/HC/CV/545/2015 (Unreported).

   A regulation made by the NITDA pursuant to Section 6 of the NITDA
Act. Available on
accessed on 27th January, 2020.

NITDA is empowered by section 6(a) of the NITDA Act (2007) “to create a
framework for the planning, research…evaluation and regulation of Information
Technology practices, activities and systems in Nigeria.”.

   For a review of the NDPR, see “Data Protection Regulation 2019 –
The New Law” by Yimika Ketiku and Dolapo Bolu, available online at:
accessed on January 20, 2020.

   Nigerian Communications Act 2003, Federal Republic of Nigeria
Official Gazette No. 87 (10th July, 2007) Vol. 94.

   Regulation 35(3), CPC 2007.

   Federal Republic of Nigeria Official Gazette No. 101 (7th November
2011) Vol. 98.

   Regulation 9(2).

   Regulation 5.

   Federal Republic of Nigeria Official Gazette (28th May)
Vol.98. Available on
accessed on 28th January, 2020.

   Federal Republic of Nigeria Official Gazette (15th May)
Vol. 102. Available on
accessed on 28th January, 2020.

   Section 21.

   Child’s Rights Act No 26 of 2003 (Federal Republic of Nigeria
Official Gazette No 26, Vol.90). Available on
accessed on 28th January, 2020.

   persons under the age of 18.

   Section 8.

   Pursuant to its powers under section 2(a) and 33(1)(b) of the CBN
Act 2007, the CBN released the Consumer Protection Framework 2016 on 7th
November 2016. Available on
accessed on 28th January, 2020.

   National Identity Management Commission Act No 23 of 2007 (Federal
Republic of Nigeria Official Gazette No 23, Vol. 94). Available on
accessed on 28th January, 2020.

   Federal Republic of Nigeria Official Gazette No. 145 (27th
October, 2014) Vol. 101.

   Federal Republic of Nigeria Official Gazette No 18 (1st
February 2019) Vol. 106.
accessed on 28th January, 2020.

   Section 34(6).

   Appeal No: CA/A/689/2013 (Unreported).

   Suit No: FCT/HC/CV/545/2015 (Unreported).

In December 2019, NITDA threatened to issue a Notice of Non-compliance and to
publish the names of companies that default in filing their Initial Data
Protection Audit Report within the prescribed timeline. See
, accessed on 30th January, 2020.

   Wole Olayinka “The People v Big Tech: Nigerian takes TrueCaller to
Court for Alleged Violation of Privacy Rights” 30th September 2019
accessed on 30th January,2020.

   James Kwen “NITDA says LIRS breaches Nigeria Data Protection
Regulation” 27th December, 2019
accessed on 30th January, 2020.

   Article 1.2 of the NDPR 2019.

   Other countries/regions include the EU, Canada, Brazil, China,
Angola, Argentina, Australia and Cape Verde.

First published here 

Duty of service providers to reveal customer information

Duty of service providers to reveal customer information

The right of individuals
to protect their data is very sacred and fundamental. Section 37 of the 1999
Nigerian Constitution provides that; “the privacy of citizens, their
homes, correspondence, telephone conversations and telegraphic communications
is hereby guaranteed and protected”.

The Nigerian Communications
Commission also provides
that all licensees must take reasonable steps to protect customer information
against “improper or accidental disclosure” and must ensure that such
information is securely stored. It also provides that customer information must
“not be transferred to any party except as otherwise permitted or required by
other applicable laws or regulations”.

 This right is however constantly at logger
heads with government intrusion, as governments and security agencies are always
looking for ways to collect, intercept and interpret user data for security and
administrative reasons. 
An international
illustration was the legal battle between mobile phone giant, Apple and the U.S
government, when Apple refused to help F.B.I investigators gain access to an
iPhone used by Syed Rizwan Farook in the December, 2015, mass shooting in San
Bernardino, Calif. Apple argued, that such access could create a permanent way
to bypass iPhone password protection for law enforcement officials or even the
spy agencies of other countries[i]
Sadly, if the above
scenario were to play out in Nigeria, the outcome may not have been as eventful
as the Apple case, as service providers in Nigeria usually cooperate with
directives from security agencies to give out customer user information and
data. This is as a result of the provisions of the Cybercrimes Act, 2015 which
mandates the service providers to do so. 
Does this mean all user
data are not protected? Certainly not. User information is protected in-line with
the fundamental right to privacy under the Nigerian Constitution. However, does
this mean all user data is accessible by security agencies in Nigeria? The
answer is yes. 
By virtue of Section 38 of
the Cybercrimes Act, 2015, service providers are mandated to keep all traffic
data and subscriber information as may be prescribed by relevant authority, for
a period of 2 years. Furthermore, service providers shall, at the request of
the relevant authority or any law enforcement agency preserve, hold or retain
any traffic data, subscriber information, non­-content information, and content
data; and release any such information upon request.  It is worthy of note that the law prescribes
that any person who contravenes the above mentioned law shall be liable to 3
years imprisonment or  fine of up to N7,000,000 (Seven Million Naira) or both. 
Section 39, also empowers
security agencies by virtue of a court order, to request that electronic
communications of service users be intercepted, collected or recorded. The
above makes it clear that security agencies most likely have unbridled access
to customer information in Nigeria and if Mr. Syed Rizwan Farook had been in Nigeria,
the service providers will most likely have handed his information on a platter
to the FBI. 
As seen in Section 40 of
the Cybercrimes Act, service providers have a duty to disclose information
requested by any law enforcement agency or otherwise render assistance
howsoever in any inquiry or proceeding under this Act. Such duties include – 
(a) the identification, apprehension and prosecution of
the identification, tracking and tracing of proceeds of any offence or any property,
equipment or device used in the commission of any offence; or
the freezing, removal, erasure or cancellation of the services of the offender which
enables the offender to either commit the offence, hide or preserve the proceeds
of any offence or any property, equipment or device used in the commission of
the offence. 
Any service provider who
contravenes these provisions commits an offence and shall be liable on conviction
to a fine of not more than N10,000,000.00.
Also, each director, manager or officer of the service provider shall be liable
on conviction to imprisonment for a term of not more than 3 years or a fine of
not more than N7,000,000.00 or to both
such fine and imprisonment. With such stringent statutory provisions of the
law, hardly will any service provider put up a fight in Nigeria as Apple did in
the US. 
In Conclusion, the court
held in FRN V. DANIEL, (2011) LPELR-4152(CA); that –
“Undoubtedly, by virtue of the provision of
section 37 of the 1999 constitution, the privacy of every Nigerian Citizen, the
home, correspondence, telephonic and other telegraphic communications are
cherishingly guaranteed and protected. However, notwithstanding the provision
of section 37 (supra), section 45(1) of the 1999 constitution has provided in
unequivocal terms that nothing in sections 37, 38, 39, 40 and 41 thereof shall
invalidate what appears to be reasonably justifiable in a democratic society –
(a) in the interest of defence, public safety,
public order, public morality or public health; or
(b) for the purpose of protecting the rights and
freedom of other persons.”
Adedunmade Onibokun, Esq.
Adedunmade is the Principal
Partner of Adedunmade Onibokun & Co., a corporate commercial law firm
located in Lagos, Nigeria. He can be reached via and

[i] [i] New York
Times. (2016). Breaking Down Apple’s iPhone Fight With the U.S. Government.
Last accessed 29th November, 2016.