Sep 29, 2020

Cementing Data Protection In Nigeria | Assumpta N. Nwaogwugwu*



The novel coronavirus struck in December 2019, and by March 2020, the World Health Organisation (WHO) declared it a pandemic[1]. This declaration inspired nations to impose a lockdown, thus disrupting patterns and methods of living. Although for the good of all, this act was a great inconvenience to people. Ranging from education, to movement, to economic activities, everything stood still. But life is progressive, and as COVID became the world’s new normal, technology and digitalisation were utilised for the advancement of society. Schools for instance embraced online learning, dispute resolution employed the virtual space, social interactions, commercial transactions, webinars, colloquium etc., all recruited internet applications.  Remarkably, the effective operation of all of these is hinged on the processing and security of an essential element called Data. It is the manner of protection afforded to a vital substance like this in Nigeria that is the crux of this work.


Data elevates from minor details easily divulged about ourselves such as our names, age, sex etc. to classified information such as our medical history, trade secrets, credentials etc. however, data in itself is meaningless, it is empowered upon processing. The likes of Facebook, Google, Microsoft, Amazon etc., exemplify the economic benefits to be realised from proper processing of data. Even artificial intelligence owes its efficiency to data processing, but data means different things for different persons.

The National Aeronautics and Space Administration (NASA) defines data to include: observation data ,metadata, products, information, algorithms, including scientific source code, documentation, models, images, and research results.[2] A basic definition provided by the Cambridge dictionary is that: data is information, especially facts or numbers, collected to be examined and considered and used to help decision-making or information in an electronic form that can be stored and used by a computer[3]

 Alarming then it is to know that while such an element could yield beneficial results, misplacement or unauthorised divulgement of it could wreak a great havoc. Does this mean that data should be withheld, unprocessed? No. Instead it should be ensured that persons are informed of who has access to and control over their data. This is of utmost importance because data protection is an extension of the internationally, regionally and nationally guaranteed right to privacy. [4] Data protection has been unanimously agreed to be a measure necessary to deter and curb the abuse of the personal information of individuals, especially children(whom are the most vulnerable category), either by natural or artificial persons; including the government.[5] The non-protection of data is tantamount to the violation of privacy.[6]  So dire is the need for this, that in some climes, data protection has been conferred the status of a right.[7]


Asides from instruments guaranteeing the right to privacy, some instruments specifically govern the protection of data and they include:

                      Organisation for Economic Co-operation and Development (OECD)

                      OECD Guidelines Governing the Protection of Privacy and Trans Border Flows of Personal Data 2013

                      African Union Convention on Cyber Security and Personal Data Protection 2014

  • The Economic Community of West African States Data Protection Act 2010
  • The European General Data Protection Regulations (GDPR)

Thus far, the European GDPR is adjudged the most comprehensive data protection legislation because it fully empowers citizens right to access and erasure of their data. It subjects all data controllers to a legal obligation and penalties for breach of this obligation. Put shortly, this Regulation contains the eight principles of data protection, considered to be the foundation of all data protection legislations. This has earned the Regulation the status of a model for other legislations.

In my dear country Nigeria, data is protected by a plethora of legislations; all limited to an extent. Some of them include: Section 37 of the 1999 Constitution of the Federal Republic of Nigeria, the Freedom of Information Act, the Cybercrimes Act 2011, The Consumer Protection Framework, the National Identity Management Commission Act, Child’s Right Act etc.

 However, a rather notable framework is the National Data Protection Regulation (NDPR) formulated by the National Information Technology Development Agency (NITDA). Clause 1 of this regulation states that it is to safeguard the rights of natural persons to data privacy, to ensure the safe conduct of transactions involving the exchange of personal data, to prevent manipulation of personal data, to ensure that Nigerian businesses remain competitive in international trade; through the safeguards, afforded by a just and equitable legal regulatory framework on data protection and which regulatory framework is in tune with global practices.

The above provision explicitly shows that the drafters of this regulation set out to achieve a regulation strong enough to respond to the global challenges of data protection. To a large extent, this was achieved for as it stands now the Regulation is the most comprehensive legislation on data protection that the country can boast of.  Regrettably, it too is not without flaws.



In order to spell out the loops in the country’s data protection legislation, it is important that we trace it to its roots. Which in this case would be the constitution, the grundnorm. section 37 of the constitution expressly provides that the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected. This provision is incomprehensive because it does not explicitly mention data protection. Only a liberal interpretation of this guarantees data protection. But unfortunately, asides from cases such as and MTN Nigeria Communications Ltd v Barr. Godfrey Eneye[8],  there is a dearth of such application.

The NITDA is a very beautiful initiative enacted in 2007, but as clearly stated in section 6 (c) the act only monitors electronic dissemination of information. This directive was reiterated again in the preamble of the NDPR. The distress here is thus that in a society like Nigeria where citizens are predominantly illiterate and lack access to technology, this Regulation neglects paper-based communications; the manual mode of doing things.

Section 1(a) of the NDPR gives the objective of the Regulation to be the safeguarding of the rights of natural persons to data privacy, but our law also recognises artificial persons to be entitled to legal rights. It would thus be required that as they engaged in digital transactions entailing the transfer of information, they are afforded the protection of the law in securing the data.

 Section 1 (2) (b) also states that this Regulation applies to natural persons of Nigerian descent only. Such provision might hamper the development of the nation’s economy as multinationals are likely to invest in nations with strong data protection laws to guarantee their data security.

Also sections 1 (3) (l) and 2 (13) (3) (a) mention that the data subjects may be requested to pay a reasonable fee for some services. It is uncomfortable that in cognisance of Nigeria’s history of corruption in numerous sectors, such provision should be included without a fixed amount or criteria for arriving at this reasonable amount. Such provision will only lead to the encouragement of bribery amongst the officials and the exploitation of the masses.


The first suggestion is that our courts adopt a liberal approach to section 37. Courts should dismiss the claims of citizens to their rights under this section, as section 6(6)(b) of the constitution empowers the judiciary to act upon all actions and proceedings relating to the determination of any question as to the civil rights and obligations of that person.

As regards the payment of fees by data subjects, it is suggested that the NITDA explicitly states a standard fee to be paid or a standard formula for the calculation of this. This will be resourceful in preventing the extortion of citizens as well as promoting transparency and accountability amongst officials.

In all ramifications, the NDPR is not a holistic legislation because it does not contain the basic eight principles of data protection. it is therefore suggested that there should be the enactment of a data protection act which not only comprises these essentials, makes provisions for children and foreign residents, but also, provides remedies for data subjects when their rights are violated. After all, it is ubu jus, ibi remedium.

Lastly, there should be a defined mechanism for enforcement. This lies in the arm of the executive arm of the government and I suggest that this should be allocated to a neutral body and not the police force since the latter is yet to undergo a reform for the proper discharge of its duties and the protection of lives.



The right to privacy and digital protection is jealously guarded because it is fundamental to the security of life, property and reputation of individuals and even organisations. But as the world becomes a global village and data transfer cuts across geographical boundaries, the violation of this right is highly plausible. Data scandals are reportedly very embarrassing and brand denigrating situations to experience. To prevent further occurrences, it is necessary that Nigeria puts in place robust data protection laws and an effective mechanism. This will defend the rights of citizens and rekindle their passion for the country. Entrenchment of data protection is also a great boost for foreign investment and the revival of the economy.




*Law student of the University of Lagos

[1] Archived: WHO Timeline-COVID-19, 27 April 2020 (accessed 27th September 2020)

[2] EOSDIS GLOSSARY (accessed 27th September 2020)

[3][3] DATA (accessed 27th September 2020)

[4]Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, Article 8 of the European Convention on Human Rights etc. 

[5] GVZH ADVOCATES Data protection vs. the right to privacy (accessed 27th September 2020)

[6] Yvonne McDermott, 2017, Conceptualising the right to data protection in an era of Big Data, SAGE Journals,  

[7] Article 8 of the European Convention on Human Rights for instance

[8] CA/A/689/2013 (unreported)