Your Rights Under Nigeria’s Data Protection Act

Every day, we click “I agree.”

We accept privacy policies we have not read, we allow cookies onto our devices without thinking about what they collect, and in all honesty, the only cookies that most of us truly understand are the edible kind.

Behind those annoying pop-ups and quick taps, however, sits a legal framework that now governs how your personal information is handled in Nigeria.

In 2023, the Nigeria Data Protection Act was enacted to provide a comprehensive structure for the protection of personal data and to establish the Nigeria Data Protection Commission as an independent regulator.

Before this act, data protection was governed mainly by a regulation issued in 2019. It introduced useful compliance expectations, but it did not create a fully independent statutory commission or a detailed enforcement regime backed by primary legislation.

The 2023 Act changed that. It places data protection squarely within federal law and creates an institutional authority empowered to investigate, issue compliance orders, impose penalties, and receive complaints.

What Counts as Personal Data

The Act applies broadly to the processing of personal data, whether automated or not, and whether carried out by Nigerian entities or foreign entities processing data of people in Nigeria.

Personal data includes any information that can identify you directly or indirectly. Your name, phone number, email address, NIN, BVN, location data, IP address, employment history, health information, and biometric identifiers. If it can reasonably be linked back to you, it falls within scope.

Certain categories such as health data, biometric data, and other sensitive information are subject to stricter conditions. These cannot be processed freely and generally require explicit consent or another clearly defined legal basis.

The Rules That Govern Data Processing

At the heart of the act are principles that apply to anyone handling personal data.

Data must be processed lawfully, fairly, and transparently. It must be collected for specific and legitimate purposes, limited to what is necessary, should not be retained longer than required, and must be accurate and protected against unauthorized access, loss, or misuse.

Organizations cannot simply collect data because it is convenient or commercially useful. They must rely on a lawful basis. That basis may be consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, or legitimate interests that do not override your rights.

Consent is not implied, and silence does not count. Pre-ticked boxes do not automatically satisfy the requirement, and statutorily, the organization relying on consent bears the burden of proving that it was freely and properly given.

Your Rights as a Citizen

The Act gives individuals clear rights in relation to their personal data.

You have the right to know whether an organization is processing your data and why. You can request access to the data held about you and obtain a copy in a usable format. You can ask for corrections where the information is inaccurate or incomplete. (S34 (1) (a))

You may request deletion where the data is no longer necessary or where there is no lawful basis for continued retention. You may withdraw consent at any time, and it must be as easy to withdraw as it was to give. (S34 (1) b))

You also have the right to object to certain forms of processing, particularly direct marketing. If a company is profiling you or making decisions solely through automated systems that significantly affect you, the law provides safeguards, including the possibility of human intervention. (S36(1))

The Act establishes a complaint mechanism before the Nigeria Data Protection Commission and provides for enforcement measures and civil remedies. (S46 — S50)

Security and Breaches

Organizations are required to implement appropriate technical and organizational measures to secure personal data. This includes protections against unauthorized disclosure, destruction, or loss. (S39)

Where a data breach occurs and it poses a risk to individuals, the Commission must be notified within a defined timeframe. In serious cases, affected individuals may also need to be informed. (S40(2))

Large-scale data controllers are required to designate a data protection officer to oversee compliance internally. Data protection is meant to be embedded within corporate governance structures, not outsourced to the fine print. (S32)

The Courts Are Beginning to Engage

Privacy litigation is also beginning to take shape in Nigeria. In Falana v. Meta Platforms Inc. & Ors., issues around cross-border processing, profiling, and the commercial use of personal data have come into sharper focus.

We will examine that decision in a forthcoming #casefiles entry because it raises important questions about jurisdiction, enforcement reach, and the economic value of personal information.

I anticipate that we will see more data protection and consumer privacy-related cases and decisions in the coming years, which will only serve to create a more robust jurisprudence in this field.

Why This Matters

A few months ago, a friend of mine reached out to me, telling me that a loan app had started circulating his images widely across numerous social platforms and sending messages to his contacts, informing them that he was homosexual and a carrier of a sexually transmitted infection (STI), both of which, of course, are untrue and, either way, would be a breach of his privacy.

For a very long time, fraudulent and misleading practices like this have been allowed to run amok, unchecked and unfettered. The promulgation of this act (with proper enforcement, of course) allows persons who have fallen victim to uncouth companies such as the one in this scenario to pursue legal remedies under a more robust framework.

When a loan app accesses your contacts without a clear legal basis, the act is implicated. When a hospital mishandles medical records, the act is implicated. When a company retains your employment file indefinitely, the act is implicated. When a platform uses automated systems to profile you for targeted advertising, the act is implicated.

Data protection is no longer an abstract concept; it governs everyday interactions between individuals and institutions.

Of course most of us will still click “I agree" to whatever data collection policies are presented to us upon the installation of an app. I sincerely don’t reckon that this habit will disappear overnight.

However, the fact that you click does not mean organizations can do whatever they like. The law now sets boundaries, and those boundaries are enforceable.