DATA PROTECTION FACTSHEET
President: Muhammadu Buhari
2021 Freedom House Score: 45/100
Data protection law? No (the Nigeria Data Protection Regulation, issued as an executive regulation, is not an Act of the National Assembly; however, in October 2022, the Nigeria Data Protection Bureau released a new Draft Data Protection Bill, 2022). Under the NDPR, the Nigeria Data Protection Bureau has been established.
Privacy enshrined in Constitution: Yes, Section 37 of the 1999 Constitution of the Federal Republic of Nigeria provides for the right to privacy.
DPA legislation: In 2019, the National Information Technology Development Agency (NITDA) released the Nigeria Data Protection Regulation (NDPR) to safeguard the rights of Nigerian citizens and to keep Nigerian businesses competitive globally. As of April 25, 2019, all public and private organisations that process personal data must publicise their NDPR-compliant data protection policies, and as of July 25, 2019, organisations must also conduct an initial audit of their privacy and data protection practices. In July 2019, NITDA released the Nigeria Data Protection Regulation 2019: Implementation Framework to help organisations comply with the NDPR. In addition, two draft Bills have been tabled: the Draft Data Protection Bill, 2020, which was eventually abandoned, and the Draft Data Protection Bill, 2022. The NDPR has been criticised for being limited in its efficacy and enforceability because it is not an Act of the National Assembly.
In terms of the NDPR, data subjects have the right to:
- object to the processing of their personal data for marketing purposes;
- access their personal data (and have personal data transferred to another data controller);
- obtain information about the processing of their personal data;
- have their personal data deleted (where certain criteria are met);
- have their personal data corrected;
- restrict the processing of their personal data (where certain criteria are met);
- withdraw consent to the processing of their personal data; and
- lodge a complaint with NITDA or another relevant regulator.
While the principles in the NDPR appear to be well-considered, most countries that enact comprehensive data protection legislation simultaneously create an independent regulatory body to enforce and oversee the legislation. Nigeria has not done so, instead tasking NITDA with the enforcement of the NDPR. It remains to be seen whether the statutorily-mandated scope of NITDA’s authority (to, “develop Regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour and other fields, where the use of electronic communication may improve the exchange of data and information”) is broad enough to allow the agency to perform responsibilities such as imposing fines on entities that violate the NDPR. Furthermore, because NITDA is an executive agency and the NDPR is subsidiary regulation rather than primary legislation, NDPR provisions can be superseded by any Act of the National Assembly.
Under the NDPR, the Nigeria Data Protection Bureau has been established, but the 2022 Draft Bill would also establish the Nigeria Data Protection Commission.
The analysis that follows is based on the 2022 draft Bill unless otherwise specified.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: Yes
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal data means any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.
Sensitive personal data means data relating to:
- genetic and biometric data, for the purpose of uniquely identifying a natural person;
- race or ethnic origin;
- religious or similar beliefs, such as those reflecting conscience or philosophy;
- health status;
- sex life;
- political opinions or affiliations;
- trade union memberships; or
- any other personal data prescribed by the Commission as sensitive personal data
Personal data must be collected and processed for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, and must be:
- adequate, relevant and limited to the minimum necessary for the purposes;
- retained for no longer than is necessary;
- accurate, complete, not misleading and, where necessary, kept up to date; and
- processed in a manner that ensures appropriate security
For personal data processing to be lawful, at least one of the following must apply:
- The data subject has consented to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party.
- Processing is necessary for the controller or the data subject to comply with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject or another individual.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor.
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or data processor.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Partial
Notification to data subject in event of data breach: Partial
Timeframe for notification is specified: Yes
Exceptions exist to breach notifications: Yes
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 7
Maximum term length for members of the DPA (years): 10 (for the National Commissioner; 8 for part-time Members)
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: No
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
For an extra-territorial transfer of personal data to occur, the recipient of the data must be subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection. Alternatively, the transfer may proceed if one of the following applies:
- the data subject has consented to the transfer;
- the transfer is necessary for the performance of a contract to which the data subject is party;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, is for the sole benefit of the data subject, and it is not reasonable to obtain the data subject's consent;
- the transfer is necessary for the public interest or for the establishment, exercise or defence of legal claims; or
- the transfer is necessary to protect the vital interests of the data subject or of other persons incapable of giving consent.
Provides a right not to be subject to automated decision-making: Yes