Unveiling some salient features of Nigeria’s novel Nigeria Data Protection Act (NDPA) 2023.

For a period, the Nigeria Data Protection Regulation (NDPR) 2019 was the reference point for data privacy and protection compliance in Nigeria. The enactment of the Nigeria Data Protection Act (“NDPA”) on June 12, 2023 launched a new era in the data privacy and protection regime. The Act laid to rest several controversial provisions, brought clarity to uncertainties, and contained several brand new provisions which shall form the crux of this article.

As earlier noted, the NDPA resolved several controversies stemming from the NDPR 2019, and contained several new provisions. In this article, the most notable provisions in the NDPA shall be examined.

a) Creation of a Data Protection Authority

The National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) 2019, and was the supervising authority for the NDPR from 2019 until 2022. Any breach of the NDPR was construed as a breach of the National Information Technology Development Agency (NITDA) Act 2007. The Federal Government of Nigeria in February 2022 approved the establishment of the Nigeria Data Protection Bureau (NDPB), and the NDPB acted as the data protection authority until the Nigeria Data Protection Act was enacted in June 2023. The NDPB was widely regarded as lacking the statutory backing to legitimately enforce the NDPR while it existed. This issue has been laid to rest by section 4 of the NDPA which establishes the Nigeria Data Protection Commission (NDPC), and clothes it with independence by virtue of section 7 of the NDPA. The NDPC is responsible for the implementation of the NDPA and has powers to issue fines, and carry out searches and seizures among others, upon obtaining a warrant from a Judge.

b) Alteration of the categories of Sensitive Personal Data

The categories of personal information that constituted sensitive personal data under Article 1.3 of the NDPR were expanded by section 65 of the NDPA to include genetic and biometric data. This was a significant introduction, as the processing of biometric data in Nigeria is a key activity that allows individuals to gain access to critical financial and social services with financial institutions. It was also a requirement to exercise several civic rights such as the right to vote, and also to access public tertiary education. It is worth noting that the NDPA excluded criminal records from the sensitive personal data category, but the NDPC by virtue of section 30(2) of the NDPA reserves the right to expand the categories of personal data that will constitute sensitive personal data.

c) Legitimate Interest Provision

Legitimate Interest as a legal basis for processing personal data was introduced into the Nigeria data privacy and protection regime by virtue of section 25(1)(v) of the NDPA, to the relief of data controllers. This basis was absent under the NDPR 2019, and data controllers could only rely on consent, the performance of contract, compliance with a legal obligation, vital interests and public interest as the basis for processing personal data. It must be noted that processing on the basis of legitimate interest will only be considered valid if such processing does not override the fundamental rights, freedoms and the interests of the data subject; is not incompatible with other lawful bases of processing under; or the data subject has a reasonable expectation that the personal data would be processed in the manner envisaged.

d) Data Privacy Impact Assessment (DPIA)

In view of the large amounts of personal data processing that goes on in Nigeria in the private and public sectors, and against the backdrop of being the most populous black nation in the world, this introduction was a necessary innovation in the NDPA. Section 28(1) of the NDPA compels data controllers to conduct data privacy impact assessments (DPIA) when the scope, nature, context, and purpose of an envisaged processing will constitute high risk to the rights and freedoms of data subjects. A DPIA must contain a systematic description of the envisaged processing, purpose, legal basis, and proportionality of the processing in relation to the purposes for processing such data. A DPIA must also contain an assessment of the risks that the envisaged processing may pose to the rights and freedoms of the data subject, as well as the measures and safeguards proposed to mitigate and address the identified risks. If it remains the case that high risk will be posed to the rights and freedoms of data subjects irrespective of the mitigating measures and safeguards envisaged by the data controller, the data controller must consult the NDPC prior to commencement of the processing. The NDPC is empowered by section 28(3) of the NDPA to make further regulation in regard to this provision when necessary.

e) Cross Border Personal Data Transfer

The NDPA modified the obligations of the data controller and data processor from its previous position under the NDPR. Under the NDPR the Attorney General of the Federation was mandated to supervise cross border data transfer among others. This provision has been eliminated, and section 41 of the NDPA prohibits cross border personal data transfer unless there is an adequate level of protection of personal data within the jurisdiction where the would-be recipient is located, or any of the derogations under section 43 of the NDPA are present.

The adequate level of protection listed as an exception to the prohibition on personal data transfer can be afforded in the available laws of the recipient’s jurisdiction, binding corporate rules, codes of conduct, contractual clauses or certification mechanisms. The derogations listed in section 43 of the NDPA include consent of the data subject; performance of contract; sole benefit of the data subject where the data subject is unavailable to give consent and it is reasonable that the data subject would likely have given consent; public interest; establishment, exercise and defence of legal claims; and vital interest of the data subject. Data controllers and processors are required by the NDPA to record the basis for any cross border transfer.

The provisions of sections 42(4) and 42(5) of the NDPA empower the NDPC to make adequacy of protection decisions, approve corporate rules, codes of conduct or similar instruments, and issue guidelines regarding the assessment of adequacy of protection.


It is beyond peradventure that the introduction of the Nigeria Data Protection Act 2023 represents a significant stride toward addressing the ever-evolving challenges present in data processing activities in the digital age. However, it is crucial to emphasize that the pace of technological advancement will demand ongoing innovation within the legal framework to ensure that data privacy remains robust and adaptable to emerging technologies. It is within this context that the powers of the NDPC to issue regulations further to the NDPA are appreciated. Irrespective of the above, and to avoid further controversies in future, the NDPA will require continuous monitoring and potential amendments to keep pace with the dynamic landscape of data privacy, always with due regard for existing laws, regulations, and the pursuit of innovative solutions when required.

Article provided by INPLP member: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
