The 1999 Constitution of the Federal Republic of Nigeria (as amended) somewhat provides for Data Protection in Section 37 for the protection and guarantee of the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications[1], but this section doesn’t cover electronic data or personal.

Every day, millions of Nigerians use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues there-by sending and storing business communications and even start intimate conversations over this global network.

But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.[2]

No doubt technological innovations are here to stay as they transform the old/traditional way of transacting business and help ease the stress of our everyday life, thereby making the world a global village.

This trend is also present in Nigeria, as several online driven businesses have sprung up and changed the way in which traditional business or buying and selling is being done. “Alat” by Wema bank is an example of such an innovation in the financial sector.

While they are welcomed innovations, they pose a potential danger in the area of handling personal data of users signed up to their platform, the reason being that Nigeria lacks a comprehensive legal framework that guarantees and protects the privacy of data of citizens.

There is no denying the relevance of affording protection for customers’ sensitive information, as it forms the crux of most data protection legislation in this digital age, as it deals with preventing the abuse of private information/data of citizens by private organizations.

Data in this digital age has been referred to “as the oil of the digital era”[3] as it is presents “A Trillion Dollar Opportunity”[4] for data collectors and collators. This is evidenced in the fact that the five most valuable listed firms/companies are those who deal in data of individuals.

Facebook, for example, has made millions and is still making millions over the data of individuals signed up to its platform by offering “advert targeting” to businesses and companies.

In terms of Personal data, privacy issues arises from the exponential growth in consumer and mobile technologies, with an increasingly connected planet and mass cross border data flows, should spur any country to rethink its data protection legislation or, in the case of Nigeria, create a comprehensive legal framework, to ensure that these fundamental rights are fully protected in today’s digital economy.

Data protection is a form of human right protection legislation and not about technology and the need to develop its use or prevent the abuse thereof.[5] A person has the right to determine whether his/her personal data may be disclosed and how it may be used.


The definition of personal data will be discussed under two countries legislation, USA and UK. In the United States of America, Personally identifiable information (PII), a term similar to data protection, is defined as follows[6]

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

While in the United Kingdom, Personal Data is defined as[7]:

“Data that relates to a living individual who can be identified from such data, or and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”

The following questions have been use deduced to determine whether data (electronic or manual) is personal data for the purpose of the UK Data Protection Act[8];

1.     “Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?” If the Answer is Yes, we move to the second question, if No, then the data is not a personal data.[9]

2.     “Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?” If Yes, the data is ‘personal data’. To determine in what ways data ‘relates to’ an individual, the questions below will be determined.

3.     Data ‘obviously about’ a particular individual: Is the data ‘obviously about’ a particular individual? If Yes, then its ‘personal data”. [10]

4.     “Is the data ‘linked to’ an individual so that it provides particular information about that individual?” If Yes, the data is ‘personal data’. [11]

5.     “Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?”  If Yes, then the data is ‘personal data’.[12]

6.     Does the data have any biographical significance in relation to the individual? If Yes, the data is ‘personal data’.

7.     “Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?” If Yes, the data are ‘personal data’.[13]

8.     “Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?”[14]

In Nigeria, the NITDA Guidelines defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

In summary for electronic data to be personal it must contain the following elements:

a)     It must relate to a living individual; and

b)     The data must be used in the identification of that living person.

Thus, any opinion or information which can identify such an individual, irrespective of a lack of name attached to it, qualifies as Personal Data and must be afforded the necessary legal protection.


Under the definition used by the United State National Institute of Standards and Technology, the following data are often used for the express purpose of distinguishing individual identity which clearly classify as PII or Personal data;

1.     Full name (if not common)

2.     Home address

3.     Email address (if private from an association/club membership, etc.)

4.     Passport number

5.     IP address (when linked, but not PII by itself in US)

6.     Vehicle registration plate number

7.     Driver’s license number

8.     Face, fingerprints, or handwriting

9.     Credit card numbers

10. Digital identity

11. Date of birth

12. Birthplace

13. Genetic information

14. Telephone number

15. Login name, screen name, nickname, or handle

The following are considered as traits shared by many people, so they are less often used to distinguish individual identity. However, they can be combined with other personal information to identify an individual which then makes them potential PII or Personal Data;

1.     First or last name, if common

2.     Country, state, postcode or city of residence

3.     Age, especially if non-specific

4.     Gender or race

5.     Name of the school they attend or workplace

6.     Grades, salary, or job position

7.     Criminal record

8.     Web cookie


Data protection involves the implementation of administrative, technical or physical measures to guard against unauthorised access to any such data listed above, as it involves the protection of personal data, which covers both facts and opinions about an individual[15].

The need for such a law was also emphasised by Cynthia Yav, stating that the law will provide for the legal protection of a person in instances where his or her personal information is being collected, stored, used, disseminated or communicated by another person or institution. It will afford individuals the right to know what information about them is being held; and then provide a framework to ensure that personal information is handled properly; and it will safeguard a person’s right to privacy.”[16]

In essence, data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business.[17]


There are no extensive or comprehensive law on data protection in Nigeria but there are industry specific regulations and rules of professional conduct that offer some sort of protection and privacy.


The Child Rights Act regulates the protection of children (persons under the age of 18 years). This Act limits access to information relating to children in certain circumstances.


This regulation was issued by the Nigerian Communications Commission (NCC), the regulator of the telecommunications industry in Nigeria. The NCC Regulations provide that all licensees must take reasonable steps to protect customer’s information against “improper or accidental disclosure” and must ensure that such information is securely stored.

It also provides that customer’s information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations“. Unfortunately this code of practice applies only in the Nigerian communications industry.


The ‘FOI Act’ which seeks to protect personal privacy, provides in section 14, that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available.

Also, Section 16 states that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc).


In 2011, the NCC issued the Registration of Telephone Subscribers Regulations which represented a wider perspective and afforded some protection of the data collected, collated, retained and managed by telecommunication companies and independent agents in respect of their obligations to collate and retain data of subscribers under the Regulations.

Section 9 of the Regulation provides that subscribers information contained in the Central Database shall be held in strict confidentiality basis and no person or entity shall be allowed access to any subscriber’s information that is on the Central Database except as prescribed by the Regulation. The Regulation defined Central Database to mean subscriber information database, containing the biometric and other registration information of all Subscribers. Section 21 of the Regulation provides penal sanctions for violators.


The NITDA is the national authority that is responsible for planning, developing and promoting the use of information technology in Nigeria. The NITDA guidelines prescribe guidelines for organisations that obtain and process personal data of Nigeria residents and citizens within and outside Nigeria for protecting such personal data.

It is currently the only set of regulations that contains specific and detailed provisions on the protection, storage, transfer or treatment of personal data in Nigeria. The Guidelines apply to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems within the Federal Republic of Nigeria.

But a closer look into the guidelines shows that it is not more than a “draft guidelines” with little or nothing to show legislative authority or thoughtfulness as it looks more like a set of advisory principle that data collectors are expected to follow with no coercive sanction or threat of punishment where the guidelines are violated.


This was enacted to fill up the gaping hole in tackling cybercrimes. Its enactment was a welcomed development, even though some of its provisions are riddled with errors and verbose language, as it solved the issue of how to tackle crimes perpetuated through a computer system or on the internet.

The Act in Section 38 provides for the retention and preservation of traffic data and subscriber information[18] by Service providers for a period of 2 years[19], which is a standard practice in developed world. The Act defines a Service Provider as

(i) any public or private entity that provides to users of its services the ability to communicate by means of a computer system, electronic communication devices, mobile networks; and

(ii) any other entity that processes or stores computer data on behalf of such communication service or users of such service[20]

This provision helps law enforcement in carrying out proper investigation on crimes committed with the aid of the internet or to help them in the prosecution of their case in court because through this they can collect evidence from the network data of an accused person or suspect when such evidence is hard to come by from the accused computer system.

The section further provides in subsection (5) that the data retained by these service providers should be accorded the Constitutional right to privacy as enshrined in the constitution and all appropriate measures should be taken to protect the data. The subsection goes thus;

Anyone exercising any function under this section shall have due regard to the individual’s right to privacy under the Constitution of the Federal Republic of Nigeria, 1999 and shall take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.[21]

The effect of this subsection created a measure of privacy and protection only on the data retained by these Service Providers and not on general data collected, collated and processed by these Service Providers.

What this means is that any entity that provides a means of communication through a computer system, phone, tablets or any form electronic communication fall under this section which include communication companies, ISP companies, social media websites, chat applications on phones or any software or app or websites that enables users to communicate with one another can be compelled by a Law enforcement agent to retain and preserve data and also protect the privacy of such data retained by them.

While this is a welcomed provision, it doesn’t help solve the lacuna of a data protection and privacy law in Nigeria.


In countries where Data Protection law exist, there are 8 basic principles enshrined in their law which governs the use of personal information, which companies handling data must comply with[22]. They are called codes of good practice for processing personal data, which ensures that data/information is:

  • used fairly and lawfully
  • obtained only for one or more specified and lawful purposes
  • used in a way that is adequate, relevant and not excessive in relation to the purpose for which they are processed
  • accurate, and where necessary, kept up to date
  • kept for no longer than is absolutely necessary for that purpose
  • handled according to people’s data protection rights
  • kept safe and secure against unauthorised or unlawful processing of personal data
  • not transferred outside of the country without adequate protection

The effect of just having guidelines and industry based regulations is that, they are by nature two-sided documents which are regarded largely as sets of dos and don’ts a party gives to another, meaning that they don’t create rights and liabilities which legislation has, as an enforceable social contract.

At best they give a set of expectations that one party expects from the other and hardly is a third party allowed to claim any breaches thereby. It is the regulatory agency that may impose sanctions where there are breaches of the regulations.

From the foregoing, the need for an encompassing data protection law that sets out the general data protection principles and the machinery of enforcement of any breach thereof by these organisations/companies cannot be over emphasized.


This lacuna in our law creates a huge opportunity for criminal gangs and even legitimate organizations/companies to target data of Nigerians with the sole purpose of fishing out data that could be used in a criminal or discriminatory manner.

When such organisations commits a breach or a crime is initiated, the lack of laws and regulators coupled with a judiciary that has limited cyber awareness capabilities will make it hard to prosecute alleged offenders.

Without a law to compel these organisations to enforce the 8 principles of data protection leaves room for the operation of Identity theft, which is one of the fastest growing global crimes[23] and according to Franklin F Akinsuyi, this is attributed to a number of reasons[24] which include but not limited to the following:

·        Huge margins for little effort and risk on the part of criminals

·        Inadequate legislation or punishment to deter identity thieves

·        Organisations not deploying appropriate security measure

·        People not being aware of the value of their personal information

These thefts of identity operations are usually done through Phishing Scams, Hacking of databases to steal personal information or staffs colluding with criminals to get these data etc.[25]

Another issue is in the area of National Security in situations where public and private institutions allow data of Nigerian citizens data to be processed by third parties especially in situations where due diligence has not been undertaken, data loss prevention methods have not been verified, or where such information is transferred outside of Nigeria.

Also due to the lack of legislation on data protection, it gives foreign nations and organisation an opportunity to conduct mass monitoring and profiling of Nigerians due to their possession of Nigerians’ “location data”.

This data can be gleaned from the location services from smartphones, laptops, iPad, smartwatches, smart TVs and even social media posts and updates. This information can be used to identify where an individual Nigerian is, where they have been, who they have been in contact with, and who was situated around them[26].

A perfect example of this is Google’s Location History which shows a map of areas, locations and places an individual has been to. Without a law regulating how this information is being used and also imposing mandatory security measures, poses a major impact on the privacy and security of Nigerians.

It is worthy of note that many Nation States have initiated and implemented spying and espionage programs to ensure they maintain a country competitive advantage, which has resulted in profiling campaigns which could be unfavourable to Africans in general. Armed with the Bio-metric (gotten from fingerprint scanners on smartphones), Location, personal and Financial data, countries and organisations can develop algorithms from this information to initiate artificial blocks on Nigerians creating barriers to entry to certain environments.

No wonder why some Nigerians where denied entry into America even though they had valid visas to the county and Nigeria not being on the list of countries on the travel ban list.

In international trade, data protection is a crucial issue and the lack of adequate data protection may prove to be a barrier to trade. As the Internet knows no borders, effective international co-operation is an essential prerequisite for data privacy and protection laws to function adequately in an international context.

Promoting a free-flow of information across borders, while at the same time ensuring that individuals enjoy the protection of their fundamental rights and freedoms should be utmost importance in Nigeria.

The lack of a Data protection law in Nigeria was one of the reasons why PayPal didn’t allow Nigerians sign up to use its services as it violated the principle of data protection on data  should not be transferred to a country without adequate data protection.

Another issue that arises is in the area of jobs creation, as Nigerian companies outsource the work of data processing to foreign companies. They pay hard currency to these foreign companies for a task which should be undertaken by Nigerians.

This does not only depletes the country of hard earned cash but disenfranchises Nigerians from participating in the lucrative industry, further reducing job opportunities. In the Data processing industry; there has been extensive growth in areas of data analytics, predictive analytics and data mining.

This has led to new types of roles such as data scientists being created, a role being sought by many organisations in their quest to understand how best to use personal information aggregation to suit their business models and maintain competitive advantage[27].


Without a comprehensive law on data protection, organisations that do not fall under regulation defined guidelines for data, can deal with personal data of Nigeria the way they want and this leads to selling of information like phone numbers, email address, location history and details, etc, which causes citizens to be harasses with unsolicited text messages, calls and emails from organisations that have purchased these data. The only redress a citizen can take is to bring a tortious action against such companies, but that’s a long stretch.

Data protection shouldn’t bring industry specific but should cut across all sectors or areas, basically it should cover anyone that deals with data of individuals, which includes the public sector or any government agency or body. For example, the latest N-Power programme of the federal government that seeks to cut down the rate of unemployment in the country requires a lot of personal data of Nigerians that signs up to the programme, including their BVN, Account Number, date of birth etc.

Without a law on Data protection, nothing stops government worker to sell these information or use it for illegal purposes.

It is imperative that a legislation should be brought forward to ensure that personal data/information of Nigerian citizens are kept safe and secured, used lawfully and ultimately not transferred outside of the country without adequate protection. This will ensure that valuable information do not get to the wrong hands or used illegally.

[1] 1999 Constitution of the Federal Republic of Nigeria as amended

[2] Rafi Goldberg “Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities” Available at <>

[3] The Economist, “The World’s Most Valuable Resource Is No Longer Oil, But Data” available at:

[4]Franklin F Akinsuyi, “Data Protection & Privacy Laws Nigeria, A Trillion Dollar Opportunity” available at:

[5]Bernard Jemilohun “Regulations or Legislation For Data Protection In Nigeria? A Call For A Clear Legislative Framework”

[6] The U.S. government used the term “personally identifiable” in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB),

[7] UK Data Protection Act 1998

[8] “Determining what is personal data” v1.1 20121212, UK Information Commissioner’s Office available at  accessed on 29/5/2017

[9] A name alone may not identify an individual, as there might be several people with the same name (e. Kenneth Okonkwo) but with a combination of other data (like gender, age, place of work or a telephone /email), then such can clearly identify a person

[10] What determines ‘obviously about’ is based on the scope of the content of the information

[11] There are cases where data is not in itself personal data but, in certain situations, it will become personal data where it can be linked to an individual to provide particular information about that individual.

[12] Context is important here. Information about a house is often linked to an owner or resident and consequently the data about the house will be personal data about that individual. However, data about a house will not, by itself, be personal data.

[13] Again, it is important to remember that it is not always necessary to consider ‘focus’ to determine whether data is personal data. In many cases data may be personal data because it is ‘obviously about’ an individual, or because it is clearly ‘linked to’ an individual because it is about the individual’s activities.

You need to consider the ‘focus’ of the data only where information is not ‘obviously about’ an individual or clearly ‘linked to’ them.

[14] What is being considered here is whether the processing of the information has or could have a resulting impact upon the individual even though the content of the data is not directly about that individual, nor is there any intention to process the data for the purpose of determining or influencing the way that person is treated.

[15] Cynthia Yav, “Legal Frameworks For Data Protection In South Africa And Nigeria” available at accessed on 26/5/2017

[16] Ibid

[17] Ibid


[19] Section 38 (1) ibid

[20] Section 58 ibid

[21] Section 38(5) ibid

[22] These principles are also codified in the NITDA draft guidelines and the RTS regulation

[23] See Akinsuyi, F. Franklin, “Combating Computer Crime in Africa, Proposal for Pan African Cyber Crime Legal Framework” (August 19, 2010). Available at SSRN:

[24] Franklin F Akinsuyi, “Data Protection Legislation for Nigeria, The Time is Now!” available at

[25] ibid

[26] ibid

[27] Franklin F Akinsuyi, “Data Protection & Privacy Laws Nigeria, A Trillion Dollar Opportunity” supra



Leave a Reply

Your email address will not be published. Required fields are marked *