The conundrum of personal data protection in Nigeria is stark and deeply human. Nigeria says it takes personal data seriously. We now have a national law, a regulator with teeth, and glossy compliance talk from boardrooms to boot camps. Yet many Nigerians still experience privacy as something extracted from them rather than protected for them. That is the conundrum.
On paper the Nigeria Data Protection Act 2023 set up the Nigeria Data Protection Commission to give legal force to rights and obligations first sketched in the 2019 regulation by the information technology agency. In spirit it borrows heavily from the European regime, promising purpose limitation, lawful bases and accountability. In practice citizens are still guessing who holds their data, where it goes, and who profits when it moves.
The state’s posture has been to centralise identity while insisting that this is for security and convenience. The national identity number has been welded to mobile lines, and deadlines became a ritual, culminating in mass disconnections of unlinked SIMs in 2024. For millions this was not a meaningful choice but a blunt ultimatum. Link or lose service. A consent form signed under the threat of being cut off is not consent at all. The policy may reduce fraud at the margin, but it also creates a single point of failure and a honeypot for criminals. Nigerians asked reasonable questions. Who audits access to the identity database? Who logs every query? What happens when credentials are shared or sold? The government and regulator pushed ahead regardless.
When reports emerged that identity records were being traded online for trivial sums, the identity agency issued firm denials and promised investigations. Civil society groups went to court. In the noise, ordinary people were left with the same old anxiety. If my data is out there, who will fix it, and how would I even know? The truth is that security is not a press release. It is architecture, process, logging, and consequence. The agency may yet be right on the facts in any single episode. What matters is that trust, once bruised, requires more than assurances to heal.
Enforcement is finally stirring, and that matters. In 2024 the data protection commission fined a commercial bank after finding it processed personal data without informed consent and misused tools such as cookies and apps. The same year Nigeria’s competition authority, working with the data regulator, issued a headline-grabbing penalty against a global platform for appropriating user data without consent and for privacy policies that left users with no real control. These actions signal a turning point. They also raise a hard question. Can regulators sustain this tempo across thousands of controllers, or will a few big fines become the theatre that substitutes for day-to-day supervision?
The legal skeleton is not the problem. It promises rights to access, correction, deletion and objection, with timelines that mirror international best practice. The right to a response within one month is meaningful only if people can find the right channel, get a human answer, and see the correction propagate across vendors and data brokers. Ask around and you will hear the same story. Requests vanish into shared inboxes. Vendor lists are incomplete. Records of processing are out of date within weeks because new integrations go live without privacy review. This is not malice. It is the inertia of busy teams, undertrained staff, and leadership that celebrates launch metrics while outsourcing risk to the future.
Nigeria’s private sector is not blameless. Fintech, health, education and retail have built growth engines on the back of invasive onboarding and perpetual profiling. A culture of “take everything now and ask for permission later” still lingers. Privacy notices read like puzzles, consent boxes are bundled, and dark patterns herd users towards surrender. Yet there is a better commercial story hiding in plain sight. Data minimisation reduces breach impact. Clear retention rules cut storage spend. Honest notices reduce complaint volumes. Companies that internalise these truths will sell trust as a product attribute rather than a compliance cost.
The path forward is unglamorous. Build privacy by design into procurement and engineering. Keep the record of processing current. Treat every new data flow as a change request with a privacy check, not a side chat. Test breach playbooks against real scenarios. Fund civil society to pressure-test systems. Publish audit outcomes in plain language. Most of all, centre the human being in every decision. The person is not a data subject in a form. She is a citizen, a customer, a patient, a parent. Her privacy is not an abstract right. It is the difference between safety and exposure, between dignity and exploitation. Nigeria has a modern law and active regulators. Now we need the humility and discipline to make those promises real.