Skip to main content

Personal Data Protection in Nigeria: Reflections on Opportunities, Options and Challenges to Legal Reforms


The right to personal data protection is, without doubt, an important right in the jurisprudence of rights in the contemporary information society. It is becoming as crucial as other orthodox human rights and also attracting significant attention from academics, lawyers, human rights activists and policy makers. In spite of the growing attention data protection receives at international and regional levels, Nigeria is still lagging behind many competitor states like South Africa in establishing an effective legal framework to protect personal data. Individuals’ personal data is being collected and used without any serious form of control to check against abuse. This paper reflects on opportunities, option and challenges to legal reforms on data protection in Nigeria. It contends that certain legislative and practical challenges stand in the way of an effective legal regime on personal data protection. The paper suggests appropriate legal reforms that are needed to enable prevent the increasing risks of violating the right to data protection in a country that is making rapid advances in Information and Communication Technology but hamstrung by an outdated regulatory framework.

This is a preview of subscription content, access via your institution.


  1. 1.

    Lynskey (2014: 592).

  2. 2.

    See generally Kuner (2013: 1); Lagos (2014: 187).

  3. 3.

    De Hert and Gutwirth (2009: 3).

  4. 4.

    Van der Sloot (2015: 26).

  5. 5.

    According to Nigerian Statistic Office, Nigeria’s GDP for the year 2013 is 80.3 trillion naira (£307.6bn: $509.9bn). This surpasses that of South Africa at the end of 2013. Its population is estimated to be about 170 million people which is three times larger than South Africa’s population. Economists however argue that these are mere figures as Nigeria’s economic output is underperforming. See ‘Nigeria becomes Africa’s biggest economy’ BBC News Business, 6 April 2014, available at

  6. 6.

    The key agencies include National Population Commission (NPC), National Identity Management Commission (NIMC), Federal Road Safety Commission (FRSC), Independent National Electoral Commission (INEC) National Population Commission, National Identity Management Commission, Federal Road Safety Commission, Independent National Electoral Commission.” Buhari charges NPC, NIMC, FRSC others to harmonize biometric data” Accessed 30 October 2016.

  7. 7.

    See V Ekwealor “The Nigerian Government is building a database of vehicle owners; it is not looking promising” Accessed 30 October 2016.

  8. 8.

    Internet penetration is ‘the portion of the population that has access to the internet. It defines a portion of the digital divide.’ Ahn and McNutt (2015: 55).

  9. 9.

    Ranked after countries like China, United States (US), India, Japan, Brazil, Russia and Germany who are ranked 1st–7th respectively. See Internet Live Stat ‘Nigeria internet user’ available at (accessed 20 January 2015). The figures are based on an elaboration of data by the International Telecommunication Union (ITU), World Bank, and United Nations Population Division. See also Internet World Stats “Usage and population statistics” Accessed 20 January 2015. There are inconsistencies in figures by both sources however the difference is not substantial.

  10. 10.

    Where Nigeria was ranked 20th largest internet user in the world. Ibid.

  11. 11.

    "Nigeria’s National Broadband Plan 2013–2018” a submission by the presidential committee on broadband Accessed 20 January 2015 p. 12. In the document, broadband is used to refer to high speed communication networks that connect end-users at a data transfer speed greater than 256 Kbit/s. The term is currently used in a way that is reflective of a user’s experience thus ‘broadband within the Nigerian context is defined as an internet experience where the user can access the most demanding content in real time at a minimum speed of 1.5 Mbit/s.’.

  12. 12.

    As of September 2014, the total number of active mobile telephone lines was estimated to be over 130 million which is about 87% penetration, as against less than 1% in the year 2000. See "Subscriber Statistics: Monthly Subscriber Data” Nigerian Communications Commission Accessed 20 January 2015.

  13. 13.

    For example, Premium Times, a Nigerian media outlet, recently reported increasing surveillance activities by the Nigerian government. See M. Mojeed, “EXCLUSIVE: Nigerians Beware! Jonathan procures N11 billion equipment to tap your phones”, Premium Times (Nigeria), 26 February 2015 Accessed 28 February 2015.

  14. 14.

    Various activities of commercial banks in Nigeria raise data protection issues. They conduct Know-your customers (KYC) and gather large amount of customers’ personal data. Recently, banks are required to conduct personal data verification through the Bank Verification Number (BVN) project. See “Central Bank of Nigeria introduces Bank Verification Number (BVN)” Accessed 20 January 2015.

  15. 15.

    Retail outlets also engage in the collection and use of individuals’ personal data through their various activities. For example, there are calls to intensify direct marketing practices in Nigeria. See "Direct Marketing Swallowing Conventional Marketing—IDMN Registrar” Accessed 20 January 2015.

  16. 16.

    See "Credit Bureau Association of Nigeria” Accessed 20 January 2015.

  17. 17.

    These rules are generally called the Fair Information Practice Principles (FIPPs). Modern data protection law is built around these principles which were broad, aspirational, and included a blend of substantive and procedural principles. See Cate (2006: 341).

  18. 18.

    Van der Sloot (2014: 307). See also Birnhack (2008: 509).

  19. 19.

    Bygrave stated that Datenschutz is in turn derived from the notions of Datensicherung and Datensicherheit meaning ‘data security’. Bygrave (2002: 22).

  20. 20.

    De Hert and Gutwirth (2009: 3).

  21. 21.


  22. 22.

    Roos (2008: 313).

  23. 23.


  24. 24.

    Bygrave (2014: 1); See also Bygrave (2002: 1).

  25. 25.

    European Union Data Protection Directive 95/46/EC of The European Parliament And Of The Council On The Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data 1995 (EU Directive) Accessed 23 February 2015 Article 2.

  26. 26.

    Ibid, see also Protection of Personal Information (POPI) Act, No 4, 2013 of South Africa, Accessed on 23 February 2015, Section 1 which defines processing in a similar light. This article will consistently make reference to this South African legislation because it is one of the most recent data protection legislation and it arguable is a representation of a modern data protection piece of legislation.

  27. 27.

    Kuner (2007: 74). Many laws and international codes on data protection however provide for exceptions relating to the processing of personal data for purely personal, artistic and journalistic purposes. See for example EU Directive, Section 3 and POPI Act, Article 7.

  28. 28.

    Both terms are used interchangeably in this paper even though a distinction can be drawn between them. According to Roos, data is unstructured or unorganised facts that need to be processed and organised to produce information. Information is thus a set of organised, structured and processed data. Roos (2008: 313). Bygrave opines that ‘it is artificial and unnecessarily pedantic…to maintain a division between the two notions, as such a division is usually difficult to maintain in practice.’ Bygrave (2002: 20).

  29. 29.

    Bygrave (2014: 1).

  30. 30.

    Example of personal data of natural persons within the scope data protection are identification number, email address, physical address, religion, race, gender, biometric information etc. See EU Directive, Article 2. See also POPI Act, section 1(b).

  31. 31.

    For example, POPI Act in Section 1 refers to ‘existing juristic persons’. Bygrave made an elaborate discussion on the importance of data protection law for organised collective legal entities which is ‘constituted on the basis of the individual members of the entity coming together to set up and maintain the entity through a series of more or less systematic, formalised measures.’ There are two main categories of these entities, there are the legal/juristic persons and those that are not. The non-organised juristic persons are ‘non-profit’ organisations such as religious bodies. See generally Bygrave (2002: 173).

  32. 32.

    Abdulrauf (2014: 74). See also Bygrave (2002: 42).

  33. 33.

    A data subject is an individual whom personal data relates. See POPI Act, Section 1. Protection of data subjects’ interest is the primary aim of the law of data protection. ‘Data subject’ and ‘Individual’ will be used interchangeably in this paper.

  34. 34.

    A ‘data controller’, ‘controller’ and ‘responsible party’ all refers to the same person/entity. It means a natural or legal person or a public or private body who, alone or jointly with others, determines the purposes and means of processing of personal data. See EU Directive, Article 2 and POPI Act, Section 1.

  35. 35.

    Bygrave points out that “data protection laws often take the form of ‘framework’ laws. Instead of setting down in casuistic fashion detailed provisions on the processing of personal information, data protection laws tend to set down rather diffusely formulated, general rules for such processing and make specific allowance for the subsequent development of more detailed regulatory norms as the need arises.” Bygrave (2002: 3).

  36. 36.

    Bygrave (2002: 2).

  37. 37.


  38. 38.


  39. 39.

    See for example EU Directive, Article 28 which requires member states to establish public authorities that will be responsible for monitoring the application of the directive.

  40. 40.

    Different terms are used by various data protection laws to denote the supervisory agency. For example, POPI Act, Section 39 uses ‘Information Regulator’. In some other jurisdictions, like the UK and Canada, the office is centred on a particular public official usually called the privacy commissioner.

  41. 41.

    EU Directive, Article 28 (1); POPI Act, Section 39 (b). See also Greenleaf (2012: 3–13): 3-13. See also Makulilo (2014: 847).

  42. 42.

    Lynskey used the term ‘spilt personality’ in this context to denote the dual objectives of data protection. Lynskey (2013: 59).

  43. 43.

    Makulilo (2014: 846).

  44. 44.

    Levin and Nicholson (2005: 374).

  45. 45.

    Lynskey (2013).

  46. 46.

    OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal data, available at Accessed 23 February 2015.

  47. 47.

    Bygrave (2014: 11).

  48. 48.

    Caruana and Cannataci (2007: 104).

  49. 49.

    Bygrave (2014: 11).

  50. 50.

    See Craig and Ludloff (2011: 68), who contend that the US treats data privacy as a commodity that can be bought and sold. The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) has also been argued to be driven by purely economic sentiments. Berzins (2001–2002: 609–645).

  51. 51.

    Lloyd (2011: 9).

  52. 52.

    A commentator pointed out that with regard to the EU Directive, its original purpose ‘was not only to increase data privacy protection within the European Union, but also, as an integral part of EU policy, to promote trade liberalization and ensure that a single integrated market was achieved.’ Levin and Nicholson, supra note 51, at 376, The EU Directive mentions economic and social progress, trade expansion (Recital 2, 56), and free flow of personal data (Art 1 (2) alongside the right to privacy (Recital 2, 9–11, 68 and Art 1(1). Specifically, see recital 3.

  53. 53.

    Gutwirth (2002: 91). For more on various issues relating to the human rights role of the EU, see Búrca (2011: 649–693).

  54. 54.

    Bernal (2011: 268. The research also notes that ‘so long as the primary focus remains on economic success, privacy and autonomy are likely to be squeezed’.

  55. 55.


  56. 56.

    UDHR, Article 12.

  57. 57.

    ICCPR, Article 17.

  58. 58.

    ECHR, Article 8. The African Charter on Human and Peoples’ Rights (ACHPR), unfortunately, does not contain a right to privacy.

  59. 59.

    Kuner (2009: 308). Bygrave (2002: 116).

  60. 60.

    For example US, Canada, Australia, New Zealand. In fact, Makulilo argues that ‘that the two concepts are increasingly becoming synonymous and hence interchangeable in their daily uses.’ Makulilo (2012a, b: 166). See also Bygrave (2001: 277–283). Lloyd (2011: 26).

  61. 61.

    See for example the South African POPI Act, Preamble; See also EU Directive, Article 1. However, the Proposed EU Regulation however takes a different approach. It anchors data protection on the sui generis right to data protection. See Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to The Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) COM(2012) 11 final 2012/0011 (COD), Article 1.

  62. 62.

    Bygrave (2002: 122).

  63. 63.

    Van der Sloot (2015: 26).

  64. 64.

    The preamble to the UN Charter states that the peoples of the UN are determined to, among others, ‘reaffirm faith in fundamental human rights, in the dignity and worth of the human person, in the equal rights of men and women and of nations large and small’. Charter of the United Nations, Accessed 23 February 2015. Apart from UN Guidelines for the Regulation of Computerized Personal Data Files, G.A. res. 44/132, 44 U.N. GAOR Supp. (No. 49) at 211, U.N. Doc. A/44/49 (1989), there are still calls for an international privacy and data protection framework under the umbrella of the UN. This was from the Monteux Declaration in which there was an appeal to the UN ‘to prepare a binding legal instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human rights.’ De Terwange (2009: 174–175). See also Kuner (2009: 308).

  65. 65.

    The council is Europe’s leading human rights organisation. Council of Europe, ‘The Council of Europe in Brief’, Accessed 23 February 2015.

  66. 66.

    De Terwange (2009: 174–175); Kuner (2009: 308).

  67. 67.

    See 30th International Conference of Data Protection and Privacy Commissioners. The protection of personal data and privacy in a globalized world: a universal right respecting diversities, Strasbourg (October 2008). Accessed 23 February 2015.

  68. 68.

    See Articles 7 and 8 of Charter of Fundamental Rights of the European Union, (2000/C 364/01), Accessed 1 November 2014.

  69. 69.

    De Hert and Gutwirth (2009: 8).

  70. 70.

    Example, Belgian Constitution (1831), Article 22; Portuguese Constitution (1976), Article 26; Spanish Constitution (1978); Article 18 and Swedish Constitution (1975), Article 2. In other countries like Canada, data protection is a quasi-constitutional right. See the decision of the Canadian Supreme Court in H.J. Heinz and Co. Ltd v. Canada (Attorney General), [2006] SCC 13, para. 28.

  71. 71.

    Lynskey (2014).

  72. 72.

    Like the principles of human rights generally. Smith (2007: 29).

  73. 73.

    Based on the principles of international human rights outlined in United Nations Human Rights, ‘What are human rights’, Accessed 23 February 2015.

  74. 74.

    Although, it is acknowledged that the right to data protection and access to information are also in great tension. For more on this issue, see Banisar (2011).

  75. 75.

    Digital divide is ‘the gap between those in society who have access to the Internet (broadband, in their homes) and those who have either poor access (dial-up connection at a public library) or no access at all.’ See Stefanick (2011: 18).

  76. 76.

    Article 1 of the Universal Declaration of Human Rights 1948. ‘All human beings are born free and equal in dignity and rights.”

  77. 77.


  78. 78.

    Constitution of the Federal Republic of Nigeria (1999).

  79. 79.

    Ibid, section 37.

  80. 80.

    There are extremely limited court decisions on the right to privacy generally in Nigeria.

  81. 81.

    Nwauche (2007: 84). Allotey (2014: 173).

  82. 82.


  83. 83.

    Schartum (2008).

  84. 84.

    Ibid. See also De Hert and Gutwirth (2006: 61–104).

  85. 85.

    Schartum (2008); Abdulrauf (2014).

  86. 86.


  87. 87.

    This is evident from the opening words of the section ‘[t]he privacy of citizens…’. Kusamotu (2007: 154). See also Dada (2012: 42).

  88. 88.

    Unlike some other jurisdictions that have an independent civil law of privacy like South Africa, Germany and some provinces in Canada.

  89. 89.

    Nwauche (2007: 79). See also Laosebikan (2007: 340).

  90. 90.

    Solove (2007: 770).

  91. 91.

    Laosebikan (2007: 340–344).

  92. 92.

    Freedom of Information Act (2011).

  93. 93.

    The provision further gives examples of information which is inaccessible to the public because it constitutes personal data.

  94. 94.

    For more on active control, see Neethling (2012: 245).

  95. 95.

    Lynskey (2014: 592).

  96. 96.

    Nigerian National Health Act (2014). Available at Accessed on 20 January 2014.

  97. 97.

    Ibid, section 25.

  98. 98.

    Ibid, section 26 (1).

  99. 99.

    Ibid, section 26 (2).

  100. 100.

    Ibid, section 29.

  101. 101.

    Statistics Act (2007).

  102. 102.

    Ibid, section 26.

  103. 103.

    This is the view of Roos with regard the South African Constitution provision on Privacy. See Roos (2008: 354).

  104. 104.

    See for example the Computer Security and Critical Information Infrastructure Protection Bill (2005); Cyber Security and Data Protection Agency Bill 2008; Electronic Fraud Prohibition Bill 2008. In 2009, there was the Computer Security and Protection Agency Bill and Computer Misuse Bill. Then the Economic and Financial Crimes Commission Act (Amendment) Bill 2010 and the Cyber Security and Information Protection Agency Bill 2012. These entire draft bills have provisions related to data protection. They are all contained in the Nigerian National Assembly website at

  105. 105.

    Available at Accessed 20 January 2015.

  106. 106.

    Available at Accessed 20 January 2015.

  107. 107. Accessed 20 January 2015.

  108. 108.

    Personal Information and Data Protection Bill (2012), [Unfortunately, the Bill is not available online however, a copy is available on file with the authors].

  109. 109.

    T. Kio-Lawson, ‘Right to be Forgotten’, Business Day 1 June 2014 Accessed 20 January 2015.

  110. 110.

    Personal Information and Data Protection Bill (2012), Section 1, Oyewunmi (2012: 240).

  111. 111.

    Ibid. See the provisions of section 4 which contains the major functions of the agency.

  112. 112.

    Data is defined in section 38 of the Bill as ‘a representation of information, knowledge, facts, concepts or instructions intended to be processed, being processed or has been processed in a network.’ The Bill does not however contain a definition of ‘processing’.

  113. 113.

    Privacy Bill 2009.

  114. 114.

    Ibid, see Part V.

  115. 115.

    Ibid, see for example processing limitation (sections 2 and 5); purpose specification (section 3); accuracy of personal information (section 4); consent (section 6).

  116. 116.

    Ibid, part IV and VI.

  117. 117.

    Ibid, part IX.

  118. 118.


  119. 119.

    For example, the Privacy Act of Canada (1982) and the Privacy Act of the United States (1974).

  120. 120.

    A very clear example is the Section 2 which provides that ‘[n]o personal information shall be collected by a government institution unless it relates directly to an operating programme or activity of the institution.’ The section does not say what is the meaning of ‘an operating programme or activity’ neither is it contained in the interpretation section (sec. 69). The Bill also distinguishes between various stages of processing of personal data (i.e. collection, use and disclosure) which make its provisions very clumsy. Unfortunately, clarifications cannot be made as the Bill does not include an elaborate explanatory memorandum.

  121. 121.

    The Data Protection Bill (2010).

  122. 122.

    See Greenleaf (2013a, b, c).

  123. 123.

    Data Protection Bill, title.

  124. 124.

    Ibid, the explanatory memorandum seems more apt in this regard. It is stated that ‘this Bill seeks to make provision for the regulation of the processing of information relating to individuals’.

  125. 125.

    Makulilo (2012a, b: 26).

  126. 126.

    The principles are not expressly set out in the Bill, rather, sketchy provisions of some of them are contained in some sections of the law. See for example processing limitation (sections 2 and 5); purpose specification (section 3); accuracy of personal information (section 4); consent (section 6).

  127. 127.

    Data Protection Bill (2010), Sections 1(1)(a) and (b).

  128. 128.

    Ibid, section 1(1)(d).

  129. 129.

    Ibid, section 1 (3).

  130. 130.

    Ibid, section 1 (1)(e).

  131. 131.

    Ibid, section 2.

  132. 132.

    Ibid, section 3.

  133. 133.

    Ibid, section 4.

  134. 134.

    Ibid, section 5.

  135. 135.

    Ibid, section 7.

  136. 136.

    Makulilo (2012a, b: 26).

  137. 137.

    See for example sections 2(10); 4(2); 5 (5); 7 (1); 8(2)& (3); 9(3)(a).

  138. 138.

    A recent survey conducted in some states in Nigeria showed that over 60 percent of court users complained of excessive length of court proceedings. See NIALS (2000: 19–21). See also Akanbi (2012: 327).

  139. 139.

    See for example sections 8(3); (4); (5).

  140. 140.

    Section 36 (12) of the Nigerian Constitution provides that ‘Subject as otherwise provided by this Constitution, a person shall not be convicted of a criminal offence unless that offence is defined and the penalty therefor is prescribed in a written law, and in this subsection, a written law refers to an Act of the National Assembly or a Law of a State, any subsidiary legislation or instrument under the provisions of a law.’ See and the case of Aoko v. Fabgemi (1963) 7 EN. L.R.1.

  141. 141.

    Makulilo (2012a, b: 27).

  142. 142.

    Personal Information and Data Protection Bill.

  143. 143.

    The NIMC is an agency of the government with ‘the mandate to establish, own, operate, maintain and manage the National Identity Database in Nigeria’. It is also to register persons within the scope of the Act and assign Unique National Identification Number (NIN). The NIMC also is to issue National Identity Cards to Nigerians. See Accessed 23 February 2015.

  144. 144.

    C. Idoko, ‘Identity theft: FG proposes law on personal information, data protection’ Nigerian Tribune Newspaper 22 February 2013 Accessed 20 January 2015.

  145. 145.

    “Nigeria: Adoke Lauds NIMC Proposed Draft Bill on Information, Data Protection” Accessed 30 October 2016.

  146. 146.

    The Bill is not available in the National Assembly website online. See Accessed 23 February 2015.

  147. 147.

    [Emphasis added].Personal Information and Data Protection Bill, Section 1.

  148. 148.

    Ibid, section 2(1)(a).

  149. 149.

    Ibid, section 2(2)(a) and (b); See criticisms by Article 19 (2012: 8).

  150. 150.

    The FIPPS are contained in the schedule of the Canadian PIPEDA. Available at Accessed on 23 February 2014.

  151. 151.

    Article 19 (2012: 6).

  152. 152.

    Personal Information and Data Protection Bill, section 4.1(7).

  153. 153.

    For example, UN Guidelines for the Regulation of Computerized Personal Data Files, Article 8; EU Directive, Article 28; AU Convention on Cyber Security and Personal Data Protection, Article 11(1).

  154. 154.

    Personal Information and Data Protection Bill, section 8 (3)(b).

  155. 155.

    For example, section 72 of the POPI Act of South Africa restricts transborder flow of personal information subject to certain exceptions contained in subsection 1(a–e) of the section.

  156. 156.

    Akinrinade (2002: 125).

  157. 157.

    See generally Abdulrauf (2014).

  158. 158.

    This fact has been admitted by even the Nigerian Attorney General to the Federation and Minister of Justice. See C. Idoko, ‘Identity theft: FG proposes law on personal information, data protection’ Nigerian Tribune Newspaper 22 February 2013 Accessed 20 January 2015.

  159. 159.

    See generally Ani (n.d: 197–323).

  160. 160.

    Makulilo (2013: 50).

  161. 161.

    Generally, lawyers assist legislators in drafting of bills in Nigeria. This is because most legislators do not have a legal background. In fact, there is a legal drafting department in the legislative house comprising just lawyers. See “Legislative Law Practice is an Evolving Area of Legal Practice in Nigeria” Accessed 30 October 2016. The argument we are trying to make with regard to data protection is that most of these lawyers do not possess the requisite technical knowledge on the nitty-gritties of data protection.

  162. 162.

    Gwagwa notes this in relation to Africa generally. A. Gwaga et al ‘Protecting the right to privacy in Africa in the digital age’, Accessed 20 January 2015.

  163. 163.

    Flaherty (2007).

  164. 164.

    P Stein ‘South Africa’s EU-style data protection law’ (2012) 10 Without Prejudice 48 also available at (accessed 1 November 2015).

  165. 165.

    South African Law Reform Commission (SALRC) “Privacy and Data Protection” (2009) Accessed 30 October 2016.

  166. 166.

    An extensive search of the internet will justify this point. This is unlike South Africa where official documents on the deliberations prior to the law are widely available on the internet.

  167. 167.

    “Challenges Of Legislative Intellectualism Before The Eight National Assembly Of Nigeria” Accessed 30 October 2016.

  168. 168.

    See generally Adelola et al (2015: 113–124).

  169. 169.

    Jemilohun (2010: 116).

  170. 170.

    Bakibinga (2004).

  171. 171.

    Bernal (2014: xii). See also Adelola et al (2014: 236).

  172. 172.

    Jemilohun (2010: 116).

  173. 173.

    One of their paramount function includes education and awareness on data protection issues.

  174. 174.

    See Report on state of compliance with International Minimum Standards of Human Rights by Nigeria under the Universal Periodic Review Mechanism, available at 23 February 2015. For the general mandate of the National Human Rights Commission in Nigeria, See Section 5 of the National Human Rights Commission Act 1995 accessed on 23 February 2015.

  175. 175.

    NHRC ‘Mandate’ Accessed 23 February 2015.

  176. 176.

    See Hustinx (2013: 157–172).

  177. 177.

    Examples of such NGOs include Art 19, EPIC and Privacy International. See infra note 192, 191 and 192.

  178. 178.

    For example, Article 19(2012: 146); EPIC: Privacy and Human Rights Reports 2006, Federal Republic of Nigeria, available at Accessed 23 February 2015.

  179. 179.

    Bankole Orimisan “Experts warn Nigerians on abuse of data privacy” The Guardian 3 February 2016 Accessed 1 November 2016.

  180. 180.

    Makulilo (2013: 50).

  181. 181.

    See for example Jemilohun (2010: 116), See also Kusamotu (2007).

  182. 182.

    See Flaherty’s discussions with regard to the reform on the Canadian Privacy Act. Flaherty (n.d: 30).

  183. 183.

    The NLRC is set up to “undertake the progressive development and reform of substantive and procedural law applicable in Nigeria by way of codification, elimination of anomalous or obsolete laws and general simplification of the law in accordance with general directions issued by the Government, from time to time and for matters connected therewith.” See the Title of the NLRC Act, available at Accessed 23 February 2015. Section 5 contains the general functions of the NLRC. The project leading to the South African POPIA was carried out under the aegis of the South African Law Reform Commission (SALRC) and the project was entitled ‘privacy and data protection’. See Van der Merwe (2014: 305).

  184. 184.

    The discussions on the Protection of Personal Information Act not only took a very long period of time, the project committee comprised of renowned experts in data protection and Information technology law such as Professors Johann Neethling & Ian Currie. The Committee was actually under the Chairmanship of Justice CT Howie however, Prof Neethling was the Project Leader. See SALRC “Privacy and Data Protection Report” (2009) available at Accessed 23 February 2015.

  185. 185.

    See Bennett (1990: 551–570). In a related discussion, Bygrave talks about a cross-national perspective as being analytically fruitful for data protection as against comparative approach which itself may be important because all data protection regime are largely based on the same standards. See Bygrave (2002: 12); SALRC (2009: 173, 615).

  186. 186.

    For Example, the PIPEDA of Canada adopted a phased implementation strategy over some period of time.

  187. 187.

    Details of the convention and its status list is yet to be uploaded on the AU website. Accessed 20 January 2015.

  188. 188.

    Abdulrauf and Fombad (2016).

  189. 189.

    See ECOWAS Supplementary Act, Article 48.

  190. 190.

    With the recent reforms being carried out in the Council of Europe’s Convention in the name of ‘modenisation’ and ‘globalisation’, non-European countries could be ratify. Uruguay is in the process of ratifying. See generally Greenleaf (2013a, b, c: 20–23).

  191. 191.

    Based on the European Model.

  192. 192.

    Based on the model adopted by Canada.

  193. 193.

    Greenleaf (2012: 39).

  194. 194.

    That is with the exception of a few scholars (to the best of our knowledge) who have undertaken their doctoral researches on data protection like A.K.E Allotey and O. Laosebikan.

  195. 195.

    Makulilo (2012a, b: 178).

  196. 196.

    EPIC is an independent non-profit research centre that researches on issues of privacy, freedom of expression, democratic values, and promoting public voice in decisions concerning the future of the internet. It pursues a wide range of programmes including public education, litigation, and advocacy. EPIC is located in Washington, DC. ‘About EPIC’ Accessed on 23 February 2015.

  197. 197.

    Privacy International is a London-based charity that investigated government surveillance activities and expose companies facilitating it. It engages in litigations, advocacy and research on issues of privacy, human rights and technology. Privacy International Accessed 23 February 2015.

  198. 198.

    IAPP is an institution for training of professionals who want to advance their careers on data protection. Accessed 23 February 2015.

  199. 199.

    Interaction with the Dean, Faculty of Law, University of Ilorin, Nigeria on 20 December 2014. He also stressed the fact that unfortunately, there seems to be no plan for any university to introduce IT law at the undergraduate level because of two main reasons. First, dearth of experts on IT law and second, IT law is not included in the accreditation requirement for law degree programmes by the National Universities Commission and Council of Legal Education in Nigeria.

  200. 200.

    Presently, only University of Ilorin teaches IT law. The title of the course is Information and Technology Law, BUL659 & BUL 660 for 1st and 2nd semesters. They are however elective law courses.

  201. 201.

    There is a movement in African academic circles on the need for Africanisation of legal education programmes in African institutions. See for example Fombad (2014: 383–398).


  1. Abdulrauf, L.A. 2014. Do we need to bother about protecting our personal data?: Reflections on neglecting data protection in Nigeria. Yonsei Law Journal 5(2): 67–95.

    Google Scholar 

  2. Abdulrauf, L.A., and C.M. Fombad. 2016. The African Union’s data protection convention: A possible cause for celebration of human rights in Africa. Journal of Media Law 8(1): 67–97.

    Article  Google Scholar 

  3. Adelola, T; R. Dawson and F. Batmaz. 2014. Privacy and data protection in E-commerce: The effectiveness of a Government Regulatory Approach in Developing Nations, using Nigeria as a case. In: Paper presented at the 9th international conference for internet technology and secured transactions (ICITST-2014): 234–239.

  4. Adelola, T, R. Dawson and F. Batmaz. 2015. Nigerians’ perceptions of personal data protection and privacy. In Outlook on Quality: Proceedings of Software Quality Management XXIII (SQM 2015), eds. In Lock, R. et al (eds.), UK: Loughborough 113–124.

  5. Ahn, M.J., and J. McNutt. 2015. If we build it will they come? An appreciation of the microfoundations of e-government. In Handbook of research on democratic strategies and citizen-centered e-government service, ed. C. Dolićanin, E. Kajan, D. Randjelović, and B. Stojanović, 38–55. USA: Information Science Reference.

    Chapter  Google Scholar 

  6. Akanbi, M.M. 2012. Challenges of arbitration practices under the Nigerian Arbitration and Conciliation Act of 1988: Some practical considerations. Arbitration 78(4): 325–331.

    Google Scholar 

  7. Akinrinade, B. 2002. Human rights NGOs in Nigeria: Emergence, governmental reaction and the future. African Human Rights Law Journal 2: 110–134.

    Google Scholar 

  8. Allotey, A.K.E. 2014. Data protection and transborder data flows: Implication for Nigeria’s integration into the global network economy. Unpublished LLD thesis, University of South-Africa.

  9. Article 19, n.d. Nigeria Personal Information and Data Protection Bill’ (2013) available online in

  10. Banisar, D. 2011. The right to information and privacy: Balancing Rights and Managing Conflicts. Washington: The International bank for Reconstruction and Development/The World Bank.

  11. Bakibinga, E.M. 2004. Managing electronic privacy in the telecommunications sub-sector: The Ugandan perspective.

  12. Bennett, C.J. 1990. The formation of a Canadian privacy policy: The art and craft of lesson-drawing. Canadian Public Administration 33(4): 551–570.

    Article  Google Scholar 

  13. Bernal, P.A. 2011. Do deficiencies in data privacy threaten our autonomy and if so, can informational privacy rights meet this threat? Unpublished Ph.D. thesis, London School of Economics and Political Science.

  14. Bernal, P. 2014. Internet privacy rights: Right to protect autonomy. Cambridge: Cambridge University Press.

    Book  Google Scholar 

  15. Berzins. C. 2001–2002. Protecting personal information in Canada’s private sector: The price of consensus building. Queen’s Law Journal 27: 609–645.

  16. Birnhack, M.D. 2008. The EU data protection directive: An engine of a global regime. Computer Law and Security Report 24: 508–520.

    Article  Google Scholar 

  17. Búrca, G. 2011. The road not taken: The European Union as a global human rights actor. The American Journal of International Law 105(4): 649–693.

    Article  Google Scholar 

  18. Bygrave, L.A. 2014. Data privacy law: An international perspective. Oxford: Oxford University Press.

    Book  Google Scholar 

  19. Bygrave, L.A. 2002. Data protection law: Approaching its rationale, logic and limits. Netherland: Kluwer Law International.

    Google Scholar 

  20. Bygrave, L.A. 2001. The place of privacy in data protection law. UNSW Law Journal 24: 277–283.

    Google Scholar 

  21. Caruana, M.M., and J.A. Cannataci. 2007. European Union privacy and data protection principles: Compatibility with Culture and Legal frameworks in Islamic states. Information & Communications Technology Law 16: 99–124.

    Article  Google Scholar 

  22. Cate, F.H. 2006. The Failure of Fair Information Practice Principles. In Consumer Protection in the Age of the ‘Information Economy’, ed. J.K. Winn, 341-378. UK: Ashgate. Also available online

  23. Craig, T., and M.E. Ludloff. 2011. Privacy and big data. Sebastopol: O’Reilly Media Inc.

    Google Scholar 

  24. Dada, J.A. 2012. Human rights under the Nigerian Constitution: Issues and problems. International Journal of Humanities and Social Science 2(12): 33–43.

    Google Scholar 

  25. De Hert, P., and S. Gutwirth. 2009. Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action. In Reinventing data protection?, ed. S. Gutwirth, Y. Poullet, P. Hert, C. De Terwange, and S. Nouwt, 3–44. Heidelberg: Springer.

    Chapter  Google Scholar 

  26. De Hert, P and Gutwirth, S. 2006. Privacy, data protection and law enforcement. Opacity of the Individual and Transparency of Power. in Privacy and the Criminal Law, ed. E. Claes, A. Duff and S. Gutwirth, 61–104. Oxford: Intersentia.

  27. Fombad, C.M. 2014. Africanisation of legal education programmes: The need for comparative African legal studies. Journal of Asian and African Studies 49(4): 383–398.

    Article  Google Scholar 

  28. Greenleaf, G. 2013. ‘Modernising’ data protection convention 108: A safe basis for global privacy treaty?. Computer Law and Security Review 29(4): 430–436.

    Article  Google Scholar 

  29. Greenleaf, G. 2013b. Uruguay starts Convention 108’s global journey with accession. Privacy Laws & Business International Report 122: 20–23.

    Google Scholar 

  30. Hustinx, P.J. 2013. (Future) interaction between data protection authorities and national human rights institutions in the European Union. In National human rights institutions in Europe: Comparative, European and international perspectives, ed. J. Wouters, and K. Meuwissen, 157–172. Oxford: Intersentia.

    Google Scholar 

  31. De Terwange, C. 2009. Is a global data protection regulatory model possible. In Reinventing data protection?, ed. S. Gutwirth, Y. Poullet, P. Hert, C. De Terwange, and S. Nouwt, 175–190. Heidelberg: Springer.

    Chapter  Google Scholar 

  32. Flaherty, D.H. n.d. Reflections on Reform of the Federal Privacy Act’ available at

  33. Greenleaf, G. 2013. Global tables of data privacy laws and bills.

  34. Gutwirth, S. 2002. Privacy and the information age, Translated by R. Casert, UK: Rowman & Littlefield Publishers.

  35. Gwagwa, A and A. Wilton. n.d. Protecting the right to privacy in Africa in the digital age.

  36. Jemilohun, B.O. 2010. Legislating for data protection in Nigeria: lessons from UK, Canada and India. 1 Akungba Law Journal 1:98–116.

  37. Kuner, C. 2009. An international legal framework for data protection: Issues and prospects. Computer Law & Security Review 25: 307–317.

    Article  Google Scholar 

  38. Kuner, C. 2007. European data protection law: Corporate compliance and regulation. Oxford: Oxford University Press.

    Google Scholar 

  39. Kuner, C. 2013. Transborder data flows and data privacy law. Oxford: Oxford University Press.

    Book  Google Scholar 

  40. Kusamotu, A. 2007. Privacy law and technology in Nigeria: The legal framework will not meet the test of adequacy as mandated By Article 25 of European Union Directive 95/46. Information and Communications Technology Law 16(2): 149–159.

    Article  Google Scholar 

  41. Laosebikan, F.O. 2007. Privacy and technological development: A comparative analysis of South African and Nigerian Privacy and Data Protection Laws with particular reference to the protection of privacy and data in internet cafes and suggestions for appropriate Legislation in Nigeria. Unpublished Ph.D. Thesis University of Kwazulu-Natal, South Africa.

  42. Lagos, Y. 2014. Taking the personal out of data: Making sense of de- identification. Indiana Law Review 48: 187.

    Google Scholar 

  43. Levin, A., and M.J. Nicholson. 2005. Privacy law in the United States, the EU and Canada: The allure of the middle ground. University of Ottawa Law and Technology Journal 2(2): 357–395.

    Google Scholar 

  44. Lloyd, I.J. 2011. Information technology law, 5th ed. Oxford: Oxford University Press.

    Google Scholar 

  45. Lynskey, O. 2014. Deconstructing data protection: The ‘Added-value’ of a Right to Data Protection in the EU Legal Order. International and Comparative Law Quarterly 63(3): 569–597.

    Article  Google Scholar 

  46. Lynskey, O. 2013. From market-making tool to fundamental right: The role of the court of justice in data protection’s identity crisis. In European data protection: Coming of age, ed. S. Gutwirth, R. Leenes, P. De Hert, and Y. Poullet, 59–84. Heidelberg: Springer.

    Chapter  Google Scholar 

  47. Makulilo, A.B. 2013. Data protection regimes in Africa: Too far from the European ‘adequacy’ standard? International Data Privacy Law 3(1): 42–50.

    Article  Google Scholar 

  48. Makulilo, A.B. 2012a. Nigeria’s data protection bill: Too many surprises. Privacy Law and Business International Report 120: 25–27.

    Google Scholar 

  49. Makulilo, A.B. 2014. ‘Peel off the mask’: Enforcement of the data protection act in Mauritius. Datenschutz und Datensicherheit 12: 845–849.

    Article  Google Scholar 

  50. Makulilo, A.B. 2012b. Privacy and data protection in Africa: A state of the art. International Data Privacy Law 2: 163–178.

    Article  Google Scholar 

  51. Neethling, J. 2012. Protection of Personal Information Bill, 2009 and the Law of Delict. Tydskrif vir hedendaagse Romeins-Hollandse Reg (THRHR) 75: 241–255.

    Google Scholar 

  52. Nwauche, E.S. 2007. The right to privacy in Nigeria. CLAS Review of Nigerian Law and Practice 1(1): 66–90.

    Google Scholar 

  53. Oyewunmi, A.O. 2012. The ICT revolution and commercial sectors in Nigeria: Impacts and legal interventions. British Journal of Arts and Social Science 5(2): 234–247.

    Google Scholar 

  54. Roos, A. 2008. Data Protection. in Information and Communication Technology Law, D. Van der Merwe, A. Roos, T, Pistorius and S, Eiselen, 313-397. Durban: LexisNexis.

  55. Schartum, D.W. 2008. Designing and formulating data protection laws. International Journal of Law and Information Technology 18(1): 1–27.

    Article  Google Scholar 

  56. Smith, R.K.M. 2007. Texts & materials on international human rights. London: Routledge-Cavendish.

    Google Scholar 

  57. Solove, D.J. 2007. “I’ve got nothing to hide” and other misunderstandings of privacy. San Diego Law Review 44: 745–772.

    Google Scholar 

  58. Stefanick, L. 2011. Controlling knowledge: Freedom of information and privacy protection in a networked world. Edmonton: AU Press.

    Google Scholar 

  59. Van der Merwe, D. 2014. A comparative overview of the (sometimes uneasy) relationship between digital information and certain legal fields in South Africa and Uganda. Potchefstroom Electronic Law Journal 17(1): 296–328.

    Google Scholar 

  60. Van der Sloot, B. 2014. Do data protection rules protect the individual and should they? An assessment of the proposed General Data Protection Regulation. International Data Privacy Law 4(4): 307–325.

    Article  Google Scholar 

  61. Van der Sloot, B. 2015. Do privacy and data protection rules apply to legal persons and should they? A proposal for a two-tiered system. Computer Law & Security Review 31(1): 26.

    Article  Google Scholar 

Download references


We thank the two anonymous reviewers for their critical and insightful comments. All errors and omissions are ours.

Author information



Corresponding author

Correspondence to Lukman Adebisi Abdulrauf.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Abdulrauf, L.A., Fombad, C.M. Personal Data Protection in Nigeria: Reflections on Opportunities, Options and Challenges to Legal Reforms. Liverpool Law Rev 38, 105–134 (2017).

Download citation


  • Personal data
  • Data protection
  • Data protection law
  • The right to data protection
  • Legal reforms
  • Nigeria