-1323.png){kind=logo}
Contributors: Dorcas Tsebee, Victoria Adaramola, Deji Sarumi,and Ridwan Oloyede
Looking back at 2024
The year marked the first anniversary of the Nigeria Data Protection Act (NDPA). The Nigeria Data Protection Commission(NDPC) has focused on the implementation of the Act with increased awareness initiatives, collaborations, partnerships, enforcement actions, and other regulatory efforts. To support the implementation of the NDPA, the NDPC published its strategic roadmap and action plan, the "guidance notice" on Registration of Data Controllers and Data Processors of Major Importance (DCPMIs) and followed up with the launch of the registration portal. In addition, the NDPC published the draft Nigeria Data Protection Act General Application and Implementation Directive (NDP-ActGAID) and held public consultations in Lagos and Abuja. Also, the Economic Community of West African States (ECOWAS) commenced the amendment of its 2010Supplementary Data Protection Act, where the NDPC commissioner chaired the validation workshop for the revised draft.
There were some noteworthy activities in Artificial Intelligence (AI) governance in the year. Another AI-specific bill was presented before the Nigerian legislature, adding to two previous attempts in 2023, which was also strengthened by the call from the speaker of the house of representatives for a need for an AI-specific law. The Federal Ministry of Communications, Innovation, and Digital Economy (FMCIDE) published the draft National AI Strategy. Additionally, the draft NDP-ActGAID published by the NDPC includes a provision on emerging technologies like AI, requiring compliance with the obligations under the NDPA. Also, FMCIDE and the United States Department of Commerce issued a joint statement on harnessing AI, facilitating knowledge exchange, and collaboration on AI governance. These steps reflect some of the country's ongoing efforts and commitment to the ethical deployment and responsible use of AI.
The joint statement with the US Department of Commerce also include the commitment to collaborate on the promotion of data protection best practices, interoperable mechanism to facilitate cross-border data flow, and explore participation in the Global Cross Border Privacy Rules (CBPR) Forum. Nigeria had participated in the CBPR discussion in the past year and attended the Forum's event in Taiwan in the year, which may indicate a potential alignment with the CBPR.
Furthermore, this year saw a significant increase in enforcement actions and litigations, reflecting the growing emphasis on data protection compliance. The NDPC announced investigations of some entities across various sectors, and sanctioned four banks and three other institutions resulting in fines of about N400 million in total. Notably, the NDPC issued a record fine on a bank for non-compliance with the law.
The Nigerian courts also played a significant role in data protection enforcement during the year. Notable judgments include the invalidation of certain provisions of the NDPC Registration Guidance Notice for lack of clarity, and fines against a telecommunication company and a financial service provider for unsolicited communication.
There was progress with related frameworks this year. Notably, the amendment to the Cybercrimes Act was enacted in February 2024. Child online protection also received attention this year, with the release of the draft Standard Operating Procedure for Child Online Protection in Nigeria (SOP4COP) by the Nigerian Communications Commission (NCC) to enforce child online protection measures in Nigeria. The Standard mandates that mobile operators implement age verification mechanisms and detect, block, and report unsafe activities for children.
Finally, a bill to amend the NDPA was introduced to the House of Representatives. The proposed amendment will require social media platforms to establish physical offices in Nigeria, among other obligations.
In 2025, we anticipate the following trends:
Finalisation of the implementation directive and publication of more guidance
The NDPC is expected to finalise the much-anticipated NDP-Act GAID, following public consultations on the draft. This directive will provide much-needed guidance on interpreting and applying the NDPA's provisions. The NDPC will likely issue further guidelines, guidance notes, and regulations to clarify other provisions and obligations under the NDPA to enhance compliance. This includes the revision of the registration guidance notice to comply with the court's judgment.
Clarity on cross-border dataflow
With the invalidation of the adequacy list and no detailed provision in the draft NDP-Act GAID, it is expected that the NDPC will either include this provisions in the final version of the document or publish a specific guidance to bring clarity to the rules. This may include the publication of the approval procedure for Binding Corporate Rules, and the publication of module(s) of the Standard Contractual Clause like Rwanda.
We anticipate clearer alignment towards the Global CBPR framework. The NDPC's participation in the 2024 CBPR Forum in Taipei and the joint statement of FMCIDE and the United States Department of Commerce provides the background for potential alignment. These developments, coupled with the inclusion of reference to the CBPR in the Code of Conduct for Data Protection Compliance Organisations (DPCOs), suggest that Nigeria is positioning itself for active participation in the CBPR system. This shift could offer potential benefits for Nigeria. It could facilitate smoother cross-border data flows, especially given the absence an adequacy list. The framework provides an alternative mechanism for international data transfers while Nigeria continues to develop clear procedures for other transfer mechanisms. Additionally, aligning with the CBPR framework enhances compliance with international standards, strengthening trust in Nigeria's data protection regime.
Increased enforcement activity
The NDPC has indicated that 2025 will see a significant increase in enforcement activities, including stricter sanctions and penalties for non-compliance with the NDPA. The NDPC may also adopt a sector-specific approach to enforcement, focusing its attention on particular sectors. The financial services industry appeared under focus in the past year. This could signal a shift towards a more proactive and targeted enforcement strategy. In addition to regulatory action, court decisions are expected to provide greater clarity on key provisions of the NDPA, shaping its practical application and establishing precedents for future cases. This increased litigations may also include more cases brought before the courts for alleged violations of data protection rights and a rise in legal actions against the NDPC, challenging its decisions or exercise of powers.
We anticipate a rise in sector-specific data protection regulatory interventions in the coming year. These interventions, originating from various regulatory bodies, will address both direct and indirect data protection concerns across various sectors. Sector-specific interventions will tailor data protection requirements to the unique needs and challenges of different industries. For instance, the NCC is expected to progress on its draft data protection regulations for the communications sector, which has stalled since 2023. This may also extend to child online safety, with potential interventions addressing data protection concerns related to children's online activities. Progress is also anticipated with the NCC's draft Standard Operating Procedures for Child Online Protection(SOP4COP). The NDPC's partnerships with regulators across several sectors in recent years further suggest a shift towards sector-specific regulation to aid data protection compliance.
While progress is expected on several pending bills, including the National Digital Economy and E-Governance Bill, the Control of Usage of Artificial Intelligence Technology Bill, and the National AI and Robotics Sciences Bill; it is uncertain whether these AI-specific bills will ultimately be enacted. Progress is also expected with the newly introduced AI bill and the proposed amendment to the Nigeria Data Protection Act, both of which have passed the first reading stage in the House of Representatives. Additionally, other legislation, such as the Digital Rights and Freedom Bill, may be reintroduced in the coming year.
AI governance will remain a key focus area. The final version of the National AI Strategy is expected to be published, setting the stage for its implementation. We expect to see more AI-specific regulatory interventions, potentially in the form of guidelines, advisories, or sector-specific regulations. Particularly, it is expected that the NDPC will retain the provisions on responsible use of emerging technologies in the NDP-Act GAID when the final draft is published. As part of the implementation of the National AI Strategy, an AI-specific regulatory body may be created or the function added to the existing role of the National Centre for Artificial Intelligence Research.
Overall, 2025 promises to be a year of significant developments in Nigeria's data protection ecosystem. With the NDPA firmly in place, we anticipate a shift towards greater accountability, enforcement, and sector-specific interventions.
A slight variation of this article will be published by the IAPP early 2025 as part of its global legislative predictions.
You can also read our past legislative predictions for 2022, 2023, and 2024.
.png)
