Balancing Corporate Transparency And Data Protection In Nigeria: Navigating The Tightrope (A Legal Commentary)

INTRODUCTION

The evolution of corporate governance in Nigeria has led to the introduction of several progressive legal frameworks, particularly in the areas of corporate transparency and data protection. The Companies and Allied Matters Act 2020 (CAMA 2020), establishes, as a statutory/primary basis, rules aimed at promoting corporate accountability and transparency. On the other hand, the Nigerian Data Protection Act 2023 (NDPA 2023) provides a comprehensive legal framework for the protection of the personal data rights of individuals (data subjects).

CAMA 2020 represents a significant shift in Nigeria’s corporate governance regime, introducing mechanisms designed to combat opaque ownership structures, corporate fraud, money laundering, and the misuse of corporate vehicles. One of its most notable innovations is the mandatory disclosure of Persons with Significant Control (PSC), alongside expanded requirements for the registration and public availability of company information.

Conversely, the NDPA 2023 seeks to protect the fundamental right to privacy guaranteed under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) by regulating the collection, processing, storage, and disclosure of personal data. The Act reflects Nigeria’s alignment with global data protection standards, particularly the European Union (EU) General Data Protection Regulation (GDPR). The apparent tension between these two statutes raises a critical question: can Nigeria pursue aggressive corporate transparency without undermining data privacy rights, or are these objectives inherently incompatible?

This Article argues that while there are overlaps and potential conflicts between both regimes, a careful review reveals that corporate transparency and data privacy are not mutually exclusive but must be reconciled through lawful processing, proportional disclosure, and institutional safeguards. 

1.0. STANDARDS FOR DISCLOSURE UNDER THE COMPANIES AND ALLIED MATTERS ACT 2020 AND THE NIGERIAN DATA PROTECTION ACT 2023

In the first instance, CAMA 2020 contains various provisions which mandates disclosure of varying scopes of information to the Nigerian Corporate Affairs Commission (CAC) with a view to ensuring a strengthened accountability mechanism of Directors and Shareholders and greater public access to information about Companies. Notably, Sections 119 & 120 CAMA makes provisions that mandates persons with Significant Control (PSC) or substantial shareholder in a public company to disclose the particulars of their control or shareholding to the Company within seven (7) days of becoming such a person, while the Company, is to notify CAC within one (1) month (14 days in the case of a public company) of such disclosure.

Similarly, Section 278, CAMA makes provisions to the effect that any person who is appointed or proposed to be appointed a s a director of a public company and who is 70 or more years old, is obligated to disclose this fact to the members at the general meeting, failing which such a person shall be liable to a penalty at an amount specified by the CAC in its regulations. Apart from the foregoing, CAMA contains provisions which mandates companies and their various officers to disclose/provide details on their names and addresses – items which qualify as personal data. Ultimately, the statutory disclosures as enshrined in CAMA is targeted at strengthening investor confidence and enhancing regulatory oversight by making business ownership more visible and management structures more transparent, thereby reducing the risk of unethical practices and illicit cash flows.

To illustrate the need for these transparency provisions, prior to the introduction of PSC disclosure obligations, individuals could hide behind nominee shareholders or layers of companies to carry on various fraudulent and illegal activities, including money laundering, while appearing legitimate. However, mandating disclosure of PSCs ensured that there was clarity on the ultimate beneficiaries of the activities of companies, thereby discouraging the activities of nefarious puppet masters behind the scenes.

On the other hand, the Nigerian Data Protection Act (NDPA) 2023 provides standards on how personal data of data subjects (individuals) is handled – collected, stored, processed, and shared. It makes provision for data controllers, data limitation (restrictions for data processing), data minimization (ensuring only necessary details are obtained from data subjects), storage duration, and penalties for breaches. Nigerian courts have affirmed the sanctity of privacy, as seen in Emerging Markets Telecommunication Services Ltd v Barr Godfrey Nya Eneye.¹, where the Court of Appeal held that the unauthorised disclosure of personal information constitutes a breach of the right to privacy.

Against the backdrop of this coexistence between mandatory disclosures and data protection standards, a critical issue emerges regarding how these safeguards interact with the extensive disclosure obligations imposed under corporate law. Where company regulation demands transparency, and data protection law demands restraint, the possibility of legal tension becomes apparent.  

3.0 4.0 4.1 INTERSECTION AND POTENTIAL CONFLICT BETWEEN THE COMPANIES AND ALLIED MATTERS ACT 2020 AND THE NIGERIAN DATA PROTECTION ACT 2023

Given the overlap created by the potential tension between the data protection standards and the mandatory disclosures, the pivotal issue then lies in balancing the objectives of both regimes. How can the interests of both NDPA and CAMA be fully realized without creating uncertainty and inconsistency in the process?

Section 24 NDPA provides for legal data processing, which means that data must be processed lawfully and for legitimate purposes. The law further states that data processing is lawful where it is needed to comply with a legal obligation, subject to the data controllers/processors. These provisions imply that, where CAMA has demanded that all companies disclose information about directors or persons with significant control for instance, such disclosure will be lawful under the NDPA. However, the NDPA’s principle of data minimization still applies which is that companies should only disclose the information that is strictly necessary to meet CAMA’s requirements and avoid sharing unnecessary personal details. This position mirrors international jurisprudence. In Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Ors², the Court of Justice of the European Union acknowledged that interference with privacy may be justified where it is lawful, necessary, and proportionate. Similarly, in Google Inc v Vidal-Hall³, the English Court of Appeal recognised the real harm arising from the misuse of personal data.

Also, as CAMA demands disclosure, it must be noted that such disclosure of information must not expose individuals (Shareholders, Creditors, investors, and Directors) to financial crime, identity theft, fraud, among others. Thus, the Corporate Affairs Commission (CAC), which serves as a data controller, and companies (data processors) are to apply robust controls as to who can access such data, what information can be displayed in public, and how breaches can be prevented to ensure adequate compliance with the law.

4.0 INSTITUTIONAL RESPONSIBILITY AND SAFEGUARDS 

4.1 The Role of the Corporate Affairs Commission (CAC) 

The Corporate Affairs Commission (CAC) functions as a data controller under the NDPA. As such, it bears responsibility for ensuring that personal data submitted under CAMA are:

• securely stored,
• accessed only by authorised persons,
• protected against breaches, identity theft, and misuse.

The essence is to ensure that there is no Unrestricted public access to sensitive personal data, such as residential addresses, identification numbers, or full dates of birth, which could expose directors and shareholders to fraud and cybercrime. Failure to implement adequate safeguards could expose the CAC to regulatory sanctions under the NDPA.

5.0 STRIKING A BALANCE: TRANSPARENCY AND PRIVACY

A workable balance between corporate transparency and data privacy in Nigeria can be achieved through:

• Proportionate Disclosure: Only information strictly required by law should be collected and displayed publicly.
• Access Control Mechanisms: Sensitive data should be accessible only to regulators and law enforcement agencies, not the public.
• Data Protection Impact Assessments (DPIAs): Regular assessments should be conducted by qualified Data Protection Officers (DPOs) to identify and mitigate risks.
• Regulatory Collaboration: Continuous cooperation between the CAC and the Nigeria Data Protection Commission (NDPC) is essential.

CONCLUSION

A balance between transparency and data privacy is attainable when companies align with relevant regulations through structured regulatory collaboration. This can be achieved by implementing an enforcement framework and disclosure system, conducting regular data protection assessments by qualified data protection officers, and providing ongoing training for all corporate staff. Such measures make it possible for organizations to achieve both corporate transparency and robust data privacy.

Footnotes

1 (2018) LPELR-46193 (CA)

2 [2017] IEHC 307

3 [2015] EWCA Civ 311

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.