1. INTRODUCTION
In a digital economy that is becoming increasingly driven by data, automated decision-making and profiling have become essential components of numerous service provisioning, including credit scoring, employment recruitment, targeted advertising, and healthcare management. While these technologies offer efficiency, they also give rise to considerable concerns regarding privacy, discrimination, and accountability. At the heart of contemporary data protection legislation is the acknowledgment of the rights of data subjects to be safeguarded against possible harms that may result from entirely automated decisions.
In the context of data protection and privacy regulations, a data subject refers to an individual whose personal information is collected, processed, or stored by an organization or entity.1 This encompasses customers, employees, website users, or persons whose personal data are managed by an organization. Data Subject Rights (DSR) refer to the legal entitlements established by data protection legislation that individuals hold regarding the utilization of their data. These rights ensure that individuals maintain authority and control over the handling of their data. In Nigeria, the acknowledgment of the rights of data subjects2 in these contexts is established in the Nigeria Data Protection Act (NDPA) 2023,3 which is closely aligned with international standards, including the European Union's General Data Protection Regulation (GDPR).4
These rights are outlined in Part VI of the Nigeria Data Protection Act, and include: the right to be informed, right to access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object to processing, right to lodge a complaint with a supervisory authority. They also include the right to withdraw consent, right to erasure or deletion, and right not to be subject to a decision based solely on automated processing of personal data,5 including profiling, which produces legal or similar significant effects concerning the data subject.
2. AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making pertains to decisions executed entirely through automated processes, without any human intervention, that yield legal or similarly significant consequences for individuals.6 Instances of this include automated approvals for loans or the application of algorithms to assess job candidates. Profiling, as articulated in Article 4(4) of the GDPR, is defined as; "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements". In practice, profiling frequently serves as the foundation for automated decisions, heightening the risks of discrimination, exclusion, and lack of transparency, particularly when utilized in sensitive areas.
The NDPA grants individuals the authority to contest or object to decisions that are made exclusively through the automated processing of their personal data, including profiling, without any human involvement, particularly if these decisions have legal implications for them. For example, if a financial institution employs automated algorithms to assess creditworthiness and subsequently denies a loan application based solely on this automated judgment, the data subject is entitled to raise an objection.
The NDPA acknowledges and safeguards the right of individuals not to be subjected to decisions made exclusively through automated processes, including profiling, however, this right is not unconditional. Like many legal rights, its application depends on certain exceptions that balance personal privacy with the legitimate needs of businesses, government, and contract enforcement.
One of the primary exceptions to the ban on automated decision-making occurs when such processing is essential for entering into or fulfilling a contract between the data subject and the data controller.7 In this regard, the law recognizes the practical necessity of automation in situations where human participation may be impractical, inefficient, or even unfeasible. For instance, numerous financial technology platforms in Nigeria utilize automated systems to evaluate a customer's creditworthiness and to instantly approve micro-loans. These systems depend on algorithmic decisions derived from data supplied by the user, such as transaction history or digital behavior, to provide immediate financial services. Without automation, the efficiency and rapidity that characterize such digital contracts would be compromised, thereby undermining the purpose of the service. Consequently, the law permits such processing as long as it is essential for the execution of the agreement and is neither excessive nor arbitrary in nature.
The second exception occurs when automated decision-making is authorised by a written law, which establishes suitable measures to safeguard the fundamental rights and freedoms, and the interests of the data subject in Nigeria.8 This indicates that legislative or regulatory frameworks may allow the implementation of automated processes in certain sectors, as long as these laws incorporate suitable safeguards for the rights and freedoms of data subjects. For example, national security, taxation, social welfare, or electoral systems might require automated profiling to efficiently and impartially manage extensive datasets. Nevertheless, this exception imposes a duty on lawmakers to guarantee that any enabling statute that authorizes such processing also encompasses sufficient protective measures, such as oversight, audit mechanisms, and channels for redress. Hence, the authorisation must be grounded in law, rather than merely on policy or administrative convenience, to avert potential abuse.
Furthermore, another exception arises when the data subject has provided explicit consent for the automated decision-making process.9 Consent, as defined by the NDPA, must be freely given, specific, informed, and unambiguous.10 This criterion guarantees that individuals are completely aware of the nature and implications of the automated processing to which they are consenting.
One of the primary advantages of this right is that it strengthens the concept of individual autonomy by ensuring that Nigerians are not merely treated as data points within algorithmic frameworks. Automated decision-making, although efficient, frequently lacks the subtlety and compassion that defines human judgment.11 By providing individuals with the option to opt out of decisions made exclusively by machines, or to challenge them when necessary, the law upholds the essential principles of human dignity and fairness in the digital realm. This is especially crucial in areas such as employment or credit evaluation, where dependence on profiling can lead to the perpetuation of social biases or discrimination.
Another significant benefit is that the right promotes transparency and accountability in data processing practices. Section 37 (3) of the NDPA stipulates that when automated decision-making is allowed by law, individuals are entitled to request human involvement, voice their opinions, and contest the decisions.12 This encourages a culture of openness in which data controllers are required to make clear their decision-making processes offer clear justifications for outcomes, and address complaints. This necessity for algorithmic transparency is vital in averting data-driven discrimination and misuse, particularly in industries such as fintech, insurance, and e-governance, where predictive profiling is prevalent. In these fields, systems may unintentionally reproduce patterns of systemic exclusion if not properly monitored. For instance, if a loan application is rejected based on a predictive model that has been trained on biased data, the data subject possesses a legal right to contest that decision and seek clarification on the rationale employed.
Automated systems are not without flaws. They may embody the biases of their creators, adopt prejudices from the training data, or simply misinterpret intricate human situations. In a diverse nation such as Nigeria, where linguistic, cultural, and socio-economic disparities are pronounced, unreliable dependence on profiling can result in the deepening of systemic injustice. By acknowledging the right to avoid being subjected to such decisions without proper oversight, the NDPA acts as a legal instrument to avoid misuse, reduce marginalization, and promote equity. This is particularly relevant in areas like law enforcement, where profiling based on geographical location or social media activity could result in discriminatory surveillance and harassment.
Also, where data subjects recognize their rights and possess valid grievances, obtaining access to redress mechanisms continues to pose a challenge. In the absence of a strong enforcement framework, exercising this right becomes problematic.
Furthermore, in contrast to more established jurisdictions like the European Union, Nigeria does not possess a comprehensive body of jurisprudence that interprets the provisions of the NDPA. This lack of precedent or judicial clarity diminishes the legal significance of the right in practical terms, leaving both data subjects and data controllers uncertain about how disputes will be resolved.
3. CONCLUSION
Automated decision-making and profiling are transforming how services are delivered, but they also raise concerns about privacy, fairness, and personal freedom. Laws like the NDPA 2023 and GAID 2025 recognize these challenges and provide protections for individuals. Still, these laws must be properly enforced to make a real difference. As technology continues to grow, data protection rules must keep up to ensure that human dignity and individual rights remain at the heart of digital progress.
Footnotes
* Franklin Okoro, Associate, Intellectual Property and Technology Department, S.P.A. Ajibade & Co., Lagos, Nigeria.
1. See, Privacy Engine Data Protection Software and Solutions, 'What is a Data Subject?', available at (https://www.privacyengine.io/resources/glossary/data-subject/), accessed 24th June, 2025.
2. Part VI, Sections 34 -38, Nigeria Data Protection Act 2023.
3. See, Nigeria Data Protection Act 2023, Federal Republic of Nigeria Official Gazette, No. 119, Lagos, 1st July, 2023, Vol. 110.
4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1-88.
5. Section 37, Nigeria Data Protection Act 2023.
6. Valeria Caforio and Federica Paolucci (2024), 'The Rise of Automated Decision-Making and its Legal Framework', available at (https://www.medialaws.eu/the-rise-of-automated-decision-making-and-its-legal-framework/) accessed 25th June, 2025. See also, Sections 65, Nigeria Data Protection Act 2023.
7. Section 37 (2)(a), Nigeria Data Protection Act 2023.
8. Section 37 (2)(b).
9. Section 37 (2)(c), Nigeria Data Protection Act 2023.
10. Section 65.
11. Wachter, S., Mittelstadt, B., & Russell, C. (2021), 'Why Fairness Cannot be Automated: Bridging the Gap between EU Non-Discrimination Law and AI', Computer Law & Security Review, available at (https://doi.org/10.1016/j.clsr.2021.105567) accessed 27th June, 2025.
12. Section 37 (3), Nigeria Data Protection Act 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
