On 23 August 2025, the Nigeria Data Protection Commission (the "NDPC" or the "Commission") in line with its functions and powers under Sections 5 (i), 6 (a) & (c), 46 (3) and 47 (1) & (2) of the Nigeria Data Protection Act 2023 (the "NDP Act" or the "Act"), issued Compliance Notices (the "Notices") to certain organisations suspected to have violated national data protection standards mandated by the Act. The organisations cut across critical industries including banking, insurance, pensions, gaming and insurance brokerage. By the Notices, the organisations are required to, within Twenty-one (21) days of issuance (date of issuance being 23 August 2025), provide the Commission with the following:
- Evidence of filing of NDP Act Compliance Audit Returns for 2024 as provided under section 6 (d) of the Act;
- Evidence of designation or appointment of a Data Protection Officer, including name and contact details as provided under section 32 of the Act;
- Summary of technical and organisational measures for data protection within the organisation as provided under section 39 of the Act; and
- Evidence of registration as a Data Controller or Processor of Major Importance as provided under section 44 of the Act.
According to the Commission, the Notices are in furtherance of the Commission's mandate under the NDP Act with a view to ensuring a culture of accountability and trust in Nigeria's data protection and privacy ecosystem, while safeguarding the rights of data subjects and strengthening the national digital economy.
Consequences of Failure to comply with the Notices
Any organisation that fails to comply with the Notices may be liable to the following:
- Enforcement Orders: The Commission can issue enforcement orders against the organisation.
- Administrative Fines: The Commission can impose significant fines on the organisation. For Data Controllers or Processors of Major Importance (DCPMI), the fines can be up to the greater of ten million naira (N10,000,000) or two percent (2%) of annual gross revenue.
- Criminal Prosecution: In other cases, the Commission can initiate criminal prosecution against the organisation.
As captured by the Punch Newspaper publication of 24 August 2025, the Commission had in the past, imposed substantial administrative fines against organisations that failed to comply with national data protection standards mandated by the Act, such as the Seven Hundred and Sixty-six Million, Two Hundred Thousand Naira (N766, 200,000) fine against Multichoice Nigeria Limited for issues including illegal data transfers, and the Five Hundred and Fifty-five Million, Eight Hundred Thousand Naira (N555, 800, 000) fine against Fidelity Bank Plc (representing 0.1 per cent of its 2023 revenue), for processing data without consent.
Related Data Protection Laws in Nigeria
The NDP Act is the principal legislation for the protection of personal data in Nigeria. However, there are a few other laws that also protect personal data in Nigeria. These laws include:
- Constitution of the Federal Republic of Nigeria 1999 (As Amended)
The Constitution of the Federal Republic of Nigeria 1999 (As Amended) under section 37, guarantees privacy of Nigerian citizens, their homes, correspondence, telephone conversations and telegraphic communications.
- Child's Rights Act 2003
The Child's Rights Act 2003 (the "Act") guarantees right to privacy as it relates to children. Section 8 of the Act guarantees the child's right to privacy subject to parents' or guardian's right to exercise supervision and control of the child's conduct. Under the Act, a child is any person under the age of Eighteen (18) years. The Act has been enacted as the Child's Rights Law in some States in Nigeria.
- Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024
The Cybercrimes (Prohibition, Prevention, Etc.) (Amendment) Act 2024 (the "Act") was enacted to address new and evolving cyber threats and to fill gaps in the original Cybercrimes (Prohibition, Prevention, Etc.) Act 2015. The Act expands surveillance powers, imposes stricter penalties for cyber offenses like hacking of personal data and fraud in Nigeria.
- Freedom of Information Act, 2011
The Freedom of Information Act 2011 (the "Act") grants every person the legal right to access information held by public institutions, government-controlled companies, and private bodies performing public functions or using public funds. However, the Act contains exceptions for certain types of information, such as published materials or information that would endanger personal privacy or national security.
- National Identity Management Commission Act 2007
The National Identity Management Commission Act (the "Act") establishes the National Identity Management Commission (the "Commission") to create, manage, maintain and operate the National Identity Database established under section 14 of the Act including the harmonisation and integration of existing identification databases in Government agencies and integrating them into the National Identity Database. The Commission shall also ensure the preservation, protection, sanctity and security (including cyber-security) of any information or data collected, obtained, maintained or stored in respect of the National Identity Database.
Conclusion
Whilst the NDP Act remains the primary legislation on data protection, the above listed legislations arguably protect data and also have respective sanctions for violations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
