Data protection & privacy laws in Nigeria (2026)

The Nigeria Data Protection Commission commenced sector-by-sector investigations against 1,368 entities — including 795 financial institutions, 392 insurance brokers, 136 gaming companies, and pension firms — for failing to file annual compliance audit returns, appoint Data Protection Officers, or register as major data controllers. Organizations were given 21 days to demonstrate compliance or face fines, enforcement orders, and criminal prosecution.

The NDPC imposed a ₦766,242,500 penalty on Multichoice Nigeria for illegal cross-border transfers of Nigerian subscribers' personal data and intrusive, disproportionate data processing. The fine — one of the largest under the NDPA framework — also triggered a mandatory compliance audit of all Multichoice data-collection channels.

The Competition and Consumer Protection Tribunal confirmed the FCCPC's landmark $220 million penalty against Meta Platforms, affirming Nigerian regulators' authority to sanction global tech companies for data misuse affecting Nigerian users. The ruling set binding precedent for data-sovereignty enforcement against foreign digital platforms.

The NDPC published the GAID to operationalise the NDPA 2023, establishing registration tiers (Ultra-High, Extra-High, Ordinary-High), DPO credentialing standards, breach notification timelines, DPIA requirements, and cross-border transfer mechanisms. Effective 19 September 2025, the GAID supersedes the NDPR 2019 as the operative administrative compliance instrument.

After a 38-month joint investigation, the Federal Competition and Consumer Protection Commission fined Meta $220 million for unauthorized cross-border data sharing, discriminatory treatment of Nigerian users versus other jurisdictions, and abuse of dominant market position. The NDPC co-led the data-specific portion, making it the largest privacy penalty in Nigerian history.

President Tinubu signed the NDPA on Democracy Day, enacting Nigeria's first standalone federal data-protection statute. The Act created the independent Nigeria Data Protection Commission, codified data subjects' rights, mandated cross-border transfer safeguards, and set penalties up to 2% of annual global turnover for serious violations — aligning Nigeria's framework with GDPR-era international standards.

President Buhari approved the creation of the NDPB — separate from NITDA — as Nigeria's first dedicated data-protection institution, mandated to consolidate NDPR enforcement and drive enactment of primary legislation. The NDPB later introduced the draft Data Protection Bill in October 2022 that became the NDPA 2023.

NITDA published the Implementation Framework for the NDPR 2019, detailing the mandatory annual Data Protection Audit regime, the licensing and oversight of Data Protection Compliance Organisations (DPCOs), and sector-specific requirements. The Framework institutionalised the compliance-audit cycle that underpinned all pre-NDPA enforcement.

NITDA sent formal enforcement notices to 100 organisations found processing personal data without adequate safeguards under the NDPR, signalling active regulatory intent less than a year after the regulation took effect. The action prompted widespread corporate compliance programs and established NITDA's credibility as an enforcer.

NITDA issued the NDPR — Nigeria's first comprehensive, cross-sectoral data protection instrument — covering lawful basis for processing, consent, data minimisation, purpose limitation, data subjects' rights, mandatory breach notification, and cross-border transfer restrictions. Although subsidiary legislation, the NDPR immediately became Nigeria's primary data-privacy framework and remained so until the NDPA 2023.

The National Information Technology Development Agency Act established NITDA and empowered it to develop regulations for electronic data governance across public and private sectors in Nigeria. The Act served as the sole legislative basis under which the NDPR 2019 was issued and remained the operative foundation for data regulation until the NDPA 2023 replaced it with primary legislation.