In recent years, Nigerians have experienced a significant increase in data privacy breaches, largely due to the rapid digitisation of services and inadequate enforcement of the Nigeria Data Protection Act (NDPA). This surge in breaches underscores a concerning trend of non-compliance among corporate entities in safeguarding customers’ information, SILVER NWOKORO reports.
The NDPA was enacted to safeguard personal data and enforce privacy rights within the country. However, compliance among corporate entities has been inconsistent, leading to significant enforcement actions by the Nigeria Data Protection Commission (NDPC).
The NDPA is the primary law governing data protection and privacy in Nigeria. It was signed into law on June 12, 2023, replacing the Nigeria Data Protection Regulation (NDPR) 2019. The Act establishes a legal framework for the processing of personal data and creates the NDPC to oversee compliance.
The NDPA ensures that personal data is processed in a fair, lawful and accountable manner. It protects data subjects’ rights and provides means of recourse and remedies in the event of the breach of the data rights.
The Act also provides that data processing shall be lawful where the data subject has given and not withdrawn consent for the specific purpose or purposes from which personal data is to be processed to protect the vital interest of the data subject or another person.
“Where the processing of personal data is based on the consent of the data subject, the data subject shall be informed of the right to withdraw consent, before the granting of consent,” the law states.
The Act also added that sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject.
Apart from issues of data breaches by individuals and corporate bodies harvesting unauthorised information from data subjects’, there are cases where unknown persons attempt to breach banks and other fintech companies.
A classic example of this is the case of Flutterwave, a leading fintech company which reportedly suffered a security breach where hackers illegally accessed its system and attempted to transfer over N2.9 billion from customers’ accounts.
After obtaining a court order to recover $24 million lost to unauthorised Point of Sale (POS) transactions, Flutterwave suffered a security breach that allowed unknown persons to divert billions of naira to several bank accounts. The perpetrators illegally transferred N11 billion to several accounts in April 2024.
Instances of corporate bodies breaching personal data abound. A customer, Chukwunweike Araka Akosa, who used Jumia Foods to order pizza from Domino’s is an example.After his deal with Jumia Foods, the firm then shared his contact and personal details with Domino without his consent.
Thereafter, Domino started sending unsolicited marketing text messages to Akosa without asking for or receiving consent. Frustrated, he reached out to Jumia, but they did not acknowledge any infringement. The messages continued, so he contacted Jumia again, which then contacted Domino’s to have the customer’s details deleted.
However, when the customer tried using Glovo to order pizza, the messages started again. Deeply frustrated, Akosa sued all parties for infringement. Justice Emeka Nwite of the Federal High Court in Abuja awarded the applicant N3 million upon establishing that the restaurant sent him direct unsolicited marketing messages via his phone without his consent.
The court held that the firm’s usage of Akosa’s data for direct marketing purposes was unlawful and in violation of Section 37 of Nigeria’s Constitution and Sections 25 and 26 of the Nigeria Data Protection Act, 2023.
Also, on account of the privacy rights violation, the human rights lawyer and Senior Advocate of Nigeria, Mr Femi Falana, filed a $5 million suit before a Lagos High Court against Meta Platforms Inc., the U.S.-based tech giant owned by Mark Zuckerberg, over the alleged invasion of his privacy
In the originating motion brought by his lawyer, Olumide Babalola, he accused the firm of publishing motion images and voice captioned, “AfriCare Health Center,” on their website to the effect that Falana has suffered a disease known as ‘Prostatitis’, which the lawyer claimed constitutes an invasion of his privacy as guaranteed by the 1999 Constitution.
Explaining why corporate entities breach people’s privacy, a tech lawyer, Temi Dosunmu, said it is the traditional mindset of businesses to leverage any activity that directly helps them to maximise profit. He added that there is a low level of awareness, which is not necessarily the fault of the regulator. He noted that enforcement is also weak and not as pervasive across several sectors as expected.
Dosunmu stated that the duty of sensitisation has been outsourced to Data Protection Compliance Organisations (DPCO) in some way.
“However, this beautiful initiative has not been fully explored yet as some DPCOs seem to focus on revenue generation through audits,” he said, suggesting that influencers could be engaged to sensitise citizens on issues of data breach and privacy rights violation. He added that implementation of the existing penalties, which is two per cent of revenue of corporations and criminal penalties, will go a long way to curb the breaches.
Lawyer and the Executive Director of Cadrell Advocacy Centre, Evans Ufeli, believes Nigerian companies often face significant challenges when it comes to compliance with legal regulations. He noted that several factors contribute to these difficulties, including the complexity of the legal landscape, inadequate infrastructure, lack of clarity in laws, and inconsistent enforcement.
His words: “The Nigerian legal system is not only complex but also changes frequently, making it hard for companies to keep up with the evolving regulations. The multiplicity of regulatory bodies and the overlapping jurisdictions can lead to confusion and conflicting mandates. As a result, businesses may inadvertently contravene laws simply because they are unaware of all the requirements.
“Inadequate infrastructure and resources hinder compliance efforts, particularly for small and medium-sized enterprises (SMEs). Many companies lack the financial means to hire legal experts or invest in compliance technology. This inadequacy is often compounded by a broader economic environment characterised by instability, which further diverts focus away from compliance to mere survival in a competitive market.
“Another aspect is the issue of corruption and inconsistent enforcement of laws. Businesses may believe that adhering to regulations does not guarantee compliance, as enforcement can be selective or influenced by bribery. This perception creates a culture of non-compliance, where companies prioritise short-term gains over long-term legal adherence.” To address these issues, Ufeli urged the government to take several proactive steps to sensitise companies regarding legal compliance.
“It is important to simplify the regulatory frameworks and create a centralised platform where businesses can access all relevant laws and regulations. This initiative would not only provide clarity but also foster understanding among business owners.
“The government should prioritise public awareness campaigns. Workshops, seminars, and training programmes can be rolled out to educate businesses, especially SMEs, about their legal obligations and the benefits of compliance. Collaboration with business associations and chambers of commerce can amplify these educational efforts and ensure that information reaches a wider audience.
“The government could establish a compliance assistance programme that provides guidance and resources for companies struggling to understand and meet regulatory requirements. This programme could include creating a hotline or dedicated staff to answer compliance-related queries,” he suggested.
The lawyer, therefore, urged the government to commit to a transparent and consistent enforcement of laws, reinforcing trust in the legal system. According to him, when companies see that the law applies equally to all, they are more likely to comply, knowing that their commitment to legality can foster a better business environment for themselves and others.
By streamlining processes, enhancing education, and ensuring fair enforcement, Ufeli believes the government can nurture a culture of legal compliance that ultimately benefits the entire economy.
President of Admiralty Lawyers Society of Nigeria (ALSN), Angus Obinna Chukwuka, said the compliance level of corporate entities with the NDPA is far from encouraging.
This, he said, is not surprising because enforcement and implementation of laws in Nigeria have always been problematic and “we have a pathetic situation whereby our law enforcement agencies are part of the rascality of breaches.”
He lamented that those saddled with the responsibility to enforce compliance are intricately committed to default measures. “They collude with the lawless to circumvent the provisions of the law they should enforce for selfish gains. However, one of the greatest challenges to legal compliance is their lack of adequate sensitisation,” Chukwuka stressed.
He noted that the essence and provisions of the Data Protection Act are not known to the bodies that should comply with them.
His words: “Strategies to promote the knowledge of the provisions of that Act should be set out and deployed. All corporate entities should be written on the tenure of the Act and what kind or degree of compliance is required of them. Penalties for default should be emphasised. Those who default should be prosecuted and or punished.”
Chukwuka advocated training for law enforcement agencies and the judiciary on investigation and prosecution as they relate to the provisions of the Act. He also recommended regular training of all officers whose duties are incidental or tangential to the provisions of the Act.
“Copies of the Act should be paid for and distributed to all corporate organisations. Workshops, symposiums, seminars and town hall meetings will also be helpful to intensify sensitisation. All stakeholders must be made to participate in the matters of discussion on the Act.
“Corporate entities who comply properly should be rewarded in a number of ways including tax waivers, awards, siting of strategic public amenities near them,” he said.
Lead Partner at Chaniel Legal Practitioners, Olatunde Adejuyigbe (SAN), argued that by the provisions of the NDPA, data processors and controllers are required to put in place adequate measures for data protection.
These, he said, include measures that will restrict access to data internally. According to him, only a few companies are ready and willing to deploy their resources to procure the software for data protection.
“The government can embark on a media campaign to create awareness about the NDPA and the consequences of non-compliance with the Act,” he suggested.
Corporate and startup lawyer, Rosemond Phil-Othihiwa, argued that companies struggle with compliance due to lack of awareness and understanding, cost of compliance, limited technical expertise, cultural attitudes towards data privacy and complexity of implementation.
She believes that the government can improve corporate compliance through awareness campaigns, industry-specific guidance, capacity building, provision of incentives for compliance and developing stronger enforcement mechanisms.
Phil-Othihiwa advocated penalties for non-compliance, stating that they must be proportionate and enforceable. She noted that NDPA already includes fines and sanctions for breaches, but enforcement needs to be effective.
“Possible punitive and corrective measures should include fines and sanctions, public naming and shaming, suspension of licenses for repeated violations and remedial orders,” she suggested.
