Data Protection in Nigeria; Personal Data and Valid Consent

The use of the internet and transfer of data over networks are characterized by individual electronic traces which are potential identifiers distinguishing individual users and the people with whom they communicate. Data encompasses a lot of vital information which includes personal emails, bank records, criminal records, health records, employment records and other information which can be gathered and disseminated. This article educates an average individual on the possible use of their personal data by data controllers and the protection of this data by the Nigeria Data Protection Regulation 2019.

In the Nigeria Data Protection Regulation 2019, data is defined as characters, symbols and binary on which operations are performed by a computer which may be stored or transmitted in the form of electronic signals and stored in any format or any device. Data protection is the process of safeguarding one’s information which is collected and disseminated mostly through technology. It is the preservation of a fundamental right that is found in the 1999 constitution of Nigeria,1 the Nigeria Data Protection Regulation 2019 [NDPR]2 and in certain international treaties and national constitutions such as the General Data Protection Regulation [GDPR], the European Union General Data Protection Regulation 2018[EUDPR],the United Kingdom Data Protection Act 2018 among others3.

Personal data simply means the information that can personally identify an individual, such as his name, picture, address, national identification number, credit card numbers,4 fingerprints, IP address5 among others. Personal data is not limited to information that can directly identify an individual. A person can be assigned a unique identifier through the combination of pieces of information in order to monitor his online behavior; this can be done through the use of tracking techniques by online advertising companies. They successfully build such person’s online profile and show him related posts containing offers that they assume through the information gathered would be relevant to him.6 This unique identifier which includes all of the person’s online behavior is also personal data.7

The General Data Protection Regulation [GDPR], which came into force on 25 May 2018, and is a universal standard and comprehensive data protection regulations, had a remarkable influence on the Nigeria Data Protection Regulation 2019 which was issued by the National Information Technology Development Agency. The GDPR applies to data controllers whose processing activities are related to the offering of goods or services to individuals in the European Union, or to the monitoring of the behavior of individuals in the European Union while the NDPR applies to the residents of Nigeria and the citizens of Nigeria who are outside the country.

It is highly informative to note that the GDPR and NDPR provisions relating to Personal Data are overwhelmingly similar. GDPR defines personal data as any information relating to an identified or identifiable natural person. It goes on to define an identifiable natural person as one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The NDPR defines Personal Data as any information relating to an identified or identifiable natural person and it defines an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited, to MAC address, IP address, International Mobile Equipment Identification number (‘IMEI’), IMSI number, SIM, personal identifiable information and others.

Data which relates to religious or other beliefs, an individual’s sexual orientation, political views, and criminal records are specified in the NDPR to be sensitive personal data. The GDPR also categorized these as special categories of personal data.

These definitions show that personal data is all encompassing and the protection of data is pivotal to the safety of individuals.

The need for data protection can be easily linked to the high economic influence and advantage that data controllers8 and data administrators9 are open to in the digital era. Data has been described as the world’s most valuable resource10 Also, its attractiveness to hackers is a major cause for concern due to the risk of cyber attacks. Data protection is no longer just a privacy right, it has become an economic good and governments as well as companies all over the world have come to this realization.

Data can be used to monitor people, their online behavior and even telephone conversations through the installation of listening capabilities in a phone which is sometimes without the consent of the user.

One of the most common ways for personal data to be collected and disseminated online is through website cookies. Website cookies help online companies to enhance site navigation, analyze the site usage and assist in advertisement. A cookie is a small piece of data that a website stores when it is visited by a user, they collect personal information about an individual’s browsing habits and help to remember their preferences.

Social networking sites are also known to collect data through information that people share and they use these data for targeted advertising. This is a means for them to make money as they allow people to join and use their sites freely. They collate relevant information to determine the kind of advertisement that aligns with our type of person, such as our articles, status updates, circle of friends, pictures; this is called user generated content. The time we log into the social network as well as our location while logged in which is known as data traffic, are also monitored.

A random person receives unsolicited phone calls, emails and text messages from organizations which they never gave their personal data to or who they never consented to the use of their personal information in such manner. These organizations mostly advertise their products and services through these unsolicited means of communication. Sometimes, one can make a telephone conversation discussing a subject matter and then hours later they can see sponsored ads on this subject matter which they have never searched on the app.

The question which readily comes to the mind is whether or not this is legal, and if their consent should not have been sought to use their personal data in such manner.

It is pertinent to note that the Nigeria Data Protection Regulation provides for the requirement of consent for personal data to be used or processed. Also, Article 6 of The General Data Protection Regulation provides for consent as one of the six legal grounds for data processing.

Article 7 of the General Data Protection Regulation and Section 7 of the Nigeria Data Protection Regulation clarifies some conditions for consent to be valid.

Consent must be well informed. Individuals must be properly informed about the data processing they agree to, before the processing takes place. In the wordings of the law, no data shall be obtained except the specific purpose of collection is made known to the Data Subject.11 The purposes of the data processing must be clear and individuals must really understand which of their personal data are being processed. It is important that they understand the consequences of such use and the impact it may have on their life in future.

Consent must be explicit. In seeking consent, companies have been found using general terms of use and not giving sufficient information while asking individuals to click a button saying ‘í agree’, this is not sufficient to pass as consent. Another example is pre-ticked boxes that individuals are asked to un-tick if they disagree with the terms of use of their personal data, this is also not a valid way of obtaining consent.

Consent must be freely given. There should not be any form of coercion, force or undue influence, a good instance where consent may be gotten through undue influence is where the data controller is offering a service that no one else offers or where the data controller has a great deal of market power.

The Nigeria Data Protection Regulation further stipulates that it is necessary that the individual who gives consent has the legal capacity to do so. In a situation where consent is given in a written declaration that contains another matter, the request for consent must be presented in a manner that is clearly distinguishable from others in a form that is intelligible and easily accessible, using plain and clear language. This means that data controllers seeking consent should dissuade from using complex and technical wordings which cannot be easily understood, as consent would not be valid where it is not understood by the person who is giving it.

It is also mandated that the consent giver is informed of his right to withdraw his consent at any time and the ease of doing so. This withdrawal can however not have a retrospective effect; it would not affect the data that has been used before the consent was withdrawn and the lawfulness of processing such data.

It is a welcome knowledge that in Nigeria, it is a right of an individual to object to the processing of his data at any time, and he is to be expressly offered the mechanism for this objection free of charge by the data controller.12

It also enhances citizens trust in the government and data controlling companies that their personal data is protected through security measures which includes protection from hackers, setting up firewalls, employing data encryption technologies with other means as provided in the data protection regulation.13


  1. Section 37 of the 1999 constitution of Nigeria guarantees and protects the right of Nigerians to privacy with respect to their homes, correspondence, telephone conversations and telegraphic communications. It is a fundamental right which is enforceable in court.
  2. Also provided for in the Freedom Of Information Act 2011, Child Rights Act 2003 among others.
  3. The Charter of Fundamental Rights of the European Union, Council of Europe Convention 108, as well as other international agreements and national constitutions.
  4. This and others such as vehicle plate numbers and health records are usually not obvious to us to be personal data.
  5. For instance, being able to ascertain whether it was used by a person and not a device, [like a web server].
  6. In this instance, it is not necessary for the advertising company to know the individual’s name, they just study their online behavior like their frequently visited websites and collates this as a file with an identifiable name.
  7. The NDPR provides that online identifiers may be considered as personal data, including unique identifiers such as IP addresses, IMEI number, media access control address and IMSI number, among others. The GDPR also specifies that online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags.
  8. “Data Controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed. This definition is found in the Definition Section of the Nigeria Data Protection Regulation 2019.
  9. “Data Administrator” means a person or organization that processes data. This definition is found in the Definition Section of the Nigeria Data Protection Regulation 2019.
  10. The Economist, ‘The world’s most valuable resource is no longer oil, but data’ [The Economist , 6 May 2017]
    Available at <https//’s-most-valuable-resource-is-no-longer-oil-but-data> Accessed 16 October, 2020.
  11. Section 7 of the Nigeria Data Protection Regulation 2019.
  12. Section 12 of the Nigeria Data Protection Regulation 2019.
  13. Section 10 of the Nigeria Data Protection Regulation 2019.

© 2020 Fixitlaw Solicitors. All Rights Reserved.
Website by BeeTcore.