Nigeria Data Privacy Laws: NDPA 2023 and GAID 2025 Compliance Guide

Nigeria's primary data privacy law is the Nigeria Data Protection Act 2023 (NDPA), enacted by the National Assembly and grounded in the privacy guarantee of Section 37 of the 1999 Constitution. The Nigeria Data Protection Commission enforces the NDPA, supported by the General Application and Implementation Directive 2025.
Quick Answer: What Governs Data Privacy in Nigeria?
Nigeria's data privacy framework rests on two interlocking instruments. The Nigeria Data Protection Act 2023 (NDPA) is the primary statute, enacted by the National Assembly and signed into law on June 12, 2023. The General Application and Implementation Directive 2025 (GAID), issued by the Nigeria Data Protection Commission on March 20, 2025 and effective September 19, 2025, is the subordinate directive that operationalizes the NDPA with detailed rules on registration, compliance audits, consent, cross-border transfers, and enforcement. Together, the NDPA and GAID 2025 form the complete regulatory framework that replaced the Nigeria Data Protection Regulation 2019 (NDPR). The Nigeria Data Protection Commission (NDPC) is the independent statutory authority responsible for enforcement, registration, guidance, and adjudication.
Jurisdiction scope: This article addresses the federal data protection law of Nigeria under the NDPA 2023, the GAID 2025, and the constitutional guarantee in Section 37 of the 1999 Constitution. It does not address sector-specific privacy rules under the Nigerian Communications Commission, Central Bank of Nigeria data policies, or health information frameworks separately from the NDPA. For Nigeria's recording consent laws, see Nigeria Recording Laws.
Constitutional Basis: Section 37 of the 1999 Constitution
Data protection in Nigeria is grounded in a constitutional right, not merely a legislative policy choice. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) provides:
"The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected."
Section 37 is located in Chapter IV of the Constitution, which sets out Nigeria's Fundamental Rights. These rights are justiciable: a person whose Section 37 right is violated can bring an action in the Federal High Court or a State High Court for enforcement under Section 46(1) of the Constitution.
The NDPA's preamble and Section 1 make explicit that the Act was enacted to safeguard the fundamental rights and freedoms of data subjects as guaranteed under the Constitution. The NDPA therefore derives its legislative authority directly from Section 37 and translates the constitutional right to privacy into specific, enforceable obligations on organizations that process personal data.
The Multichoice Nigeria investigation illustrates this link in practice. When the NDPC imposed a NGN 766.2 million fine on Multichoice in June 2025, it framed the violations as "a fundamental violation of Nigerians' right to privacy under Section 37 of the 1999 Constitution," not merely a breach of the NDPA's statutory provisions.
History: From NDPR 2019 to NDPA 2023
Nigeria's formal data protection framework developed in three distinct phases.
Phase 1: NDPR 2019 (January 2019 to June 2023). On January 25, 2019, the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) under its authority in the NITDA Act 2007. The NDPR was a secondary regulatory instrument, not primary legislation passed by the National Assembly. This legal limitation constrained enforcement: courts could question whether NITDA had authority to impose penalties outside its core ICT mandate.
NITDA supplemented the NDPR with an Implementation Framework in July 2019 that introduced Data Protection Compliance Organizations (DPCOs) as licensed audit intermediaries, established annual compliance audit obligations, and set out breach notification requirements. These structures laid the groundwork for more comprehensive legislation.
Phase 2: The Transitional Bureau (February 2022 to June 2023). In February 2022, President Muhammadu Buhari established the Nigeria Data Protection Bureau (NDPB) by executive order to consolidate data protection governance and draft primary legislation. The NDPB took over NITDA's data protection functions and operated as a transitional body until the NDPA was enacted.
Phase 3: The NDPA 2023 and the NDPC (June 2023 onward). President Bola Tinubu signed the NDPA into law on June 12, 2023. The Act was passed by the National Assembly as primary legislation, resolving the enforcement authority questions that had surrounded the NDPR. The NDPA established the Nigeria Data Protection Commission (NDPC) as an independent statutory body, replacing the NDPB.

The GAID 2025, issued March 20, 2025 and effective September 19, 2025, completed the transition. It formally retired the NDPR 2019 as a legal instrument. Organizations are now evaluated against the GAID's specific obligations, not the NDPR's broader principles.
The Nigeria Data Protection Commission (NDPC)
The NDPC is Nigeria's independent data protection supervisory authority. Its powers and functions are set out in Part II of the NDPA. The Commission's principal functions include:
- Administering and enforcing the NDPA
- Maintaining the register of data controllers and processors of major importance
- Issuing guidelines, directives, and codes of practice
- Investigating complaints from data subjects
- Conducting compliance audits
- Imposing administrative sanctions and fines
- Promoting public awareness of data protection rights
- Cooperating with other national and international data protection authorities
The NDPC is headed by a National Commissioner and operates under a Governing Council. It is funded through government appropriations and the fees collected from DCPMI registration and compliance audits. The Commission publishes guidance notices, compliance notices, and enforcement decisions at ndpc.gov.ng.
The GAID 2025: What It Is and What It Changed
The General Application and Implementation Directive 2025 is the NDPC's primary implementing instrument for the NDPA. The NDPC issued it on March 20, 2025. It came into force on September 19, 2025, giving organizations a six-month transition window.
The GAID contains 52 articles organized across 10 schedules. Its most significant contributions to the operational framework include:
DCPMI thresholds and tiering. The GAID specifies the data subject volume thresholds that trigger DCPMI status and sets out the UHL, EHL, and OHL tier classifications.
Compliance Audit Return structure. The GAID specifies the content, format, and frequency of CARs and clarifies that OHL organizations are not required to engage a licensed DPCO for filing.
Consent specificity rules. The GAID identifies six processing activities for which consent is mandatory, removing the choice among the six lawful bases for those activities.
Cross-border transfer instruments. Schedule 5 sets the criteria for NDPC adequacy assessments and designates SCCs and BCRs as the primary transfer mechanisms in the absence of a formal adequacy decision.
Cookie and notice requirements. The GAID requires active consent for non-essential cookies and mandates prominent homepage display of privacy and cookie notices.
SNAG system. The GAID introduces the Standard Notice to Address Grievance as a pre-regulatory escalation remedy for data subjects.
DPO credentialing and semi-annual reporting. The GAID strengthens DPO independence and introduces semi-annual internal data protection reporting obligations for DCPMIs.
Who Must Comply: Scope and Territorial Reach
The NDPA applies to any individual or organization, public or private, that processes personal data of individuals in Nigeria. Territorial reach is extraterritorial under Section 2 of the NDPA: a foreign company with no Nigerian physical presence falls within the NDPA if it targets Nigerian data subjects or offers goods or services to individuals in Nigeria.
The NDPA uses the standard data protection distinction between data controllers (who determine the purposes and means of processing) and data processors (who process on behalf of controllers). Both carry compliance obligations under the NDPA and GAID.

Data Controllers and Processors of Major Importance (DCPMIs)
The NDPA and GAID create a special compliance tier for DCPMIs. An organization qualifies as a DCPMI if it satisfies any one of these criteria:
- Processes the personal data of 200 or more data subjects in any six-month period (the entry-level OHL threshold; EHL covers 1,000-4,999 and UHL covers 5,000 or more in six months)
- Provides commercial ICT services on digital devices that store personal data of other individuals
- Operates in any of the 14 designated sectors: aviation, communication, education, electric power, export/import, financial services, health, hospitality, insurance, oil and gas, tourism, e-commerce, public service, or any additional sector designated by the NDPC
DCPMIs must register with the NDPC within six months of first qualifying. The NDPC's current registration fee schedule is as follows:
| Category | Annual Registration Fee |
|---|---|
| Major Data Controller/Processor | NGN 250,000 |
| Regular Data Controller/Processor | NGN 100,000 |
| Small Business (under 40 staff; under NGN 50m turnover) | NGN 25,000 |
| Government or Public Entity | Free |
The GAID classifies DCPMIs into three tiers for compliance audit purposes:
| Tier | Description | CAR Filing Obligation |
|---|---|---|
| Ultra-High Level (UHL) | Largest-scale processors | File via licensed DPCO; fee up to NGN 1,000,000 |
| Extra-High Level (EHL) | Mid-range large processors | File via licensed DPCO; fee up to NGN 250,000 |
| Ordinary-High Level (OHL) | Entry-level major processors | Register and appoint DPO; no DPCO required for CAR |
The 2025 Compliance Audit Return deadline was originally March 31, 2026, and was subsequently extended by the NDPC to May 30, 2026. Late filing attracts a surcharge of 50% of the applicable CAR fee.
Lawful Bases for Processing Personal Data
Section 25 of the NDPA sets out six lawful bases for processing personal data. At least one must apply before any processing begins:
- Consent: The data subject has given explicit, freely given, specific, informed, and unambiguous consent.
- Contract: Processing is necessary to perform a contract with the data subject or to take pre-contractual steps at their request.
- Legal obligation: Processing is required to comply with a legal obligation the controller is subject to.
- Vital interests: Processing is necessary to protect the vital interests of the data subject or another person.
- Public interest: Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, provided those interests do not override the data subject's fundamental rights.
The GAID 2025 specifies that consent is the only permissible basis for six categories of processing: direct marketing, sensitive personal data, further processing that departs from the original purpose, children's data, cross-border transfers to non-adequate countries, and automated decision-making that produces legal or similarly significant effects.
When relying on legitimate interests, controllers must complete a Legitimate Interest Assessment (LIA) using the template in the GAID schedules, documenting the controller's interest, the necessity of the processing, and the balancing test against the data subject's rights.
Watch out: Using legitimate interests as the default fallback basis is one of the most common compliance errors flagged in NDPC sector investigations. If the processing falls into any of the six mandatory-consent categories above, no other lawful basis applies, regardless of how compelling the legitimate interest appears.
Data Subject Rights
The NDPA grants individuals a comprehensive set of rights over their personal data. Controllers must respond to requests without undue delay.
Right to Information
Before collecting any personal data, controllers must inform data subjects of: the identity and contact details of the controller; the purposes and legal basis of processing; the categories of data; recipients or categories of recipients; retention periods; and the full set of data subject rights available.
Right of Access
Data subjects may request a copy of all personal data a controller holds about them. The controller must provide the data in a commonly used electronic format.
Right to Rectification
Individuals can request correction of inaccurate or incomplete personal data. Controllers must act without undue delay.
Right to Deletion (Erasure)
Data subjects may request deletion of their personal data when: the data is no longer necessary for its original purpose; consent is withdrawn; the data subject objects and no overriding legitimate grounds exist; or the data was processed unlawfully.
Right to Withdraw Consent
Data subjects may withdraw consent at any time. Withdrawal must be as easy as giving consent. Controllers cannot impose additional steps or friction on the withdrawal process.
Right to Object
Data subjects may object to processing. On receipt of an objection, the controller must cease processing unless it demonstrates compelling legitimate grounds that override the data subject's interests, rights, and freedoms.
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Sensitive Personal Data and Children's Data
The NDPA defines sensitive personal data as information relating to: genetic data; biometric data used for unique identification; health data; religious or philosophical beliefs; political opinions; trade union membership; sex life or sexual orientation; racial or ethnic origin; and criminal records. The NDPC may designate additional categories by directive.
Processing sensitive personal data is prohibited unless the data subject has given explicit consent or the processing is necessary for substantial public interest on the basis of law.
The NDPA sets the age of a child at under 18 years, consistent with Nigeria's Child Rights Act. Processing a child's personal data requires explicit consent from a parent or legal guardian. Controllers must implement age verification and parental consent confirmation mechanisms. Children's data must be treated with the same heightened protections as sensitive personal data.

Data Breach Notification
The NDPA imposes strict, time-bound breach notification obligations.
Notification to the NDPC
Controllers must notify the NDPC of a personal data breach within 72 hours of becoming aware of it. The notification must include: the nature of the breach; the categories and approximate number of data subjects affected; the name and contact details of the DPO or other contact point; the likely consequences; and the measures taken or proposed. Where notification cannot be made within 72 hours, the controller must provide the reasons for the delay along with the notification.
Notification to Data Subjects
Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must notify affected individuals without undue delay in clear, plain language. The notification must describe what happened, what data was involved, and what steps the individual can take.
Processor Obligations
Data processors must notify the relevant data controller without undue delay upon becoming aware of a breach, enabling the controller to meet the 72-hour window.
Data Protection Officers (DPOs)
All DCPMIs must appoint a qualified Data Protection Officer. The DPO may be an employee or engaged through a service contract with an external provider. GAID 2025 strengthens the DPO's institutional position:
- The DPO must report directly to the highest level of senior management
- The organization must provide sufficient resources and access to all processing activities
- The organization must facilitate continuous professional training for the DPO
- The DPO's independence is protected: they cannot be dismissed, penalized, or demoted for performing their duties
- The DPO must submit internal data protection compliance reports to senior management on a semi-annual basis
The DPO is the primary contact point for data subjects filing requests and for the NDPC in all regulatory matters.
Data Protection Impact Assessments (DPIAs)
Controllers must conduct a DPIA before beginning any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects. The GAID 2025 identifies high-risk processing to include: systematic automated profiling that produces legal or similarly significant effects; large-scale processing of sensitive personal data; systematic monitoring of publicly accessible areas; and processing involving emerging technologies such as blockchain, IoT, or generative AI.
Where a DPIA reveals that a proposed processing activity would result in a high risk that the controller cannot mitigate, the controller must consult the NDPC before proceeding. The NDPC may authorize the processing with conditions, require modification of the plan, or prohibit it.
Cross-Border Data Transfers
Sections 41 to 43 of the NDPA and GAID 2025 Schedule 5 govern the transfer of personal data outside Nigeria. Personal data may only be transferred if one of the following conditions is satisfied:
1. Adequacy decision. The NDPC has determined that the destination country provides an adequate level of data protection. Under the prior NDPR regime, the NDPC maintained a whitelist that included EEA member states, the United Kingdom, Canada, Israel, New Zealand, Switzerland, and Argentina. That whitelist is not automatically carried forward under the NDPA/GAID framework. As of the GAID's effective date (September 19, 2025), the NDPC has not published a formal adequacy list under the new framework. Organizations should not assume prior-regime approvals remain valid.
2. Standard Contractual Clauses (SCCs). The NDPC may approve SCC templates for use in cross-border transfers. Controllers must execute the approved SCCs before transferring data and obtain NDPC approval for the arrangement.
3. Binding Corporate Rules (BCRs). Multinational corporate groups may apply to the NDPC for approval of BCRs governing intra-group transfers. BCRs must be binding on all group entities and must grant data subjects enforceable rights.
4. Explicit consent. The data subject gives explicit, informed consent to the specific transfer after being made aware of the risks arising from the absence of an adequacy decision or appropriate safeguards.
5. Contract performance or vital interests. The transfer is necessary for the performance of a contract between the data subject and the controller, for pre-contractual measures taken at the data subject's request, or to protect the vital interests of the data subject.
Because the NDPC has not published a formal adequacy list under the NDPA/GAID framework, most organizations currently rely on SCCs or BCRs. The Multichoice Nigeria fine of NGN 766.2 million (June 2025) demonstrates that unauthorized cross-border transfers are treated as serious violations subject to substantial penalty.
Penalties for Non-Compliance
The NDPA establishes a tiered penalty structure based on organization classification.
Data Controllers and Processors of Major Importance
Fines of up to NGN 10 million or 2% of annual gross revenue, whichever is higher. For large Nigerian companies or multinationals with significant Nigerian revenue, the 2% threshold substantially exceeds the NGN 10 million floor.
Other Organizations
Fines of up to NGN 2 million or 2% of annual gross revenue, whichever is higher.
Criminal Penalties
Failure to comply with an enforcement order or directive issued by the NDPC may result in imprisonment of up to one year for responsible individuals.
Administrative Powers
Beyond monetary penalties, the NDPC may issue enforcement notices, order cessation of specific processing activities, require remediation measures, and mandate independent compliance audits at the organization's expense.
Late CAR Filing Penalty
Under the GAID, filing a Compliance Audit Return after the prescribed deadline attracts a late-filing penalty of 50% of the applicable CAR filing fee, in addition to exposure to the broader penalty framework for non-compliance.
NDPC Enforcement: A Track Record of Escalating Action
The NDPC has moved from issuing guidance to imposing substantial penalties. By early 2026, the Commission had collected approximately NGN 7.2 billion from registrations, compliance revenues, and fines, and had investigated over 213 individual complaints since 2023.
FCCPC and NDPC vs. Meta/WhatsApp: The Two-Track Story
Two separate enforcement actions targeted Meta in Nigeria on different legal tracks.
FCCPC track ($220 million). The Federal Competition and Consumer Protection Commission (FCCPC) concluded a 38-month joint investigation with the NDPC and, on July 19, 2024, issued a Final Order imposing a $220 million administrative penalty on Meta Platforms and WhatsApp LLC. The investigation found discriminatory and exploitative data practices against Nigerian users: sharing WhatsApp user data with Facebook without explicit consent and treating Nigerian users less favorably than users in other jurisdictions. Meta appealed. On April 25, 2025, Nigeria's Competition and Consumer Protection Tribunal upheld the $220 million penalty and ordered payment within 60 days. That FCCPC order remains the subject of ongoing proceedings as of mid-2026.
NDPC track ($32.8 million, subsequently waived). Separately, the NDPC conducted a 17-month investigation and, in February 2025, imposed a $32.8 million penalty on Meta for NDPA violations: absence of explicit consent for behavioral advertising, unauthorized cross-border transfers, collection of data from non-users, and algorithmic practices that exposed users to financial and health risks. On October 30, 2025, the NDPC and Meta signed a confidential settlement agreement. On November 3, 2025, a Federal High Court in Abuja converted the agreement into a formal consent judgment. Under the terms, Nigeria waived the entire $32.8 million NDPA penalty and set aside the original Final Orders; Meta was required only to cover the government's legal fees. The settlement generated significant public debate about NDPC's enforcement credibility with global technology platforms.
NDPC vs. Multichoice Nigeria: NGN 766.2 Million Fine (June 2025)
On June 6, 2025, the NDPC imposed a NGN 766.2 million fine on Multichoice Nigeria (operator of the DStv satellite television service). The investigation, initiated in Q2 2024, found that Multichoice had unlawfully transferred personal data of Nigerian subscribers and non-subscribers across borders without appropriate consent or safeguards. The NDPC described the practices as "intrusive, unfair, unnecessary and disproportionate" and a violation of Section 37 of the 1999 Constitution. Multichoice's proposed remedial measures were found "unsatisfactory."
Sector-Wide Financial Services and Gaming Investigation (August 2025)
In August 2025, the NDPC issued compliance notices to 1,368 organizations across multiple sectors: 795 financial institutions, 392 insurance brokers, 136 gaming companies, 35 insurance companies, and 10 pension companies. Each organization was given 21 days to provide evidence of DPO appointment, technical and organizational data protection measures, and DCPMI registration status.
Education Sector Investigation (February 2026)
On February 19, 2026, the NDPC issued compliance notices to 649 higher education institutions across Nigeria, including federal universities, state universities, private universities, polytechnics, colleges of education, and technical colleges. The institutions were required to provide within 21 days: evidence of filing NDP Act Compliance Audit Returns for 2024; evidence of DPO appointment; a summary of technical and organizational data protection measures; and evidence of DCPMI registration. The NDPC stated that failure to comply may result in enforcement orders, administrative fines, and criminal prosecution. The Commission also partnered with Nigeria's Federal Ministry of Education in February 2026 to address what it described as a low level of data protection adherence in the education sector.
Cookie and Privacy Notice Requirements
The GAID 2025 introduced specific digital compliance requirements. All cookies that are not strictly necessary for the technical operation of a website require active, affirmative consent from the user. Pre-checked boxes, implied consent through continued browsing, and consent-by-default configurations do not satisfy this requirement.
Controllers must display a privacy notice and a cookie notice on the homepage of their websites. The cookie notice must give users a clear opportunity to accept or decline non-essential cookies, and it must be displayed prominently, significantly obstructing a portion of the homepage. These requirements apply to any website targeting Nigerian users, including foreign-operated websites.
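As an added illustration (not code from the article, the NDPC, or the GAID itself), the following Node-runnable JavaScript shows a consent gate that implements the rule above: non-essential cookies are blocked until the user affirmatively opts in, the absence of a choice counts as a decline rather than a pre-checked default, and withdrawal takes a single call, matching the withdrawal rule under Right to Withdraw Consent earlier on the page. The cookie names, category labels and the in-memory jar standing in for document.cookie are constructed for the example.

```javascript
// Added example: a minimal cookie consent gate modelled on the GAID 2025
// rule that non-essential cookies need active, affirmative consent.
// Cookie names, categories and the in-memory jar are constructed here;
// they are not values from the article or from the NDPC.

// Map each cookie the site sets to a category. Only "essential" cookies
// (needed for the site to function at all) may be set without consent.
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  analytics_id: "analytics",   // non-essential
  ad_profile: "marketing",     // non-essential
};

const NON_ESSENTIAL_CATEGORIES = ["analytics", "marketing"];

// Starting state: every non-essential category is declined. There is no
// pre-checked default and continued browsing never changes this object.
function defaultConsent() {
  const state = {};
  for (const cat of NON_ESSENTIAL_CATEGORIES) state[cat] = false;
  return state;
}

// Record the user's explicit choice. Call this only from an Accept/Decline
// click handler. Anything other than a literal `true` (a missing key, an
// "on" string from a pre-ticked control) is treated as declined.
function recordConsent(choices) {
  const state = defaultConsent();
  for (const cat of NON_ESSENTIAL_CATEGORIES) {
    if (choices[cat] === true) state[cat] = true;
  }
  return { ...state, recordedAt: new Date().toISOString() };
}

// Withdrawal must be as easy as giving consent: one call, no extra steps.
function withdrawConsent(state, category) {
  if (!NON_ESSENTIAL_CATEGORIES.includes(category)) {
    throw new Error(`unknown consent category: ${category}`);
  }
  return { ...state, [category]: false };
}

// Decide whether a cookie may be set under the current consent state.
function cookieAllowed(name, state) {
  const cat = COOKIE_CATEGORIES[name];
  if (cat === undefined) return false;   // unregistered cookies are never set
  if (cat === "essential") return true;  // strictly necessary: no consent needed
  return state[cat] === true;            // non-essential: explicit opt-in only
}

// `jar` is a plain object standing in for document.cookie.
function setCookie(jar, name, value, state) {
  if (!cookieAllowed(name, state)) return false;
  jar[name] = value;
  return true;
}

// After a withdrawal, remove cookies whose category is no longer consented.
function purgeCookies(jar, state) {
  for (const name of Object.keys(jar)) {
    if (!cookieAllowed(name, state)) delete jar[name];
  }
  return jar;
}

// Walk through the flow once: page load, opt-in to analytics only, withdrawal.
function demo() {
  const jar = {};
  let state = defaultConsent();
  setCookie(jar, "session_id", "s1", state);      // allowed: essential
  setCookie(jar, "analytics_id", "a1", state);    // blocked: no consent yet
  state = recordConsent({ analytics: true });     // user clicked Accept for analytics
  setCookie(jar, "analytics_id", "a1", state);    // now allowed
  setCookie(jar, "ad_profile", "p1", state);      // still blocked: marketing declined
  state = withdrawConsent(state, "analytics");    // one call to withdraw
  purgeCookies(jar, state);                       // analytics_id removed
  return Object.keys(jar).sort();                 // ["session_id"]
}

module.exports = { defaultConsent, recordConsent, withdrawConsent, cookieAllowed, setCookie, purgeCookies, demo };
```

Wire `recordConsent` only to the banner's Accept/Decline controls, never to page load, scroll or banner dismissal; the gate only governs cookies that pass through `setCookie`, so on withdrawal the scripts that set analytics or marketing cookies must also be stopped, not just the stored cookies purged.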
Standard Notice to Address Grievance (SNAG)
The GAID 2025 introduced the Standard Notice to Address Grievance (SNAG) as an additional data subject remedy. A SNAG is a standardized written demand template that a data subject serves on an organization to require it to address a specific data protection complaint internally. Serving a SNAG is not a precondition for filing an NDPC complaint or initiating court proceedings; it is an optional preliminary step. Organizations that ignore or inadequately respond to a SNAG risk compounding their regulatory exposure when the matter proceeds to the NDPC.
Compliance Checklist for Organizations Operating in Nigeria
Organizations subject to the NDPA and GAID 2025 should address the following:
- Determine whether the organization qualifies as a DCPMI based on processing volume (200 or more data subjects in any six-month period is the OHL entry threshold; 1,000-4,999 is EHL; 5,000 or more is UHL) or sector designation, and register with the NDPC within six months of qualifying
- Determine the DCPMI tier (UHL, EHL, or OHL) and understand the applicable CAR filing obligations and deadlines
- Appoint a qualified Data Protection Officer who reports directly to senior management
- Identify and document the lawful basis for each processing activity; where one of the six mandatory-consent categories applies, obtain explicit consent
- Complete a Legitimate Interest Assessment using the NDPC's GAID template before relying on legitimate interests as a lawful basis
- Conduct Data Protection Impact Assessments for all high-risk processing activities before they begin
- Establish a 72-hour breach notification procedure and maintain incident response documentation
- Review all cross-border data transfer arrangements; execute NDPC-approved SCCs or BCRs; do not assume prior-regime adequacy whitelist approvals remain valid
- Update website cookie consent mechanisms to require active, affirmative consent for non-essential cookies
- File annual Compliance Audit Returns (UHL and EHL DCPMIs via licensed DPCO) by the prescribed deadline
- Train staff on NDPA obligations and ensure the DPO receives continuous professional development
Recent Developments: 2025 to 2026
GAID effective (September 19, 2025). The six-month transition window closed. The NDPR 2019 is retired; the GAID 2025 is the operative compliance standard.
Meta/NDPC settlement (October to November 2025). The NDPC waived the entire $32.8 million NDPA penalty against Meta; the settlement was converted to a Federal High Court consent judgment. Civil society organizations raised concerns about enforcement credibility. The $220 million FCCPC action on a separate legal track continues.
CAR deadline extension (March 2026). The NDPC extended the 2025 Compliance Audit Return deadline from March 31, 2026 to May 30, 2026. Late filings attract a 50% surcharge on the applicable CAR fee.
Education sector compliance notices (February 2026). The NDPC issued compliance notices to 649 higher education institutions and partnered with the Federal Ministry of Education to address low compliance levels in the sector.
2026 enforcement outlook. The NDPC has signaled continued sector-by-sector investigation into aviation, communication, e-commerce, and health industries. Organizations that received compliance notices in 2025 face follow-up scrutiny on remediation. The Commission is expected to focus on cross-border transfer arrangements and DPO qualifications.
Disclaimer
This article presents general legal information about Nigeria's federal data protection framework under the Nigeria Data Protection Act 2023 and the GAID 2025. It is not legal advice. It does not address every provision of the NDPA or GAID, and it does not account for sector-specific rules under the Nigerian Communications Commission, Central Bank of Nigeria, or other regulatory bodies. The information was verified as of May 19, 2026. Laws and enforcement practices change. Organizations and individuals should consult a lawyer licensed to practice in Nigeria for advice on their specific situation and compliance obligations.
Frequently Asked Questions
What is the Nigeria Data Protection Act 2023?
The Nigeria Data Protection Act 2023 (NDPA) is Nigeria's first comprehensive data protection statute, enacted by the National Assembly and signed into law on June 12, 2023. It replaced the Nigeria Data Protection Regulation 2019 (NDPR), which was a secondary regulatory instrument rather than primary legislation. The NDPA establishes the Nigeria Data Protection Commission (NDPC), sets out data subject rights, defines obligations on data controllers and processors, and creates a tiered penalty structure for non-compliance.
What is the GAID 2025 and when did it take effect?
The General Application and Implementation Directive 2025 (GAID) is the NDPC's implementing directive for the NDPA. The NDPC issued it on March 20, 2025, and it became effective on September 19, 2025, after a six-month transition period. The GAID contains 52 articles and 10 schedules covering DCPMI registration, Compliance Audit Returns, DPO requirements, consent rules, cross-border transfers, cookie notices, and the SNAG system. The GAID retired the NDPR 2019 as a legal instrument.
Who must register with the NDPC as a DCPMI?
An organization must register as a Data Controller or Processor of Major Importance (DCPMI) if it processes personal data of 200 or more data subjects within any six-month period. The GAID 2025 defines three tiers: Ordinary High Level (OHL) covers 200-999 data subjects in six months; Extra High Level (EHL) covers 1,000-4,999; Ultra High Level (UHL) covers 5,000 or more. Organizations that provide commercial ICT services storing others' personal data, or that operate in any of the 14 designated sectors (including financial services, health, education, telecommunications, e-commerce, and insurance), also qualify regardless of data subject volume. Registration must occur within six months of first meeting any qualifying threshold.
Does the NDPA apply to foreign companies?
Yes. Under Section 2 of the NDPA, the Act applies to any organization, regardless of where it is based, that processes personal data of individuals in Nigeria or offers goods or services to people in Nigeria. A foreign company with no physical presence in Nigeria is still subject to the NDPA if it targets Nigerian data subjects. This extraterritorial reach has been applied in the Meta enforcement actions.
What is the breach notification deadline under the NDPA?
Data controllers must notify the NDPC of a personal data breach within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to data subjects' rights and freedoms, affected individuals must be notified without undue delay. Data processors must notify the relevant controller without undue delay so the controller can meet the 72-hour window.
What are the maximum penalties under the NDPA?
Data controllers or processors of major importance face fines of up to NGN 10 million or 2% of annual gross revenue, whichever is higher. Other organizations face fines of up to NGN 2 million or 2% of annual gross revenue, whichever is higher. Failure to comply with NDPC enforcement orders can also lead to imprisonment of up to one year for responsible individuals. The NDPC may also issue enforcement notices, order cessation of processing, and mandate independent compliance audits.
Can personal data be transferred out of Nigeria?
Yes, but only under conditions set out in Sections 41 to 43 of the NDPA and Schedule 5 of the GAID 2025. Transfers are permitted if the destination country has an NDPC adequacy decision; if the controller uses NDPC-approved Standard Contractual Clauses or Binding Corporate Rules; if the data subject gives explicit, informed consent to the specific transfer; or if the transfer is necessary for contract performance or vital interests. The NDPC has not yet published a formal adequacy list under the NDPA/GAID framework, so most organizations currently rely on contractual safeguards.
What happened to the Meta fine in Nigeria?
Two separate enforcement actions targeted Meta. The FCCPC, jointly with the NDPC, imposed a $220 million penalty in July 2024, upheld by the Competition and Consumer Protection Tribunal on April 25, 2025; those proceedings continue as of mid-2026. Separately, the NDPC imposed a $32.8 million NDPA penalty in February 2025. On October 30, 2025, the NDPC and Meta signed a confidential settlement, converted to a Federal High Court consent judgment on November 3, 2025, under which Nigeria waived the entire $32.8 million NDPA penalty and required Meta to pay only the government's legal fees.
What is a DCPMI Compliance Audit Return and who must file one?
A Compliance Audit Return (CAR) is an annual filing that Ultra High Level (UHL) and Extra High Level (EHL) DCPMIs must submit to the NDPC through a licensed Data Protection Compliance Organisation (DPCO). The CAR documents the organization's data protection practices, DPO details, processing activities, and security measures. The 2025 CAR deadline was extended to May 30, 2026. Ordinary High Level (OHL) DCPMIs must register and appoint DPOs but are not required to engage a DPCO for CAR filing.
What is the constitutional basis for data protection in Nigeria?
Data protection in Nigeria is grounded in Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), which guarantees the privacy of citizens' homes, correspondence, telephone conversations, and telegraphic communications. Section 37 is a justiciable fundamental right enforceable in the Federal High Court or State High Courts under Section 46(1) of the Constitution. The NDPA's preamble and Section 1 expressly state that the Act was enacted to safeguard data subjects' fundamental rights as guaranteed under the Constitution.
Sources and References
- Nigeria Data Protection Act, 2023 (Full Text), cert.gov.ng
- NDPA General Application and Implementation Directive (GAID) 2025, ndpc.gov.ng
- Nigeria Data Protection Commission (NDPC) Official Website, ndpc.gov.ng
- Nigeria Data Protection Regulation 2019 (NDPR), nitda.gov.ng
- NDPC Guidance Notice on Registration of DCPMIs (Updated 2024), ndpc.gov.ng
- FCCPC: Tribunal Upholds $220 Million Fine Against Meta/WhatsApp (April 2025), fccpc.gov.ng
- Meta, NDPC agree out-of-court settlement; $32.8M NDPA fine waived (Nov 2025), techpoint.africa
- NDPC fines Multichoice Nigeria NGN 766.2 million (Jun 2025), dataguidance.com
- NDPC Compliance Notices to 1,368 Organizations (Aug 2025), techpoint.africa
- NDPC Education Sector Compliance Notice, 649 Institutions (Feb 2026), aluko-oyebode.com
- NDPC Extends 2025 CAR Deadline to 30 May 2026, pavestoneslegal.com
- Data Protection Laws and Regulations: Nigeria 2025-2026 (ICLG), iclg.com
- Nigeria Data Protection Landscape: 2026 Outlook (Mondaq), mondaq.com