Presently, the key privacy regulations in Nigeria are the 1999 Constitution of the Federal Republic of Nigeria (as amended (“Constitution”)) and the Nigerian Data Protection Regulation 2019 (“NDPR”) issued by the National Information Technology Development Agency (“NITDA”) on January 25, 2019, pursuant to section 32 of the NITDA Act 2007. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria and the implementation Framework for the NDPR, which were both issued by the NITDA in 2020  also provide regulation and guidance on data protection in Nigeria.

The Constitution deals with the protection of the privacy of Nigerian citizens in general terms by stipulating that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” 

In January 2019, NITDA (the national authority in Nigeria charged with the responsibility of the planning, developing and promoting the use of information technology) issued the Nigerian Data Protection Regulation 2019 (“NDPR”) pursuant to its powers under the NITDA Act 2007. The NDPR seeks to prescribe the minimum data protection requirements for the collection, storage, processing, management, operation and technical controls of information of Nigerian citizens and residents within and outside Nigeria.

In addition, the Consumer Protection Regulations 2020 (“CBN Regulations”) and the Regulatory Framework for Bank Verification Number Operations and Watchlist for the Nigerian Banking Industry 2017 (“BVN Framework”), both published by the Central Bank of Nigeria (“CBN” – Nigeria’s apex bank and the agency responsible for licensing, regulating, monitoring, and supervising Nigerian banks and other financial institutions), the Consumer Code of Practice Regulations 2007 (“Code of Practice Regulations”) and Registration of Telephone Subscribers Regulations 2011 (“NCC Regulations”) both published by the Nigerian Communications Commission ("NCC", the Nigerian telecommunications sector regulator), the Guidelines for Nigerian Content Development in Information and Communications Technology 2013 issued by the NITDA (“ICT Guidelines”), the Child Rights Act No. 26 of 2003 ("CRA"), the HIV and AIDS (Anti-Discrimination) Act of 2014 (“HIV Act”), the Official Secrets Act, chapter O3, Laws of the Federation of Nigeria 2004 (“Official Secrets Act”), the Freedom of Information Act No. 4 of 2011 (“Freedom of Information Act”), the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 ("Cybercrimes Act"), the Credit Reporting Act 2017 and the National Health Act 2014 ("NHA"),  offer some degree of privacy regulation/protection.

The CRA (which only applies to persons under the age of eighteen) also protects the privacy of children and seeks to limit access to information relating to children in certain circumstances.

The CRA provides that every child is entitled to privacy, family life, home, correspondence, telephone conversation and telegraphic communications. The CRA prohibits the publication of any information that will lead to the identification of a child offender; requires that the records of child offenders be kept strictly confidential and closed to third parties, and accessible to only persons directly concerned with the disposition of the case at hand, or any other authorized persons, and prohibits the use of such records in adult proceedings in subsequent cases involving the same child offender.

With regard to health-related information, the unauthorized disclosure of information relating to the HIV status of an individual is an offense under the HIV Act. The NHA requires health establishments to maintain health records for every user of health services and maintain the confidentiality of such records. The NHA further imposes restrictions on the disclosure of user information and requires persons in charge of health establishments to set up control measures for preventing unauthorized access to information. The NHA applies to all information relating to patient health status, treatment, admittance into a health establishment, and further applies to DNA samples collected by a health establishment.

The schedule to the NCC’s Code of Practice Regulations sets out principles to regulate the collection and maintenance of the consumer’s personal information and requires service providers to ensure the security of that information.

The NCC Regulations guarantee the confidentiality of subscriber information held in the NCC’s Central Database and they give subscribers’ the right to view and update their personal information held in the NCC’s Central Database or the database of any telecommunication company.

The CBN Regulations impose certain restrictions on the transfer of customers’ data to third parties and place an obligation on financial institutions to establish appropriate measures to guarantee the protection of consumer assets and privacy. The CBN Regulations require that financial and personal information should be protected by financial institutions at all times and should not be released to a third party without the consent of the customer, except as required by law.  It imposes a duty of care on financial institutions to safeguard the privacy of their customers’ data except:

• with the express permission of the customer;
• as required by the CBN and other regulatory bodies;
• where there is a court order; and
• where public duty/interest is involved.

The Nigerian Constitution seeks to protect “the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.” The NDPR  is more specifically, aimed at protecting ‘Personal Data’, which is defined as “any information relating to an identified or identifiable natural person (Data Subject); the information must relate to an individual, whether to his or her private, professional or public life. The NDPR applies to all residents of Nigeria and to all Nigerian citizens whether residing within or outside Nigeria. Personal Data can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. It also includes other unique identifiers such as, but not limited, to MAC address, IP address, IMEI number, IMSI number, Subscriber Identification Module. Personal Identifiable Information means information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a context.” ‘Sensitive Personal Data’ is also protected and this is defined as “data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information”. 

The Freedom of Information Act protects ‘personal information’, which is defined as “any official information held about an identifiable person but does not include information that bears on the public duties of public employees and officials."

The Official Secrets Act makes it an offense for any person to transmit any classified matter to a person to whom he/she is not authorized on behalf of the government to transmit. “Classified matter” is defined as “any information or thing which, under any system of security classification, from time to time, in use by any branch of the government, is not to be disclosed to the public and of which the disclosure to the public would be prejudicial to the security of Nigeria".

Organizations or persons that control, collect, store and process Personal Data of Data Subjects are obliged to comply with the privacy obligations in Nigeria. A Data Subject under the NDPR is an identifiable natural person, one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. The NDPR applies to all residents of Nigeria and all Nigerian citizens within and outside Nigeria.

Every person in Nigeria (whether natural or juristic) is required to adhere to the provisions of the Constitution that guarantees “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications". The NDPR and the Guideline for the Implementation of the NDPR in Public Institutions also impose an obligation on all persons engaged in transactions intended to process Personal Data, whether private, federal, state and local government agencies and institutions as well as other organizations that own, use or deploy information systems within Nigeria; data collectors, data custodians, data administrators, data systems auditors and data security organizations, including their employees and agents which control, collect, store and process Personal Data of Nigerian residents and citizens within and outside Nigeria, to comply with the privacy obligations in Nigeria.
Sectoral regulators such as the NCC and the CBN have issued regulations with data protection provisions that organizations in the sectors are expected to comply with.

In addition to the foregoing, the following statutes and regulations impose the privacy obligations on the parties mentioned below:

• the HIV and AIDS (Anti-Discrimination) Act of 2014 - places the obligation on employers to ensure that any information relating to the HIV status of an employee is not disclosed without obtaining the consent of the employee unless such disclosure is required by law.
• the Code of Practice Regulations provides that all licensees must take reasonable steps to protect customer information against ‘improper or accidental disclosure’ and ensure that such information is securely stored.

• The NHA requires persons in charge of health establishments to set up control measures for preventing unauthorized access to a user’s health records and to the storage facility in which, or system by which, records are kept.

Nigerian law specifies certain legal grounds by which Personal Data can be collected and processed.

The NDPR prescribes that for a Data Controller to process the Data Subject’s personal data, it must fall under any of the five lawful bases listed below;

• the Data Subject has given his consent to the processing of his personal data for one or more specific purposes; 
• it is necessary for the performance of a contract to which the data subject is a party;
• the processing is necessary for compliance with a legal obligation to which the Data Controller is subject; 
• it is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is
• physically or legally incapable of giving his consent; 
• the collection and processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller

Regulation 2.2(f) of the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 provides an additional basis where the processing of personal data by public institutions shall be lawful and legitimate which is the legitimate interest of the data subject. Furthermore, Regulation 2.2(g) provides that the processing of personal data by a public institution must be founded on public, legal and vital interest and the determination of these bases shall be subject to the following:

• the processing is directly or collaterally linked to the performance of a mandate stipulated by an act of the National Assembly;
• the processing is necessary for the promotion of the security or welfare of the citizens, justifiable in a democratic and free society; and
• a directive of the President in furtherance of the powers vested on that office by the Constitution or a legal instrument.

Regulation 2.3(2)(a) of the NDPR provides that where processing is based on consent, the Data Controller must be able to demonstrate that the Data Subject has consented to the process of his or her Personal Data and has the legal capacity to give consent.

In addition, Schedule 4, Regulation 35 of the Code of Practice Regulations specifies that in order to collect and maintain information on individual consumers, the information should be:

• fairly and lawfully collected and processed;
• processed for limited and identified purposes;
• relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with the consumer’s other rights;
• protected against improper or accidental disclosure; and
• not transferred to any party except as permitted by any terms and conditions agreed with the consumer, as permitted by any permission or approval of the NCC, or as otherwise permitted or required by other applicable laws or regulations.

The processing and disclosure of personal data are regulated by the laws listed above.

The processing and disclosure of Personal Data are also regulated to the extent that the data can only be used or disclosed in a legitimate manner; i.e., with consent and for the purpose for which consent was obtained, or as required/allowed under applicable law.

The NDPR provides that for Personal Data to be disclosed to a third party, the Data Controller is required to provide the Data Subject with information regarding the identity of the Third Party, the purpose of the processing, categories of data concerned, recipients or categories of recipients, the existence of a mechanism for access to and the mechanism to rectify the data concerning the Data Subject, etc. This information should be provided to the Data Subject at the time of undertaking the collection of such data or no later than when the data are first disclosed (if disclosure to a third party is envisaged).

The NDPR also states that a Data Subject should be given the option to object if his/her Personal Data will be disclosed to third parties or used on their behalf for direct marketing. In addition, every Data Subject should be able to obtain information regarding the purpose of the data processing, the categories of data concerned, the recipients or categories of recipients to whom the data are disclosed, as well as the procedure involved in any automatic processing of data concerning the Data Subject.

The NDPR requires data controllers to carry out a yearly audit of their data protection practices and process to ensure that they conform with the NDPR. This audit can only be conducted by organizations licensed as data protection compliance organizations by the NITDA. At the conclusion of the audit, data controllers that process the data of up to 2,000 data subjects in a period of 12 months are required to file their audit report with the regulator not later than the 15th of March the following year. A data controller that processes the personal data of more than 1000 data subjects in a period of 6 months is required to submit a soft copy of the summary of the audit to the NITDA. Furthermore, the Implementation Framework empowers the NITDA to at its discretion, carry out scheduled audits as well as spot checks or special audits to ascertain a data controller’s level of compliance with the NDPR as well as identify data breaches.

Regulation 2.10 of the NDPR imposes financial sanctions on a data controller where it is found to be in breach of any of the data privacy rights of a data subject. These sanctions include:

• in the case of a data controller dealing with more than 10,000 data subjects, payment of the fine of 2% of the annual gross revenue of the preceding year or payment of the sum of 10 million Naira whichever is greater; and
• in the case of a data controller dealing with less than 10,000 data subjects, payment of the fine of 1% of the annual gross revenue of the preceding year or payment of the sum of 2 million Naira whichever is greater.

In addition, a breach of the NDPR will be construed as a breach of the provisions of the NITDA Act 2007 and consequently, the penalties of the NITDA Act 2007 are also applicable. Section 18 of the NITDA Act 2007 provides that where no specific penalty is provided for an offense under the act, the offender will be liable on conviction:

• for a first offense, to a fine of 200,000 Naira or imprisonment for a term of 1 year or to both such fine and imprisonment; and
• for a second and subsequent offense, to a fine of 500,000 Naira or to imprisonment for a term of 3 years or to both such fine and imprisonment.

Any person that collects Personal Data is required to ensure that the information is properly stored, secured and retained only for the relevant period or as otherwise required by law.

Regulation 2.1 (c) of the NDPR provides that Personal Data shall be stored only for the period within which it is reasonably needed. Although the NDPR does not explicitly provide a timeframe for the retention of Personal Data, the Implementation Framework stipulates the timeframe that would apply where the retention of Personal Data is not specified in the contract between the parties or by applicable law.

Where a retention period is not specified, the retention period will be :

1. 3 years after the last active use of a digital platform 
2. 6 years after the last transaction in a contractual agreement 
3. in the case of death, when evidence is presented by the deceased’s relative
4. immediately upon request by the Data Subject or his/her legal guardian, provided there are no statutory provisions to the contrary and the Data Subject is not the subject of an investigation or suit that may require the Personal Data sought to be deleted.

Keeping data beyond the time period for which it is required increases the risk of a data breach if adequate provision is not made for its safekeeping. Data can be stored physically or virtually (such as in an online server). Data collected must be stored within Nigeria and, if it is to be transferred out of Nigeria, the NDPR requires that such transfer must be done under the supervision of the Honorable Attorney General of the Federation ("HAGF"). The HAGF is expected to assess the foreign jurisdiction where the data is to be transferred in order to determine whether such a country has the regulatory framework to adequately protect such information. The NDPR provides that where the data is to be transferred without the HAGF's supervision, the Data Subject must consent to such transfer after having been duly informed of this requirement of the NDPR and of the risks associated with such transfer without the HAGF's adequacy decision.

Regulation 3.1(9) and 3.1(10) of the NDPR provides that upon the receipt of a request from a Data Subject, a Data Controller is obligated to rectify or erase Personal Data immediately and without delay. The Data Controller is also required to take further steps to inform processors processing the Personal Data and any other person to whom the Personal Data has been disclosed, of the Data Subject's request. We should also mention that where the Data Controller fails to take action on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority. Any information provided to the Data Subject by a Data Controller in response to the Data Subject's request shall be done at no cost except otherwise provided in a public policy or law or the Data Controller is able to prove that the Data Subject's request is manifestly unfounded or excessive.

Regulation 3.1(9)(c) of the NDPR provides an exception to the general rule on data erasure where there are overriding legitimate grounds to continue processing the Personal Data even after the request for erasure has been made by the Data Subject.

The Cybercrimes Act provides that service providers are to keep all traffic data and subscriber information as may be prescribed by the relevant authority for the time being responsible for the regulation of communication services in Nigeria for a period of two years.

Section 58 of the Cybercrimes Act defines a service provider is defined as “any public or private entity that provides to users of its services the ability to communicate by means of a computer system, electronic communication devices, mobile networks; and any other entity that processes or stores computer data on behalf of such communication service or users of such service”.

The ICT Guidelines state that all government data should be hosted locally and require all ICT companies in Nigeria to "...host all subscriber and consumer data within the country." As indicated above, the NCC also places an obligation on licensees to ensure that the information that is collected is protected against improper or accidental disclosure and kept for no longer than is necessary.
The NCC Regulations also require that information collected and recorded as part of a licensee’s complaint-handling processes shall be retained by the licensee for at least 12 months following resolution of a complaint.

With specific regard to Internet service providers, paragraph 8 (“Records and Data Retention”) of the NCC's Guidelines on the Provision of Internet Services, require Internet service providers to retain Internet service-related information, including user identification, the content of user messages and traffic or routing data for a minimum period of 12 months or any other period directed by the NCC.

Section 29 of the NHA requires the person in charge of a health establishment who is in possession of a user’s health records to set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept. A person who fails to perform this duty shall be liable on conviction to imprisonment for a period not exceeding two years or to a fine of 250,000 Naira or both.

Data Subjects have rights of access to and correction of Personal Data. The NDPR stipulates that Data Subjects have a right to require Data Controllers to rectify, erase or block any data which does not comply with the provisions of the NDPR. Data controllers are required to undertake such rectification, erasure or blocking without excessive delay or expense to the Data Subject. In addition, a Data Subject may request for a copy of his Personal Data and transmit the to another processing system by automated means, where technically feasible.

The Code of Practice Regulations requires licensees of the NCC to establish appropriate processes or mechanisms for the identification and correction of inaccuracies in individual consumer information.

The NCC Regulations also provide that any subscriber whose personal information is stored in the NCC’s central database or a licensee’s database shall be entitled to view the personal information and to request updates and amendments to such information.

Section 23 of the NHA requires healthcare providers to give users relevant information about their state of health and necessary treatment relating to the users' health status, the range of diagnostic procedures and treatment options generally available to the user, the benefits, risks, costs and consequences generally associated with the option and the users right to right to refuse health services as well as the implications of such refusal. The only exception to this is where the disclosure of the user’s health status would be contrary to the best interests of the user. 

In addition to the foregoing, the CBN Regulations state that financial institutions shall create convenient avenues through which customers can update their details as the need arises in order to ensure data accuracy and ultimately enhance protection.

Personal Data can be transferred for processing or storage outside Nigeria. If the data is to be transferred out of Nigeria, the NDPR requires that such transfer must be done under the supervision of the Honorable Attorney General of the Federation ("HAGF"). The HAGF is expected to assess the foreign jurisdiction to which the data is to be transferred in order to determine whether such a country has the regulatory framework to adequately protect such information.

The NDPR provides that where the data is to be transferred without the HAGF's supervision, the Data Subject must give his/her consent to such transfer after having been duly informed of this requirement of the NDPR and of the risks associated with such transfer without the HAGF's adequacy decision.

The NDPR Implementation Framework provides that an adequate decision in respect of a transfer of personal data to a foreign country will be issued by the NITDA provided the information required for approving such transfer is satisfactorily provided by the Data Controller. The adequacy decision must be made under the supervision of the HAGF’s Office.

The NITDA has published a list of countries on a “White List”. These are countries deemed by the NITDA to have adequate Data Protection Laws for the purposes of cross-border data transfer. The NITDA permits the cross-border transfer of Personal Data outside Nigeria or the onward transfer from or to a party in a jurisdiction on the White List. It is expected that the process of obtaining an adequacy decision for the transfer of data to a country on the White List will be less rigorous than for a transfer to a country that is not mentioned on the list.

The HAGF, in his supervisory role, has the discretion to prohibit the transfer of the Personal Data of Nigerian citizens or residents to countries where he is of the opinion that the country’s data protection regime is inadequate or incompatible with Nigerian law.

Data Controllers are allowed to transfer Personal Data to countries on the White List provided the organization complies with the provisions of the NDPR. The transfer of data to any country other than the ones listed, by a Data Controller or Administrator in its request for an adequacy decision, shall be subject to further processes to ascertain the adequate protection of the Personal Data of Nigerian citizens and residents

Regulation 10(4) of the Registration of Telephone Subscribers Regulations 2011 also provides that no subscriber information shall be transferred outside Nigeria without the prior written consent of the NCC.

As stated above, the ICT Guidelines provide that all government data should be hosted locally and requires all ICT companies in Nigeria to host all subscriber and consumer data locally within the country.

In addition, the BVN Framework requires that Bank Verification Number (“BVN”) data must be stored in Nigeria and must not be transferred outside of Nigeria without the consent of the CBN. The BVN is a unique identification number assigned to each customer of a Nigerian bank, which can be verified across all banks in Nigeria. The BVN Framework does not define what constitutes “BVN data”, however, it is expected that this term would mean all information provided by the customer to the bank in connection with the application for the BVN. This information includes the customer’s name, date of birth, residential address, telephone number, and gender, among others.

The NDPR Implementation Framework provides that Data Controllers have a duty of self-reporting Personal Data breaches to the NITDA within 72 hours of becoming aware of such breach. The timeline should be documented in the organization’s data protection policy and data privacy policy. The Data Controller is also expected to immediately notify the Data Subject of the Personal Data breach where the Personal Data breach will likely result in high risks to the freedom and rights of the Data Subject. Notification of data breach to NITDA must include the following information:

1. a description of the circumstances of the loss or unauthorized access or disclosure; 
2. the date or time period during which the loss or unauthorized access or disclosure occurred; 
3. a description of the personal information involved in the loss or unauthorized access or disclosure; 
4. an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure; 
5. an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure; 
6. a description of steps the organization has taken to reduce the risk of harm to individuals; 
7. a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure, and 
8. the name and contact information for a person who can answer, on behalf of the organization, the Agency’s questions about the loss of unauthorized access or disclosure.

The Cybercrimes Act provides that any person or institution who operates a computer system or a network, whether public or private, shall immediately inform the National Computer Emergency Response Team ("CERT") Coordination Center of any attack, intrusion and other disruption liable to hinder the function of another computer system or network so that the National Computer Emergency Response Team Coordination Center can take the necessary measures to tackle the issues.

The key privacy regulator in Nigeria is the National Information Technology Development Agency ("NITDA"), the agency oversees the administration, implementation and enforcement of the provisions of the NDPR.  On February 4, 2022, the President of the Federal Republic of Nigeria, President Muhammadu Buhari announced the establishment of a dedicated data protection agency for Nigeria which is to be known as the Nigerian Data Protection Bureau ("NDPB"). This means that going forward, the NDPB and not the NITDA will be responsible for the enforcement of data protection regulations and for the administration of all related data protection matters in Nigeria. The NDPB will be operating within the existing regulatory framework i.e. the Regulation and the NDPR Implementation Framework pending when a substantive Data Protection Bill will be enacted to create a regulatory framework for the establishment and administration of the NDPB and related data protection matters. There are also other regulators operating within specific sectors and who have published privacy/data protection regulations to be observed by their licensees, such as the NCC and the CBN.

A privacy breach could attract both criminal and civil sanctions. The consequences of a privacy breach are usually set out in the law or regulations which prescribe the privacy obligation. Examples are set out below:
The NDPR provides that any person (individual or corporate) that is subject to the Regulation and found to be in breach of the data privacy rights of any Data Subject shall be liable in addition to any other criminal liability, the following:

• in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira whichever is greater;
• in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira whichever is greater.

In addition to the penalties stipulated in the NDPR, the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 provide that a public institution can be penalized for non-compliance with the provisions of the guidelines. Where the public institution is found to be in breach of the guidelines, it will be liable to a fine of 200,000 Naira in the case of a first conviction, or 500,000 Naira in the case of second and subsequent convictions. A public institution may be subject to penalties under both the guidelines and the regulation for the same incidence of non-compliance, where applicable.

The Cybercrimes Act provides that any person or organization that fails to report an attack incident to the CERT within 7 days of its occurrence as required commits an offense and shall be liable to denial of Internet services in Nigeria and to payment of a mandatory fine of 2 million Naira into the National Cyber Security Fund.

The NCC Regulations prescribe fines for the following offenses which amount to dealing with subscriber information in a manner inconsistent with the provisions of the regulations:

• retaining, duplicating or dealing with subscriber information in contravention of any of the provisions of the NCC Regulations (which attracts a fine of 200,000 Naira); and
• utilizing subscriber information in any business, commercial or other transactions, (which attracts a fine of 1 million Naira)

The Code of Practice Regulations states that the contravention of any of its provisions will make the offender liable to such fines, sanctions or penalties as may be determined by the NCC from time to time.

The CBN Regulations provide for the following sanctions which may apply to any breach of the CBN Regulations:

• refund to customers in line with relevant regulations issued by the CBN (where a breach of the Regulations has occasioned loss to the customer);
• letter of apology; 
• restriction on activities of the financial institution;
• suspension of the financial institution from inter-bank activities; 
• suspension/withdrawal of the financial institution’s foreign exchange dealership license; 
• denial of approvals; 
• publication of infractions and sanctions; 
• monetary penalties; 
• product recall; 
• cancellation of advertisements 
• warning letters to the management /board of directors of the financial institution
• suspension/removal of culpable board/management staff/employees; 
• referral to law enforcement agencies for prosecution; 
• revocation of banking license; and 
• other sanctions that may be deemed appropriate by the CBN.

A person who discloses a “classified matter” in contravention of the provisions of the Official Secrets Act, will be liable (on conviction on indictment) to imprisonment for a term not exceeding fourteen years; or on summary conviction, to imprisonment, for a term not exceeding two years and/or a fine of an amount not exceeding 200 Naira. 

Section 29 of the NHA requires the person in charge of a health establishment who is in possession of a user’s health records to set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept. A person who fails to perform this duty shall be liable on conviction to imprisonment for a period not exceeding two years or to a fine of 250,000 Naira or both.

The NDPR provides that the consent of the Data Subject must be obtained by the Data Controller for any direct marketing activity.

The Code of Advertising Practice Sales Promotion and other Rights/Restrictions on Practice issued by the Advertising Practitioners Council of Nigeria (“APCON Code”) provides that all advertising and marketing communications directed to the Nigerian market using the Internet and other electronic media are subject to the laws regulating advertising practice in Nigeria.

In relation to electronic marketing, the APCON Code states that the commercial nature of the communication must be made clear in the subject header, the terms of the offer and the mode of entering into the contract must be clear and there must be a transparent mechanism to enable the consumer to opt-out from future solicitation. In addition, when advertising to minors, their personal information cannot be disclosed to third parties without parental consent. If the product is unsuitable for children, it must be clearly identified in the subject line of the message.

With regard to unsolicited electronic marketing, the Cybercrimes Act makes it an offense to engage in spamming. ‘Spamming’ is defined as “the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages to individuals and corporate organizations”. The Cybercrimes Act provides that any person who engages in spamming with intent to disrupt the operations of a computer (whether private or public or that of a financial institution) is guilty of an offense and liable upon conviction to imprisonment for a term of three years and/or a fine of 1 million Naira.

In addition, the Code of Practice Regulations states that no licensee of the NCC shall engage in unsolicited telemarketing unless it discloses:

• at the beginning of the communication, the identity of the licensee or any other person on whose behalf it is made and the precise purpose of the communication;
• during the communication, the full price of any product or service that is the subject of the communication; and
• that the person receiving the communication shall have an absolute right to cancel the agreement for purchase, lease or other supply of any product or service within seven days of the communication, by calling a specific telephone number (without any charge, and that the licensee shall specifically identify during the communication) unless the product or service has by that time been supplied to and used by the person receiving the communication.

Licensees of the NCC are also required to conduct telemarketing in accordance with any “call” or “do not call” preferences recorded by the consumer, at the time of entering into a contract for services or after, and in accordance with any other rules or guidelines issued by the NCC or any other competent authority.

The NCC, by virtue of the Guidelines on Short Code Operation in Nigeria 2011 (and reiterated by the NCC in 2016) also prohibits mobile network operators from making, or allowing their networks to be used to make, unsolicited calls or sending unsolicited text messages to their subscribers without each subscriber’s consent. The NCC requires that subscribers must be given the choice to opt out of receiving such unsolicited calls and/or messages. Contravention of this directive attracts a fine of 500,000 Naira.

The Guidelines for the Provision of Internet Service issued by the NCC provide that Internet Service Providers (“ISPs”) must take reasonable steps to promote compliance with the following requirements for commercial email or other commercial communications transmitted using the ISP’s services:

• the communication must be clearly identified as a commercial communication;
• the person or entity on whose behalf the communication is being sent must be clearly identified;
• the conditions to be fulfilled in order to qualify for any promotional offers, including discounts, rebates or gifts, must be clearly stated;
• promotional contests or games must be identified as such, and the rules and conditions to participate must be clearly stated; and
• persons transmitting unsolicited commercial communications must take account of any written request from recipients to be removed from mailing lists, including by means of public “opt-out registers” in which people who wish to avoid unsolicited commercial communications are identified.

The Federal Competition and Consumer Protection Act, 2019 ("FCCPA") applies to all commercial activities within or having an effect in Nigeria regardless of the means of carrying out the activity or whether the entity carrying out the activity is local or foreign. The FCCPA provides that a producer, importer, distributor, retailer, trader or service provider shall not, in pursuance of trade and for the purpose of promoting or marketing, directly or indirectly, goods or services, make any representation to a consumer in a manner that is likely to imply any false, misleading, erroneous or fraudulent representation of information. 

In addition, any term or condition of an agreement for the sale of any goods or services is void to the extent that it purports to establish minimum prices to be charged on the resale of the goods or services in Nigeria. The FCCPA also provides that an undertaking shall not conspire, combine, agree or arrange with another undertaking to unduly reduce competition in the sale of any goods or services or in the price of personal or property insurance. The meaning of “sale” under the act includes advertisements for sale, displays for sale and offers for sale. Generally, the FCCPA frowns upon unfair marketing, regardless of the means of marketing.

The Cybercrimes Act provides that any person who engages in spamming activities with the intention of disrupting the operations of a computer (whether private or public or that of a financial institution) is guilty of an offense and liable, upon conviction, to imprisonment for three years or to a fine of 1 million Naira, or both a fine and a term of imprisonment.

Yes, on February 4, 2022, the President of the Federal Republic of Nigeria, President Muhammadu Buhari announced the establishment of a dedicated data protection agency for Nigeria which is to be known as the Nigerian Data Protection Bureau ("NDPB"). This means that going forward, the NDPB and not the NITDA will be responsible for the enforcement of data protection regulations and for the administration of all related data protection matters in Nigeria. The NDPB will be operating within the existing regulatory framework i.e. the Regulation and the NDPR Implementation Framework pending when a substantive Data Protection Bill will be enacted to create a regulatory framework for the establishment and administration of the NDPB and related data protection matters. It is expected that there will be another draft of legislation to replace the draft Data Protection Bill 2020 which was released by the National Identity Management Commission ("NIMC") and the NITDA, as this bill seems to have been jettisoned when the NIMC placed adverts in selected national newspapers seeking to engage experts to draft a new document.¹

__________

[1] https://www.premiumtimesng.com/news/top-news/495768-data-protection-indignation-as-fg-abandons-draft-bill-seeks-consultants-for-fresh-process.html