Examining the Powers of the NITDA to Enforce Data Protection Laws in Nigeria

Abstract

In Nigeria, the right to privacy is protected under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria by providing that: ‘[t]he privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected. A host of other general and sector-specific legislation serves to safeguard (informational) privacy. A number of these legislations, including especially the 2019 Nigeria Data Protection Regulation (NDPR)—currently the most comprehensive of all existing informational privacy/data protection laws – is made and enforced by the country’s foremost information technology agency, i.e., the National Information Technology Development Agency (NITDA). However, there have arisen controversies regarding the powers of the NITDA to make or enforce data protection laws in Nigeria. To frame the question more clearly, it has been asked whether the NITDA has the power to enforce data protection requirements and penalties stipulated in the 2007 NITDA Act and the NDPR. This article (1) examines the role of the NITDA in data protection; (2) considers the validity of the NITDA Act, the NDPR (and other subsidiary legislation); and (3) contemplates the power of the NITDA to issue sanctions in case of non-compliance by affected entities. This article questions certain fundamental assumptions around the formulation, interpretation, and application of Nigeria’s data protection laws. Our contribution effectively lays to rest controversies surrounding NITDA’s powers of enforcement – a conclusion, which, in our opinion, remains valid until a contradictory legal judicial position, is declared. Nigeria, Nigeria Data Protection Regulation, NDPR, National Information Technology Development Agency, NITDA, Data Protection, Privacy