Blog

Regulatory Guidelines for Blockchain Technology Start-Ups in Nigeria.

aeolawpractice

Introduction

Blockchain and distributed ledger technology (DLT) are transforming Nigeria’s digital economy, offering innovative solutions across finance, supply chain, and governance. As adoption grows, so does the need for a robust regulatory framework to ensure compliance, investor protection, and market stability. The Securities and Exchange Commission (SEC) and the Central Bank of Nigeria (CBN) have introduced regulations to guide Virtual Asset Service Providers (VASPs), Digital Investment Service Providers (DISP) and businesses leveraging blockchain. This article outlines Nigeria’s regulatory requirements, focusing on SEC’s 2024 Amended Digital Asset Rules, the Investment and Securities Act 2025 (ISA 2025), and CBN’s compliance rubrics, providing actionable guidance for businesses.

Understanding Nigeria’s Blockchain Regulatory Framework

Nigeria’s regulatory approach balances innovation with oversight. The SEC classifies most digital assets—stablecoins, utility tokens, and asset-referenced tokens—as securities unless proven otherwise, requiring registration for entities issuing, trading, or managing these assets targeting Nigerian investors. The CBN, while historically cautious about cryptocurrencies, has shifted to permit regulated VASPs to operate bank accounts under specific conditions, reflecting a pragmatic embrace of blockchain’s potential.

The National Blockchain Policy, approved in May 2023, underscores Nigeria’s commitment to blockchain adoption, though it lacks legislative force. It serves as a guide for businesses, emphasizing innovation and economic growth. The introduction of the eNaira, a central bank digital currency (CBDC), and Nigerium, a blockchain that is entirely owned and controlled by Nigeria, further highlights Nigeria’s blockchain integration, regulated by the CBN and NITDA respectively.

Key Regulatory Bodies and Their Roles

  1. Securities and Exchange Commission (SEC): Oversees digital assets as securities under the ISA 2025, regulating VASPs, exchanges, and custodians. The SEC’s 2024 Amended Digital Asset Rules provide a comprehensive framework for compliance.
  2. Central Bank of Nigeria (CBN): Regulates financial institutions and VASPs’ banking operations, enforcing anti-money laundering (AML) and know-your-customer (KYC) requirements.
  3. National Information Technology Development Agency (NITDA): Supports blockchain adoption through initiatives like the National Blockchain Adoption Strategy and data protection regulations.

SEC Regulatory Requirements for VASPs

The SEC’s 2024 Amended Digital Asset Rules and ISA 2025 outline specific obligations for VASPs, categorized by their activities:

(a) Licensing Categories:

(i)Digital Asset Offering Platform (DAOP): Facilitates token or coin offerings.

(ii) Digital Asset Exchange (DAX): Operates trading markets, including Over the Counter (OTC) and brokerage models.

(iii) Digital Asset Custodian (DAC): Provides safekeeping and asset management.

(iv) Digital Asset Intermediary (DAI): Offers brokerage, advisory, or trustee services

(v) Operators may hold multiple licenses if they meet each category’s requirements.

(vi) Accelerated Regulatory Incubation Program (ARIP): A 12-month program allowing startups to test models under SEC supervision before full registration, ideal for refining innovative services.

(b). Corporate Governance

(i) Minimum of five directors, including one independent non-executive, a non-executive chairman, an executive with fintech expertise, and 60% Nigerian citizens.

(ii) CEO tenure capped at 10 years.

(iii)Mandatory board committees: Nomination, Governance, Audit, Remuneration, and Risk.

(c) Financial Requirements: DAXs and DACs require a minimum paid-up capital of ₦1 billion, with varying thresholds for other VASPs.

(d) Advertising Compliance:

(i) Advertisements must be SEC-approved, clear, and non-misleading.Prohibited claims include “double your money” or “secure your future.”

(ii) Unverified influencers are banned, and compliance with Advertising Regulatory Council of Nigeria (ARCON) guidelines is mandatory.

(e) Privacy Coins Ban: To combat money laundering and exit the FATF Grey List, Nigeria prohibits privacy coins that obscure transaction details or user identities.

(f) Foreign VASPs: Foreign operators not targeting Nigerians may qualify for a “reverse solicitation” exemption. However, active marketing (e.g., local ads, influencers, or events) triggers registration requirements. VASPs licensed in International Organization of Securities Commissions (IOSCO), West African Securities Regulators Association (WASRA), or reciprocal jurisdictions may apply for conditional exemptions if they meet Nigerian standards.

CBN Regulatory Compliance Requirements

The CBN’s regulatory framework, while not blockchain-specific, imposes critical compliance obligations on businesses using blockchain/DLT, particularly VASPs. Key requirements include:

a.  Guidelines on Operations of Bank Accounts for VASPs (December 2023): VASPs registered with the SEC can open bank accounts with CBN-regulated institutions, provided they obtain SEC license. However, CBN-regulated entities are prohibited from dealing in cryptocurrencies or facilitating payments for unregistered VASPs. Accounts of non-compliant entities must be identified and closed by banking and financial institutions.

b. Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) Regulations (2019): VASPs must implement robust AML/CFT policies, including transaction monitoring and suspicious activity reporting, to prevent financial crimes.

c. Three-Tier KYC Requirements (2013): Businesses must verify customer identities through tiered KYC processes, ensuring traceability of blockchain transactions. This addresses anonymity concerns, requiring platforms to link user addresses to real identities.

d. Risk-Based Cybersecurity Framework (2019): VASPs must adopt cybersecurity measures, including governance, risk management, and resilience assessments, to protect digital assets and customer data.

e. Consumer Protection Framework: VASPs must safeguard consumer data and implement measures to prevent unauthorized disclosures, aligning with the Nigerian Cybercrime (Amendment) Act 2024.

These requirements ensure VASPs operate transparently and securely within Nigeria’s financial system, complementing SEC regulations.

Other Relevant Laws and Regulations

a. The NDPA-GAID 2025 provides detailed guidance under the Nigeria Data Protection Act 2023, setting data governance standards for all entities processing Nigerians’ personal data, locally or abroad. Blockchain businesses must carry out Data Privacy Impact Assessments, appoint certified Data Protection Officers, and file annual compliance audits if classified as major data controllers or processors. They must ensure transparency, implement privacy-by-design, uphold user rights, and obtain explicit consent for cookies and tracking on their platforms

b. Companies and Allied Matters Act (CAMA) 2020: Governs corporate registration and operations for all businesses, including fintechs.

c. Federal Competition and Consumer Protection Act (2018): Protects consumers from unfair practices, applicable to digital asset services.

d. Cybercrime (Amendment) Act 2024 mandates stricter compliance for electronic platforms handling user information, and enhancing enforcement against cyber fraud. Importantly for Virtual Asset Service Providers (VASPs), and blockchain-based services within the scope of its cybersecurity and data governance obligations mandates traceability of all transactions, log maintenance and cooperation with investigative authorities. The Act also introduces higher penalties for non-compliance with know-your-customer (KYC) obligations, aligning with Nigeria’s broader anti-money laundering (AML) strategy.

Practical Guidance for Businesses

1.Assess Your Business Model: Determine if your services fall under DAOP, DAX, DAC, or DAI categories and apply for the appropriate SEC licenses. Use ARIP for pilot projects.

2. Secure CBN Compliance: Register with the SEC to access banking services and implement AML/CFT, KYC, and cybersecurity measures to meet CBN standards.

3.Establish Governance: Appoint a compliant board with Nigerian representation and establish required committees to ensure transparency.

4.Mind Marketing Practices: Obtain SEC and ARCON approval for ads, avoiding misleading claims or unverified influencers.

5.Avoid Privacy Coins: Ensure your platform does not support privacy coins to comply with Nigeria’s anti-money laundering efforts.

6. Prepare Financially: Meet the ₦1 billion capital requirement for DAXs/DACs and budget for registration fees and compliance costs.

7.Foreign Operators: If the intention is to target foreigners, maintain a passive presence to avoid SEC registration. If marketing locally, secure a license.

8.Engage Experts: Consult legal expert on fintech matters to navigate SEC and CBN requirements, ensuring compliance with local laws.

Conclusion

Nigeria’s blockchain regulatory framework, led by the SEC’s 2024 Amended Digital Asset Rules, ISA 2025, and CBN’s compliance requirements, provides a clear path for businesses to thrive while ensuring investor protection and market integrity. By securing SEC licenses, adhering to CBN’s AML/CFT and KYC mandates, and aligning with data protection laws, blockchain businesses can build trust and sustainability. Early engagement with regulators through programs like ARIP and robust governance will position entrepreneurs to lead in Nigeria’s dynamic digital economy.

Written by Adeola Osifeko LLB, LLM, ACIS, ABR. Principal Partner at AEO Law Practice. Contact adeola@aeolawpractice.com

The Role of Blockchain in Africa: Understanding the Technology and Its Impact.

aeolawpractice

What is Blockchain?

Blockchain is a secure, decentralized database that allows all participants in a network to access real-time, tamper-proof information simultaneously. This transparency and reliability are especially valuable in Africa, where trust in centralized systems is often undermined by inefficiencies, bureaucracy, or corruption. In this context, blockchain presents a powerful tool for building confidence in data and transactions.

Its potential becomes even more significant under the African Continental Free Trade Area (AfCFTA),which brings together 54 nations to form the world’s largest free trade zone. As AfCFTA works to boost intra-African trade and integration, blockchain can help overcome key obstacles by streamlining cross-border transactions, lowering costs, and fostering trust among trading partners.

How does blockchain work?

Blockchain is a type of distributed ledger technology (DLT) that records transactions across multiple computers, or nodes, in a network. Unlike traditional databases controlled by a single entity, blockchain distributes the power to update the ledger among participants. This ensures no single party can alter the data without consensus, making it highly secure.

In Africa, consider a smallholder farmer in Kenya using a blockchain-based platform like AgriLedger. When the farmer sells maize to a cooperative, the transaction is recorded in a secure, encrypted “block” and distributed across participants within the network. Each block is encrypted with a unique, unchangeable hash and linked to the previous block, forming a chain. This chain is shared across the network, allowing buyers, cooperatives, and regulators to verify the transaction’s authenticity. Nodes, such as local cooperatives or tech hubs, are rewarded with digital tokens for validating these transactions.

The blockchain’s cryptographic security requires two keys: a public key (like an account number) and a private key (a secure password). For instance, a cocoa farmer using the Agriledger platform would use their public key to receive payments on the blockchain, while the private key would be used to authorize transactions. This ensures that only the rightful owner of the private key can access and control the funds.

What is proof of work and how is it different from proof of stake?

Blockchain networks use consensus mechanisms to validate transactions. In Africa, public blockchains like Bitcoin or Ethereum use either proof-of-work or proof-of-stake to achieve this.

In a proof-of-work system, nodes (or miners) compete to solve complex cryptographic puzzles to validate transactions. First to solve the puzzle earns tokens. For instance, in Nigeria, where crypto adoption is high, early Bitcoin miners used proof-of-work to earn rewards, though the energy-intensive process has raised concerns about unreliable electricity.

In contrast, proof-of-stake selects validators based on the amount and duration of cryptocurrency they hold. In Ethiopia, a blockchain platform for coffee exports could use proof-of-stake, where traders with more staked coffee-backed tokens have a higher chance of validating transactions, earning rewards without heavy energy use. This shift, as seen in Ethereum’s 2022 “Merge,” is more sustainable for Africa’s energy-constrained environments.

How can businesses benefit from blockchain?

Blockchain and DLT offer African businesses opportunities to reduce risks, lower costs, and enhance transparency. Here are key benefits with local examples:

  • Reduced risk and lower compliance costs: In South Africa, banks spend millions annually on “know your customer” (KYC) processes. A blockchain-based KYC system, like that piloted by Standard Bank, could require only one verification per customer, shared across institutions. This cuts costs and improves customer onboarding for rural clients accessing microfinance.
  • Traceable & Sustainable Transactions: African businesses engaged in cross-border trade often encounter significant delays due to paperwork and inefficient processes. However, digital innovations are beginning to change this landscape. A notable example is a Rwandan coffee exporter who decides to leverage the blockchain-based platform Bext360, which utilises blockchain, IoT, and AI, guaranting end-to-end traceability of the exporter’s coffee shipments—from farms in Rwanda to markets in Europe, ensuring transparency, ethical sourcing, and sustainability throughout the supply chain.
  • Automated and secure contract fulfillment: Smart contracts—self-executing agreements coded on a blockchain—can automate processes. A Nigerian solar energy company like Switch Electric integrates smart contracts on a blockchain to manage pay-as-you-go solar systems. When a customer pays via mobile money, the contract automatically activates their solar panel, reducing manual oversight and ensuring reliable energy access.

How are blockchain, cryptocurrency, and decentralized finance connected?

Blockchain underpins cryptocurrencies like Bitcoin and Ethereum, enabling secure, intermediary-free transactions. In Africa, where 60% of the population is unbanked, cryptocurrencies offer an alternative to traditional banking. For example, in Nigeria, platforms like Binance allow traders to buy and sell crypto using local currencies, bypassing slow bank transfers.

Decentralized finance (DeFi) takes this further by replacing financial intermediaries with smart contract-based services. In Kenya, a DeFi platform like Aave could enable peer-to-peer lending, where a boda boda driver borrows funds directly from investors via blockchain, with terms enforced by smart contracts. This empowers users with greater control over their finances, crucial in regions with limited banking infrastructure.

What else can blockchain be used for?

Beyond cryptocurrencies, blockchain has diverse applications in Africa:

  • Immutable audit trails: In Zimbabwe, where land disputes are common, blockchain can create tamper-proof land title records. A project like Bitland uses blockchain to log property transactions, ensuring transparency and reducing fraud.
  • Supply chain tracking: In Côte d’Ivoire, blockchain tracks cocoa from farm to export, ensuring ethical sourcing. Companies like Farmerline use blockchain to verify the origin of produce, building trust with international buyers and ensuring fair pay for farmers.
  • Smart contracts for governance: In Ghana, blockchain-based voting systems are being explored to enhance election transparency. Smart contracts could automatically tally votes, reducing the risk of manipulation.

How might blockchain evolve over time?

Blockchain’s future in Africa hinges on two trends:

  • Blockchain as a Service (BaaS): Cloud-based BaaS platforms, like those offered by Amazon Web Service (AWS) or Microsoft Azure, allow African startups to build blockchain solutions without heavy infrastructure costs. For instance, a Nigerian fintech could use BaaS to create a remittance platform, lowering fees for diaspora transfers.
  • Interoperability: As blockchain networks grow, interoperability will enable data sharing across platforms. For example, a blockchain like MediConnect, used in other African regions, could be adapted to ensure interstate hospitals share only necessary data (e.g., treatment history for emergencies) with patient consent, while anonymizing or restricting non-essential data. Regional agreements, like those under the East African Community, could further standardize cross-border data-sharing protocols.

These trends align with growing demands for transparency in supply chains (e.g., ethical mining in the DRC) and economic pressures pushing for cost-effective solutions. However, regulatory clarity and cybersecurity advancements are critical to unlocking blockchain’s full potential in Africa.

What are some concerns around the future of blockchain?

Blockchain technology is complex and rapidly evolving, yet the expertise required to effectively harness its potential across various applications remains limited in Africa. The successful implementation of blockchain solutions relies heavily on consistent access to electricity, widespread internet connectivity, and a population with adequate technical skills—resources that continue to be scarce in many parts of the continent. Adding to these challenges, blockchain platforms are often built using different programming languages and operate on diverse infrastructures, which creates significant interoperability issues and increases the risk of obsolescence as new technologies emerge.

Beyond these foundational barriers, scalability presents another critical challenge. Many established blockchains, such as Bitcoin, struggle to handle high transaction volumes efficiently—an important consideration in densely populated markets like Nigeria. Furthermore, the energy-intensive proof-of-work consensus mechanism commonly used by these blockchains is often impractical in regions with unreliable power supply. However, alternative consensus models like proof-of-stake offer promising solutions to these energy concerns.

In Nigeria specifically, blockchain adoption is gradually gaining regulatory balance as authorities like the Central Bank of Nigeria and the Securities and Exchange Commission unify policies. Although restrictions on major cryptocurrency platforms such as Binance and Coinbase create uncertainty.

At the same time, cybersecurity risks, illustrated by incidents like the hacking of South Africa’s centralized exchange VALR, reveal vulnerabilities within the ecosystem. Moreover, competing financial technologies—such as mobile money platforms like Kenya’s M-Pesa—continue to dominate the payments landscape due to their relative simplicity and widespread adoption, potentially outpacing blockchain solutions in the near term.

Final Thoughts.

While blockchain isn’t a cure-all, by enabling responsible supply chains—those that are transparent, ethically sourced, and sustainable—blockchain strengthens trust and accountability across borders. This is critical for advancing the African Continental Free Trade Area (AfCFTA), which seeks to unify 54 countries into a single market. Through technologies like smart contracts, digital ledgers, and real-time data sharing, blockchain can reduce trade friction, lower costs, and accelerate the movement of goods and services.

Furthermore, the integration of smart contract governance offers a new level of automation and trust in cross-border transactions. By encoding trade agreements into self-executing digital contracts, parties can minimize disputes, enforce compliance automatically, and ensure fairness in trade practices—especially vital in a diverse and multi-jurisdictional context like Africa. Complementing this is blockchain’s capacity to create immutable audit trails, which provide a tamper-proof historical record of every transaction, shipment, and contract execution. This level of transparency deters fraud, simplifies compliance, and builds long-term institutional trust.

However, the transformative potential of blockchain in Africa hinges on the continent’s ability to adapt, innovate, and implement thoughtful regulation. Effective governance frameworks, digital infrastructure, and cross-border legal harmonization will be essential to ensure inclusive, secure, and scalable adoption. With the right ecosystem in place, blockchain can be a cornerstone technology for a unified, resilient, and future-ready African trade landscape

Source:

  1. Mckinsey & Company, ‘What is blockchain’ Mckinsey Explainers June 2024
  2. Raymond Ofagbor and Deweni Apulu, ‘The Role of Crypocurrency and Blockchain Technology in Fostering Growth & Promoting Trade in Africa’ Aelex Article Series August 2023. <https://www.aelex.com/the-role-of-cryptocurrency-and-blockchain-technology-in-fostering-growth-and-promoting-trade-within-the-afcfta/> Accessed on 3 June 2025.

Written by Adeola Osifeko LLB, LLM, ACIS & ABR. Partner at AEO Law Practice

Blockchain & AI in Nigerian Governance: Building a Transparent Digital Future.

aeolawpractice

Introduction: A Nation at the Cusp of Digital Transformation.

Nigeria is stepping boldly into a new era where emerging technologies—most notably blockchain, artificial intelligence (AI), and robotic process automation (RPA)—are poised to redefine governance, transparency, and national development.

On May 31, 2025, the Federal Government of Nigerian announced its intention to deploy AI and blockchain technologies across Ministries, Departments, and Agencies (MDAs). This announcement, combined with a robust national blockchain policy initiative, marks a coordinated push to ensure technology becomes a central pillar of public administration and inclusive economic growth.

Why Blockchain and AI Matter for Governance..

AI and blockchain are transitionary technology pathways—they are practical tools that can revolutionize how governments operate. AI can automate repetitive administrative tasks, identify inefficiencies, and enhance decision-making with real-time data. Blockchain, on the other hand, offers a decentralized and tamper-proof method for recording transactions and maintaining transparent records.

For example, imagine a public procurement process where every step—from bidding to payment—is recorded on a blockchain. This would make it nearly impossible to manipulate data or hide irregularities, thereby curbing corruption and improving trust in public systems.

Dr. Dasuki Arabi, Director General of the Bureau of Public Service Reforms (BPSR), emphasized that this technology will augment existing digital platforms like the Treasury Single Account (TSA), Integrated Payroll and Personnel Information System (IPPIS), and the Government Integrated Financial Management Information System (GIFMIS)—all of which have already saved Nigeria billions in leakages.

From Vision to Policy: The Roadmap for Blockchain in Nigeria.

The Federal Government of Nigeria on 16 May 2025 officially released the whitepaper titled: “Co-Creating a Roadmap for Blockchain in Nigeria,” outlining critical steps for Nigeria to fully harness the potential of blockchain. Building on NITDA’s 2023 National Blockchain Strategy, the roadmap proposes a comprehensive and inclusive policy framework that emphasizes transparency, financial inclusion, and digital identity.

In practical terms:

  • Financial Inclusion: Blockchain can reduce transaction costs by up to 80%, making it easier for underserved populations—especially in rural areas—to access banking and financial services.
  • Agriculture and Supply Chains: Blockchain can track agricultural goods from farms to markets, reducing fraud and spoilage. For instance, a blockchain-enabled supply chain can ensure that fertilizers delivered to farmers are not diverted, which has been a recurring challenge in Nigeria.
  • Digital Identity: Over 70 million Nigerians still lack formal identification. Blockchain-based digital IDs can provide secure, verifiable identities, opening doors to education, banking, healthcare, and more.

Engaging the Best Minds: A Research-Driven Approach.

Nigeria is not leaving its blockchain future to chance. Using data from platforms like http://Lens.org. and insights from global blockchain journals, the federal government identified 21 top Nigerian researchers active in the blockchain field. These experts are now being engaged to help guide policy formulation and innovation.

The roadmap even includes a crowd-sourcing initiative, inviting public input to ensure that the list of researchers and contributors is as representative and comprehensive as possible. This open and collaborative approach sets Nigeria apart, creating a policy grounded in both global best practices and local realities.

Skills for a Smart Future: Building Digital Capacity.

Recognizing that no technology can succeed without skilled people behind it, the Federal Government plans to train over 500,000 public servants in emerging technologies, including AI and blockchain. These capacity-building efforts are critical for maintaining and scaling digital systems across all MDAs.

Moreover, NITDA plans to set up research centers across Nigeria’s six geo-political zones, focusing on AI, IoT, and blockchain. This decentralized innovation strategy ensures that every region of Nigeria contributes to—and benefits from—tech-driven growth.

A Nigerian Blockchain for Nigeria’s Future: Introducing Nigerium.

In a bold move toward data sovereignty, NITDA is also developing an indigenous blockchain platform called “Nigerium.” This platform will allow Nigerian developers and government bodies to build solutions on a secure, homegrown infrastructure. Unlike foreign-controlled blockchains, Nigerium is designed with Nigeria’s regulatory, cultural, and infrastructural context in mind.

Conclusion: The Road Ahead.

Nigeria is doing more than adopting new technologies—it is reimagining governance, citizenship, and national development through innovation. The fusion of AI, blockchain, and RPA will not only make government more transparent and efficient, but will also unlock economic opportunities for millions.

But success requires more than policy documents and infrastructure. It demands collective action—from government leaders, civil servants, researchers, entrepreneurs, and citizens.

Call to Action.
Are you a blockchain researcher, developer, or enthusiast? Contribute your ideas and expertise to Nigeria’s digital transformation. Join the national conversation by submitting feedback and suggestions to policy@fmcide.gov.ng. Let’s co-create a future where technology empowers everyone.

Written by Adeola Osifeko LLB,LLM,ACIS,ABR. Partner at AEO Law Practice. You can reach her on adeola@aeolawpractice.com

Case Review: Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited.

aeolawpractice

Introduction

On April 10, 2025, Honourable Justice Abubakar Hussaini Musa of the Federal Capital Territory High Court, Abuja, delivered a landmark judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited (Suit No. FCT/HC/GAR/CV/187/2024). This case, initiated by the Claimant via an Originating Summons dated February 20, 2024, sought to enforce compliance with Nigeria’s data protection framework, specifically Sections 24 and 27 of the Nigeria Data Protection Act (NDPA) 2023 and Article 2.5 of the Nigeria Data Protection Regulation (NDPR) 2019. The Claimant, a public interest organization, challenged the defendant’s, alleged failure to deploy privacy notices for its CCTV surveillance and website tracking, conduct a Data Protection Impact Assessment (DPIA), and adequately inform data subjects, including the Claimant’s Country Director, Ozoemena Nwogbo, about the collection and processing of their personal data. Seeking declaratory reliefs, mandatory orders, and substantial damages, the suit tests the boundaries of data privacy obligations in Nigeria’s evolving digital landscape, raising critical questions about enforcement, compliance, and the role of public interest litigation in safeguarding personal data.

In response, the Defendant challenged the suit primarily on the grounds of the Claimant’s locus standi and disclosure of a reasonable cause of action. The Court, in its determination, framed three key issues:

  1. Whether the Claimant had the requisite locus standi
  2. Whether the facts of the case constitute a reasonable cause of action against the defendant
  3. Whether the Defendant breached the Claimant’s privacy under the NDPA 2023.

Key Legal Issues Addressed:

1. Locus Standi to Institute Action under the NDPA 2023.

The court addressed the issue of locus standi by determining whether the Claimant, a corporate entity, had the legal capacity to institute and prosecute the suit as a public interest group in the light of the Defendant’s argument that the Claimant lacked a direct legal relationship with the Defendant and had not demonstrated how its own civil rights were adversely affected.

The court, relying on Centre for Oil Pollution Watch v. NNPC (2019) 5 NWLR (Pt. 1666) 518, held that the Claimant had locus standi because the suit was a public interest litigation. The court reasoned that public interest litigation allows non-governmental organizations (NGOs) to sue on behalf of groups or individuals who may lack the resources or awareness to seek redress themselves. The Claimant’s objectives, as outlined in its Constitution (Exhibit B), include educating the public on data protection and advocating for data security, which aligned with the suit’s purpose of safeguarding public data privacy rights.

However, the court noted that the Claimant, as a juristic person, could not directly suffer a data breach. The suit was based on the experience of the Claimant’s Country Director, who visited the Defendant’s facility. The court clarified that public interest litigation does not require the Claimant to have a personal stake but rather a broader interest in protecting public rights, as supported by the Supreme Court’s reasoning in Centre for Oil Pollution Watch.

Legal Implications:

The NDPA 2023 does not explicitly define locus standi for public interest litigation, but the court’s reliance on Centre for Oil Pollution Watch establishes that NGOs with objectives related to data protection can sue to enforce compliance with the NDPA, even without direct personal injury.

  • The decision expands access to justice under the NDPA by recognizing the role of advocacy groups in holding data controllers accountable, particularly for vulnerable data subjects.
  • However, the court’s caution that the Claimant’s objectives do not explicitly include litigating breaches suggests that NGOs must clearly align their constitutional mandates with the reliefs sought to avoid challenges to their standing.

While the court’s recognition of public interest litigation is progressive, it did not fully address whether the NDPA imposes specific requirements for locus standi beyond general principles. Section 46 of the NDPA allows a “data subject” to lodge complaints with the Nigeria Data Protection Commission (NDPC), but it is silent on whether non-data subjects, like NGOs, can directly initiate court actions. Future cases may need to clarify whether NGOs must first exhaust administrative remedies with the NDPC before approaching the courts.

2. Gaps in Nigeria’s Data Governance Landscape.

The judgment highlights several gaps in Nigeria’s data governance framework, as revealed through the Claimant’s allegations and the court’s findings:

a. Lack of Clear Enforcement Mechanisms:

  • The NDPA establishes the NDPC as the primary regulatory body (Section 6) with powers to investigate complaints and issue compliance orders (Sections 46–48). However, the judgment reveals a gap in enforcement, as the Claimant bypassed the NDPC and directly approached the court. The court noted that the NDPA provides for administrative remedies (e.g., lodging complaints with the NDPC under Section 46) and judicial review only after exhausting these remedies (Section 50). This suggests a lack of clarity or awareness among litigants about the NDPA’s procedural requirements.
  • The absence of evidence that the Claimant engaged the NDPC before filing the suit underscores a gap in public awareness and institutional capacity to handle data protection complaints efficiently.

b. Ambiguity in Privacy Notice Requirements:

The Claimant alleged that the Defendant failed to deploy privacy notices on its website and at its physical facility, as required by Section 27 of the NDPA. The court, however, found that the Defendant’s website (Exhibit D) contained a notice regarding third-party data sharing, which the Claimant overlooked. This points to a gap in standardizing what constitutes a “clear, concise, transparent, intelligible, and easily accessible” privacy notice under Section 27(3). Without specific NDPC regulations or guidelines on privacy notice formats, organizations like the Defendant may adopt inconsistent practices, leading to disputes.

c. Data Protection Impact Assessments (DPIAs):

The Claimant’s second issue alleged that the Defendant failed to conduct a Data Protection Impact Assessment (DPIA) as required under Section 28 of the Nigeria Data Protection Act (NDPA) 2023. The court did not extensively address this issue, due to the Claimant’s failure to substantiate claims of high-risk data processing activities that would necessitate a DPIA. The Nigeria Data Protection Commission’s (NDPC) issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, provides critical clarity on DPIA obligations, addressing gaps highlighted in the judgment.

Article 28 of the NDP Act-GAID 2025 mandates that data controllers and processors conduct a DPIA when processing is likely to result in high risks to data subjects’ rights and freedoms, particularly for activities involving sensitive personal data, automated processing, or large-scale data collection. Schedule 4 of the GAID outlines a comprehensive DPIA template, requiring assessments of processing purposes, data categories, lawful bases, risks (e.g., data breaches, unauthorized access), and mitigation measures. It further specifies that DPIAs must evaluate necessity, proportionality, and data subject rights, with a final assessment determining whether processing should proceed, be modified, or be halted. The frequency of DPIA reviews (e.g., monthly, quarterly, or annually) must also be justified based on risk levels.

The absence of NDPC regulations at the time of the judgment contributed to uncertainty, as Section 28(3) of the NDPA empowers the NDPC to issue such guidelines, but none were cited. The GAID 2025 rectifies this by providing clear criteria and a structured process, reducing ambiguity for data controllers like the Defendant. For instance, the Defendant’s use of CCTV surveillance and patient data collection could trigger a DPIA if deemed high-risk under Schedule 4, particularly if involving vulnerable data subjects (e.g., minors or patients with health conditions, per Schedule 6’s Data Subject Vulnerability Indexes). The Claimant’s failure to demonstrate such risks likely weakened their case, but the GAID’s framework now enables more precise evaluations.

Despite this progress, the GAID reveals a lingering implementation gap: the need for widespread awareness and capacity building to ensure organizations understand and apply DPIA requirements. Article 7(o) of the GAID mandates DPIAs when required by the NDPA or directed by the NDPC, emphasizing proactive compliance. Future litigation will benefit from these guidelines, but the NDPC must prioritize training and enforcement to ensure data controllers consistently meet these obligations, fostering a robust data protection regime in Nigeria

d. Limited Judicial Precedent:

The NDPA is a relatively new statute, and this case is among the early judicial interpretations of its provisions. The court’s reliance on environmental law precedents (e.g., Centre for Oil Pollution Watch) rather than data protection-specific authorities indicates a gap in local jurisprudence. This reliance may limit the development of nuanced data protection law tailored to Nigeria’s digital context.

e. Public Awareness and Compliance:

The Claimant’s allegations about CCTV surveillance and patient forms suggest a broader gap in public and organizational awareness of NDPA obligations. The Defendant’s defense that CCTV was installed for security purposes (aligned with Section 3(2) exemptions) was accepted without scrutiny of whether the Defendant complied with transparency requirements (e.g., signage indicating CCTV use). This reflects a gap in ensuring that exemptions are balanced with data subject rights.

Recommendations to Address Gaps:

  • The Nigeria Data Protection Commission (NDPC) has addressed the need for clarity in data protection compliance through the issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, which provides detailed guidance on privacy notices, Data Protection Impact Assessments (DPIAs), and exemptions under the Nigeria Data Protection Act (NDPA) 2023. Set to take effect on 19 September 2025, the GAID’s comprehensive frameworks, including Articles 7(l–m) and 27 for privacy notices, Article 28 and Schedule 4 for DPIAs, and Article 5 for exemptions, aim to ensure data controllers and processors have clear, actionable obligations. To maximize compliance, the NDPC should focus on robust awareness campaigns and capacity-building initiatives before and after the GAID’s implementation to support organizations in aligning with these enhanced standards, thereby strengthening Nigeria’s data protection regime
  • Strengthening the NDPC’s capacity to investigate and resolve complaints could reduce premature litigation and enhance administrative enforcement.
  • Developing a robust body of data protection case law will help clarify the NDPA’s application and address novel issues in Nigeria’s digital economy.

3. Judicial Reasoning on Privacy in the Digital Age.

The court’s reasoning on privacy in the digital age, as articulated in the judgment, reflects a cautious approach to balancing data protection with practical realities:

a. Interpretation of NDPA Provisions:

  • The court meticulously reproduced and analyzed Sections 24, 25, 27, and 28 of the NDPA, adopting a literal interpretation as advocated by the Claimant. It emphasized that data controllers must process personal data fairly, lawfully, and transparently (Section 24) and inform data subjects of processing details (Section 27). However, the court found no evidence that the Defendant’s data collection was unlawful or not transparent, as the data subject (Ozoemena Nwogbo) consented to data collection by completing the Patient Information Form (Exhibit C) and paying for registration.
  • The court’s finding that the Defendant’s website notice satisfied Section 27 suggests a practical approach to digital privacy, recognizing that explicit consent mechanisms (e.g., clicking an icon for third-party data sharing) meet statutory requirements.

b. CCTV and Security Exemptions:

The court accepted the Defendant’s argument that CCTV surveillance was justified for security purposes under Section 3(2)(a)–(c) of the NDPA, which exempts data processing for crime prevention, public health emergencies, or national security. This reflects judicial recognition of the need to balance privacy with public safety in the digital age, particularly in a security-conscious context like Nigeria. However, the court did not explore whether the Defendant provided visible CCTV warnings, which could have strengthened its analysis of transparency obligations.

c. Constitutional Privacy Rights:

The Claimant invoked Section 37 of the 1999 Constitution, which guarantees privacy of citizens’ homes, correspondence, and communications. The court, citing Hon. Peter Nwali v. Ebonyi State Independent Electoral Commission (2014), clarified that Section 37 protects specific aspects of privacy (e.g., homes, telephone conversations) but found no evidence that the Defendant’s actions violated these rights. This reasoning underscores a narrow interpretation of constitutional privacy in the digital context, limiting its application to data protection unless a clear breach is demonstrated.

d. Absence of Data Breach Evidence:

The court’s central reasoning was that the Claimant failed to show an actual breach of the data subject’s privacy under Section 40 of the NDPA. It emphasized that a cause of action under the NDPA requires evidence of harm, loss, or injury (Section 51), which was absent. This approach aligns with digital age privacy principles that prioritize tangible harm over speculative concerns, reflecting a pragmatic judicial stance.

The court’s reasoning is grounded in statutory interpretation but lacks engagement with emerging digital privacy challenges, such as automated data processing or profiling, which are referenced in Section 27(1)(g) of the NDPA. The judgment could have explored whether the Defendant’s CCTV or patient data systems involved automated decision-making, which requires specific disclosures.

Also, the court’s reliance on consent (via the Patient Information Form) overlooks potential power imbalances in healthcare settings, where patients may feel compelled to provide data without fully understanding its implications.

Furthermore, the acceptance of security exemptions for CCTV without requiring evidence of compliance with transparency measures (e.g., signage) risks undermining data subject rights in the digital age.

4. Implications for the Future of Legal and Policy Advancement

The judgment has significant implications for the development of data protection law and policy in Nigeria:

a. Strengthening Public Interest Litigation:

  • By recognizing the Claimant’s locus standi, the judgment sets a precedent for NGOs to advocate for data protection compliance, fostering a culture of accountability. This could encourage more public interest litigation to enforce NDPA provisions, particularly for marginalized groups who lack access to legal recourse.
  • However, the court’s dismissal of the suit as premature highlights the need for clearer guidelines on when public interest litigation is appropriate under the NDPA. Future policy should clarify the interplay between NDPC complaints and direct court actions.

b. Enhancing NDPC’s Role:

The judgment underscores the NDPC’s role as the primary enforcer of data protection laws. The court’s reference to Sections 46–50 suggests that litigants should exhaust administrative remedies before approaching courts, except in cases of clear harm (Section 51). This implies a need for the NDPC to strengthen its investigative and enforcement mechanisms to handle complaints efficiently.

c. Clarifying Compliance Obligations:

The acceptance of CCTV exemptions suggests that policy must balance security needs with data subject rights, possibly through mandatory signage or public awareness campaigns about surveillance.

d. Building Judicial Precedent:

  • As one of the early NDPA cases, this judgment contributes to Nigeria’s data protection jurisprudence but reveals a reliance on non-data-specific precedents. Future cases should develop principles tailored to digital privacy, addressing issues like automated processing, cross-border data transfers, and data breach remedies.
  • Courts should engage more with international data protection frameworks, such as the EU’s General Data Protection Regulation (GDPR), to align Nigeria’s jurisprudence with global standards, as referenced by the Claimant’s citation of RW v. Osterreichische (C-154/21).

e. Promoting Digital Economy Growth:

  • The NDPA aims to strengthen Nigeria’s digital economy (Section 1(h)). The judgment’s dismissal of speculative claims ensures that organizations are not unduly burdened by frivolous litigation, fostering a business-friendly environment. However, robust enforcement of NDPA provisions is essential to build public trust in digital services, encouraging participation in Nigeria’s digital economy.
  • Policy should prioritize capacity building for data controllers, particularly in sensitive sectors like healthcare, to ensure compliance without stifling innovation.

f. Addressing Speculative Litigation:

  • The court’s characterization of the suit as “speculative” and “premature” warns against fishing expeditions in data protection litigation. Future litigants must provide concrete evidence of harm or non-compliance to succeed, reinforcing the need for factual grounding in NDPA claims.
  • This could prompt policy reforms to streamline NDPC complaint processes, ensuring that legitimate grievances are addressed administratively before escalating to courts.

Conclusion

The judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited is a significant step in Nigeria’s evolving data protection landscape. It affirms the role of public interest litigation in enforcing NDPA compliance, highlights gaps in enforcement and awareness, and adopts a pragmatic approach to digital privacy. However, the dismissal of the suit as premature underscores the need for clearer regulatory frameworks, enhanced NDPC capacity, and robust judicial precedent to address emerging digital challenges. For Nigeria to advance its data governance, policymakers must prioritize standardized compliance measures, public education, and international alignment to foster a trusted and secure digital economy.

Written by Adeola Osifeko LLB,LLM,ACIS, ABR. Partner Corporate Commercial Group at AEO Law Practice

The Dark Side of Non-Disclosure Agreements in the Music Industry: Lessons for Nigeria.

aeolawpractice

Introduction.
Record labels employ a variety of contractual arrangements to manage artists, each with distinct rights, obligations, and revenue-sharing models. These agreements may include Standard Recording Contracts—which cover master recordings, production, marketing, and distribution costs; Licensing Deals—where labels secure rights to musical works for a defined period; 360 Deals—which encompass revenue from touring, merchandise, endorsements, and music sales; Joint Ventures—detailing profit-sharing between the artist and label; and Single or EP Deals—short-term agreements focused on one or a few tracks rather than a full album. These are generally limited in scope, and artists typically cannot publicly announce they’ve been signed, as the label’s involvement is specific to supporting production and marketing for that particular release.

Most of these contracts typically include confidentiality provisions, often referred to as Non-Disclosure clause or Non-Disclosure Agreement (NDA). A Non-Disclosure Agreement (NDA) is a legally binding contract preventing parties from disclosing specified confidential or proprietary information.

While NDAs are intended to protect sensitive information, recent developments in the global music industry have revealed its darker side: a tool of victimisation weaponized by silence. High-profile cases, such as the ongoing legal battle between Sean “Diddy” Combs and singer Cassie Ventura, have spotlighted how NDAs can be deployed to conceal abuse and silence victims—raising serious ethical concerns with implications for not only the artists worldwide, including Nigeria but the lawyers that draft them.

NDAs: Shielding Misconduct & Unconscionable Industry Practices.

In the case of United States v Sean Combs, allegations have emerged that NDAs were employed to prevent individuals from speaking out about abusive behaviour. Testimonies from Cassie Ventura and former personal assistant (Capricon Clark, scheduled to testify on 27 May 2025) suggest that NDAs were used not just to protect business interests but to silence victims and witnesses of alleged unfair and unconscionable practices of Bad Boy Records. This misuse of NDAs has sparked broader concerns of how the Rich and Powerful force signees into unfair work practices while serving to restrict valuable information of their personal lives, some of which have damaging effects on their employees. A telling example emerged in November 2024, when TMZ published details of a typical NDA used by Sean Combs’ enterprises, barring signees from taking photos or videos, or publicly discussing any event that took place at parties hosted by Combs, without his express written consent. More alarmingly, the NDA imposed an extraordinary duration— effective for 20 years after Combs’ death or 70 years from the date of signing, whichever is later—effectively silencing parties for a lifetime and beyond.

Another notable and deeply troubling example of the misuse of non-disclosure agreements emerged in the case of former Hollywood producer and convicted rapist Harvey Weinstein, currently serving a 16 year sentence on conviction of rape in 2022. For years, Weinstein allegedly relied on NDAs and secret settlements to silence numerous women who accused him of sexual harassment, assault, and rape. These agreements were often presented under pressure, with victims fearing reputational harm, career sabotage, or legal retaliation if they spoke out. The NDAs functioned as tools of coercion—protecting Weinstein’s power and shielding his actions from public scrutiny.

It was only after investigative reporting by journalists at The New York Times and The New Yorker in 2017 that the extent of the allegations—and the role NDAs played in concealing them—became widely known. Although sentenced to 3 years imprisonment earlier in March 2020 for third degree rape and 20 years for first degree criminal sexual assault. The decision was overturned by the New York’s highest court late April 2024 in a 4-3 decision, the court held that the trial court erred in admitting testimony about uncharged, alleged prior sexual acts involving individuals other than the complainants, as such testimony lacked any relevant or material value in establishing the defendant’s propensity to commit the charged offenses

Implications for the Nigerian Music Industry.

The Nigerian music industry is rapidly growing, with artists gaining international recognition. However, the use of NDAs in Nigeria is not immune to misuse. While NDAs are intended to protect intellectual property and confidential business information, there is a risk that they could be used to legitimize misconduct of record label executives/owners of entertainment companies. The lack of robust legal frameworks and enforcement mechanisms in Nigeria may exacerbate this issue, allowing powerful individuals to exploit NDAs to silence victims.

Legal Considerations and the Need for Reform.

In Nigeria, NDAs are legally binding agreements that establish a confidential relationship between parties. However, there is a need for clearer legal guidelines to prevent the misuse of NDAs in cases involving misconduct or implicating signees such as to sabotage their careers. Legal reforms should be directed at ensuring that NDAs do not shield powerful individuals from accountability for abusive behaviour. Additionally, there should be provisions that allow victims to speak out without fear of legal repercussions when reporting misconduct.

Tips for Navigating Unfair Contract Clause/Agreement.

When faced with repugnant or overly restrictive non-disclosure agreement (NDA) which can be inserted as contract clauses or standalone agreements connected to artist management agreement, Nigerian artists should take proactive and informed steps to protect their rights, dignity, and creative freedom. Here are practical recommendations:

1. Engage a Competent Entertainment Lawyer.

Why: NDAs are legal documents that can have long-term consequences.
Action: Always consult with a lawyer familiar with the entertainment industry before signing any agreement. A lawyer can:

  1. Identify exploitative or overly broad clauses.
  2. Negotiate fairer terms on your behalf.
  3. Explain legal implications in simple terms.

Example: An emerging Afrobeats artist approached a major label. The proposed NDA restricted her from ever discussing her experiences, even in cases of abuse. Her lawyer flagged it as unenforceable and negotiated for its removal.

2. Negotiate Scope and Duration.

Why: NDAs should be limited in scope, not lifelong gags.

Action: Artists should:

  1. Push for time-limited NDAs (e.g., 2–3 years).
  2. Define exactly what counts as “confidential” (e.g., financial terms, trade secrets—not personal conduct or abuse).

Tip: Avoid clauses that prohibit you from discussing anything that occurs in the relationship, especially personal or criminal conduct.

3. Insist on Exceptions for Illegality and Abuse.

Why: Some NDAs try to silence people from reporting illegal activity.
Action: Demand exceptions that allow you to:

  1. Report harassment, abuse, or crimes to authorities.
  2. Speak out about misconduct without facing legal penalties.

Note: Nigerian law may not explicitly bar such clauses yet, but public policy and human rights principles can help challenge them in court.

4. Avoid Blanket or One-Sided NDAs.

Why: Blanket NDAs often favor the more powerful party.
Action: Request mutual NDAs where both parties are bound by the same terms, or reject overly one-sided clauses that:

  1. Only protect the record label.
  2. Impose penalties only on the artist.

5. Document Every Interaction.

Why: Documentation creates a paper trail that can be useful in legal disputes.
Action:

1.Keep copies of all drafts and communications.

2. Make notes about meetings where NDAs were discussed or signed.

3. If possible, request that negotiations be recorded or documented via email.

6. Involve Trusted Representatives.

Why: Emotional or power pressure can cloud judgment.

Action:

  1. Bring your manager, preferably your legal rep,  for contract negotiations bordering on artist management contracts.
  2. Don’t let anyone pressure you into signing “on the spot.”

7. Leverage Artist Collectives or Unions.

Why: There is strength in numbers.

Action: Join or support collectives like the Performing Musicians Employers’ Association of Nigeria (PMAN), Musical Copyright Society of Nigeria (MCSN), Guild of Artistes and Poets (GAP). Also engage in advocacy for industry-wide ethical standards on contract terms which includes unconscionable NDAs.

8. Know When to Walk Away.

Why: Not every opportunity is worth your silence.

Action: If an NDA demands unethical silence or gives away too much of your freedom, consider turning down the deal. Protecting your long-term dignity and legal rights is more valuable than a short-term gain.

Final Thought.

The use of NDAs should never be a tool for exploitation or silencing abuse. As seen in global controversies, repugnant NDA practices can perpetuate harm. Nigerian artists must be vigilant, legally aware, and ready to challenge any clause that infringes on their fundamental rights.

Written by Adeola Osifeko LLB, LLM, ACIS, ABR. Partner Corporate Commercial Group at AEO Law Practice

Sources:

1. Njera Perkins and Taiyler. S. Mitchell, ‘How Cassie’s Lawsuit Against Diddy Galvanised a Movement of Survivors’ Huffpost 24 May 2025  <https://www.huffpost.com/entry/sean-diddy-combs-trial-cassie-lawsuit_n_682fae95e4b0239ca9a6eba3> Accessed 25 May 2025

2. Laura Italiano, ‘At Diddy trial, ex-assistants recall smashed whiskey glasses, bags of drugs, and mopping up after freak offs’ Business Insider Africa 25 May 2025 <https://africa.businessinsider.com/entertainment/at-diddy-trial-ex-assistants-recall-smashed-whiskey-glasses-bags-of-drugs-and-mopping/4s7rjhm> Accessed 25 May 2025

3. Ronan Farrow, ‘Weighing the Cost of speaking Out About Harvey Weinstein’ New Yorker 27 October 2017 <https://www.newyorker.com/news/news-desk/weighing-the-costs-of-speaking-out-about-harvey-weinstein> Accessed 25 May 2025.

4. Daniel Arkin, ‘What you need to know about Harvey Weinstein’s retrial’ NBC News 21 April 2025 <https://www.nbcnews.com/news/us-news/harvey-weinstein-retrial-conviction-health-me-too-what-know-rcna199981> Accessed 25 May 2025