Case Review: Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited.

Introduction

On April 10, 2025, Honourable Justice Abubakar Hussaini Musa of the Federal Capital Territory High Court, Abuja, delivered a landmark judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited (Suit No. FCT/HC/GAR/CV/187/2024). This case, initiated by the Claimant via an Originating Summons dated February 20, 2024, sought to enforce compliance with Nigeria’s data protection framework, specifically Sections 24 and 27 of the Nigeria Data Protection Act (NDPA) 2023 and Article 2.5 of the Nigeria Data Protection Regulation (NDPR) 2019. The Claimant, a public interest organization, challenged the Defendant’s alleged failure to deploy privacy notices for its CCTV surveillance and website tracking, conduct a Data Protection Impact Assessment (DPIA), and adequately inform data subjects, including the Claimant’s Country Director, Ozoemena Nwogbo, about the collection and processing of their personal data. Seeking declaratory reliefs, mandatory orders, and substantial damages, the suit tests the boundaries of data privacy obligations in Nigeria’s evolving digital landscape, raising critical questions about enforcement, compliance, and the role of public interest litigation in safeguarding personal data.

In response, the Defendant challenged the suit primarily on the grounds of the Claimant’s locus standi and disclosure of a reasonable cause of action. The Court, in its determination, framed three key issues:

  1. Whether the Claimant had the requisite locus standi
  2. Whether the facts of the case constitute a reasonable cause of action against the defendant
  3. Whether the Defendant breached the Claimant’s privacy under the NDPA 2023.

Key Legal Issues Addressed:

1. Locus Standi to Institute Action under the NDPA 2023.

The court addressed the issue of locus standi by determining whether the Claimant, a corporate entity, had the legal capacity to institute and prosecute the suit as a public interest group in the light of the Defendant’s argument that the Claimant lacked a direct legal relationship with the Defendant and had not demonstrated how its own civil rights were adversely affected.

The court, relying on Centre for Oil Pollution Watch v. NNPC (2019) 5 NWLR (Pt. 1666) 518, held that the Claimant had locus standi because the suit was a public interest litigation. The court reasoned that public interest litigation allows non-governmental organizations (NGOs) to sue on behalf of groups or individuals who may lack the resources or awareness to seek redress themselves. The Claimant’s objectives, as outlined in its Constitution (Exhibit B), include educating the public on data protection and advocating for data security, which aligned with the suit’s purpose of safeguarding public data privacy rights.

However, the court noted that the Claimant, as a juristic person, could not directly suffer a data breach. The suit was based on the experience of the Claimant’s Country Director, who visited the Defendant’s facility. The court clarified that public interest litigation does not require the Claimant to have a personal stake but rather a broader interest in protecting public rights, as supported by the Supreme Court’s reasoning in Centre for Oil Pollution Watch.

Legal Implications:

The NDPA 2023 does not explicitly define locus standi for public interest litigation, but the court’s reliance on Centre for Oil Pollution Watch establishes that NGOs with objectives related to data protection can sue to enforce compliance with the NDPA, even without direct personal injury.

  • The decision expands access to justice under the NDPA by recognizing the role of advocacy groups in holding data controllers accountable, particularly for vulnerable data subjects.
  • However, the court’s caution that the Claimant’s objectives do not explicitly include litigating breaches suggests that NGOs must clearly align their constitutional mandates with the reliefs sought to avoid challenges to their standing.

While the court’s recognition of public interest litigation is progressive, it did not fully address whether the NDPA imposes specific requirements for locus standi beyond general principles. Section 46 of the NDPA allows a “data subject” to lodge complaints with the Nigeria Data Protection Commission (NDPC), but it is silent on whether non-data subjects, like NGOs, can directly initiate court actions. Future cases may need to clarify whether NGOs must first exhaust administrative remedies with the NDPC before approaching the courts.

2. Gaps in Nigeria’s Data Governance Landscape.

The judgment highlights several gaps in Nigeria’s data governance framework, as revealed through the Claimant’s allegations and the court’s findings:

a. Lack of Clear Enforcement Mechanisms:

  • The NDPA establishes the NDPC as the primary regulatory body (Section 6) with powers to investigate complaints and issue compliance orders (Sections 46–48). However, the judgment reveals a gap in enforcement, as the Claimant bypassed the NDPC and directly approached the court. The court noted that the NDPA provides for administrative remedies (e.g., lodging complaints with the NDPC under Section 46) and judicial review only after exhausting these remedies (Section 50). This suggests a lack of clarity or awareness among litigants about the NDPA’s procedural requirements.
  • The absence of evidence that the Claimant engaged the NDPC before filing the suit underscores a gap in public awareness and institutional capacity to handle data protection complaints efficiently.

b. Ambiguity in Privacy Notice Requirements:

The Claimant alleged that the Defendant failed to deploy privacy notices on its website and at its physical facility, as required by Section 27 of the NDPA. The court, however, found that the Defendant’s website (Exhibit D) contained a notice regarding third-party data sharing, which the Claimant overlooked. This points to a gap in standardizing what constitutes a “clear, concise, transparent, intelligible, and easily accessible” privacy notice under Section 27(3). Without specific NDPC regulations or guidelines on privacy notice formats, organizations like the Defendant may adopt inconsistent practices, leading to disputes.

c. Data Protection Impact Assessments (DPIAs):

The Claimant’s second issue alleged that the Defendant failed to conduct a Data Protection Impact Assessment (DPIA) as required under Section 28 of the Nigeria Data Protection Act (NDPA) 2023. The court did not extensively address this issue because the Claimant failed to substantiate claims of high-risk data processing activities that would necessitate a DPIA. The Nigeria Data Protection Commission’s (NDPC) issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, provides critical clarity on DPIA obligations, addressing gaps highlighted in the judgment.

Article 28 of the NDP Act-GAID 2025 mandates that data controllers and processors conduct a DPIA when processing is likely to result in high risks to data subjects’ rights and freedoms, particularly for activities involving sensitive personal data, automated processing, or large-scale data collection. Schedule 4 of the GAID outlines a comprehensive DPIA template, requiring assessments of processing purposes, data categories, lawful bases, risks (e.g., data breaches, unauthorized access), and mitigation measures. It further specifies that DPIAs must evaluate necessity, proportionality, and data subject rights, with a final assessment determining whether processing should proceed, be modified, or be halted. The frequency of DPIA reviews (e.g., monthly, quarterly, or annually) must also be justified based on risk levels.

The absence of NDPC regulations at the time of the judgment contributed to uncertainty, as Section 28(3) of the NDPA empowers the NDPC to issue such guidelines, but none were cited. The GAID 2025 rectifies this by providing clear criteria and a structured process, reducing ambiguity for data controllers like the Defendant. For instance, the Defendant’s use of CCTV surveillance and patient data collection could trigger a DPIA if deemed high-risk under Schedule 4, particularly if involving vulnerable data subjects (e.g., minors or patients with health conditions, per Schedule 6’s Data Subject Vulnerability Indexes). The Claimant’s failure to demonstrate such risks likely weakened their case, but the GAID’s framework now enables more precise evaluations.

Despite this progress, the GAID reveals a lingering implementation gap: the need for widespread awareness and capacity building to ensure organizations understand and apply DPIA requirements. Article 7(o) of the GAID mandates DPIAs when required by the NDPA or directed by the NDPC, emphasizing proactive compliance. Future litigation will benefit from these guidelines, but the NDPC must prioritize training and enforcement to ensure data controllers consistently meet these obligations, fostering a robust data protection regime in Nigeria.

d. Limited Judicial Precedent:

The NDPA is a relatively new statute, and this case is among the early judicial interpretations of its provisions. The court’s reliance on environmental law precedents (e.g., Centre for Oil Pollution Watch) rather than data protection-specific authorities indicates a gap in local jurisprudence. This reliance may limit the development of nuanced data protection law tailored to Nigeria’s digital context.

e. Public Awareness and Compliance:

The Claimant’s allegations about CCTV surveillance and patient forms suggest a broader gap in public and organizational awareness of NDPA obligations. The Defendant’s defense that CCTV was installed for security purposes (aligned with Section 3(2) exemptions) was accepted without scrutiny of whether the Defendant complied with transparency requirements (e.g., signage indicating CCTV use). This reflects a gap in ensuring that exemptions are balanced with data subject rights.

Recommendations to Address Gaps:

  • The Nigeria Data Protection Commission (NDPC) has addressed the need for clarity in data protection compliance through the issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, which provides detailed guidance on privacy notices, Data Protection Impact Assessments (DPIAs), and exemptions under the Nigeria Data Protection Act (NDPA) 2023. Set to take effect on 19 September 2025, the GAID’s comprehensive frameworks, including Articles 7(l–m) and 27 for privacy notices, Article 28 and Schedule 4 for DPIAs, and Article 5 for exemptions, aim to ensure data controllers and processors have clear, actionable obligations. To maximize compliance, the NDPC should focus on robust awareness campaigns and capacity-building initiatives before and after the GAID’s implementation to support organizations in aligning with these enhanced standards, thereby strengthening Nigeria’s data protection regime.
  • Strengthening the NDPC’s capacity to investigate and resolve complaints could reduce premature litigation and enhance administrative enforcement.
  • Developing a robust body of data protection case law will help clarify the NDPA’s application and address novel issues in Nigeria’s digital economy.

3. Judicial Reasoning on Privacy in the Digital Age.

The court’s reasoning on privacy in the digital age, as articulated in the judgment, reflects a cautious approach to balancing data protection with practical realities:

a. Interpretation of NDPA Provisions:

  • The court meticulously reproduced and analyzed Sections 24, 25, 27, and 28 of the NDPA, adopting a literal interpretation as advocated by the Claimant. It emphasized that data controllers must process personal data fairly, lawfully, and transparently (Section 24) and inform data subjects of processing details (Section 27). However, the court found no evidence that the Defendant’s data collection was unlawful or not transparent, as the data subject (Ozoemena Nwogbo) consented to data collection by completing the Patient Information Form (Exhibit C) and paying for registration.
  • The court’s finding that the Defendant’s website notice satisfied Section 27 suggests a practical approach to digital privacy, recognizing that explicit consent mechanisms (e.g., clicking an icon for third-party data sharing) meet statutory requirements.

b. CCTV and Security Exemptions:

The court accepted the Defendant’s argument that CCTV surveillance was justified for security purposes under Section 3(2)(a)–(c) of the NDPA, which exempts data processing for crime prevention, public health emergencies, or national security. This reflects judicial recognition of the need to balance privacy with public safety in the digital age, particularly in a security-conscious context like Nigeria. However, the court did not explore whether the Defendant provided visible CCTV warnings, which could have strengthened its analysis of transparency obligations.

c. Constitutional Privacy Rights:

The Claimant invoked Section 37 of the 1999 Constitution, which guarantees privacy of citizens’ homes, correspondence, and communications. The court, citing Hon. Peter Nwali v. Ebonyi State Independent Electoral Commission (2014), clarified that Section 37 protects specific aspects of privacy (e.g., homes, telephone conversations) but found no evidence that the Defendant’s actions violated these rights. This reasoning underscores a narrow interpretation of constitutional privacy in the digital context, limiting its application to data protection unless a clear breach is demonstrated.

d. Absence of Data Breach Evidence:

The court’s central reasoning was that the Claimant failed to show an actual breach of the data subject’s privacy under Section 40 of the NDPA. It emphasized that a cause of action under the NDPA requires evidence of harm, loss, or injury (Section 51), which was absent. This approach aligns with digital age privacy principles that prioritize tangible harm over speculative concerns, reflecting a pragmatic judicial stance.

The court’s reasoning is grounded in statutory interpretation but lacks engagement with emerging digital privacy challenges, such as automated data processing or profiling, which are referenced in Section 27(1)(g) of the NDPA. The judgment could have explored whether the Defendant’s CCTV or patient data systems involved automated decision-making, which requires specific disclosures.

Also, the court’s reliance on consent (via the Patient Information Form) overlooks potential power imbalances in healthcare settings, where patients may feel compelled to provide data without fully understanding its implications.

Furthermore, the acceptance of security exemptions for CCTV without requiring evidence of compliance with transparency measures (e.g., signage) risks undermining data subject rights in the digital age.

4. Implications for the Future of Legal and Policy Advancement

The judgment has significant implications for the development of data protection law and policy in Nigeria:

a. Strengthening Public Interest Litigation:

  • By recognizing the Claimant’s locus standi, the judgment sets a precedent for NGOs to advocate for data protection compliance, fostering a culture of accountability. This could encourage more public interest litigation to enforce NDPA provisions, particularly for marginalized groups who lack access to legal recourse.
  • However, the court’s dismissal of the suit as premature highlights the need for clearer guidelines on when public interest litigation is appropriate under the NDPA. Future policy should clarify the interplay between NDPC complaints and direct court actions.

b. Enhancing NDPC’s Role:

The judgment underscores the NDPC’s role as the primary enforcer of data protection laws. The court’s reference to Sections 46–50 suggests that litigants should exhaust administrative remedies before approaching courts, except in cases of clear harm (Section 51). This implies a need for the NDPC to strengthen its investigative and enforcement mechanisms to handle complaints efficiently.

c. Clarifying Compliance Obligations:

The acceptance of CCTV exemptions suggests that policy must balance security needs with data subject rights, possibly through mandatory signage or public awareness campaigns about surveillance.

d. Building Judicial Precedent:

  • As one of the early NDPA cases, this judgment contributes to Nigeria’s data protection jurisprudence but reveals a reliance on non-data-specific precedents. Future cases should develop principles tailored to digital privacy, addressing issues like automated processing, cross-border data transfers, and data breach remedies.
  • Courts should engage more with international data protection frameworks, such as the EU’s General Data Protection Regulation (GDPR), to align Nigeria’s jurisprudence with global standards, as referenced by the Claimant’s citation of RW v. Osterreichische (C-154/21).

e. Promoting Digital Economy Growth:

  • The NDPA aims to strengthen Nigeria’s digital economy (Section 1(h)). The judgment’s dismissal of speculative claims ensures that organizations are not unduly burdened by frivolous litigation, fostering a business-friendly environment. However, robust enforcement of NDPA provisions is essential to build public trust in digital services, encouraging participation in Nigeria’s digital economy.
  • Policy should prioritize capacity building for data controllers, particularly in sensitive sectors like healthcare, to ensure compliance without stifling innovation.

f. Addressing Speculative Litigation:

  • The court’s characterization of the suit as “speculative” and “premature” warns against fishing expeditions in data protection litigation. Future litigants must provide concrete evidence of harm or non-compliance to succeed, reinforcing the need for factual grounding in NDPA claims.
  • This could prompt policy reforms to streamline NDPC complaint processes, ensuring that legitimate grievances are addressed administratively before escalating to courts.

Conclusion

The judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited is a significant step in Nigeria’s evolving data protection landscape. It affirms the role of public interest litigation in enforcing NDPA compliance, highlights gaps in enforcement and awareness, and adopts a pragmatic approach to digital privacy. However, the dismissal of the suit as premature underscores the need for clearer regulatory frameworks, enhanced NDPC capacity, and robust judicial precedent to address emerging digital challenges. For Nigeria to advance its data governance, policymakers must prioritize standardized compliance measures, public education, and international alignment to foster a trusted and secure digital economy.

Written by Adeola Osifeko LLB, LLM, ACIS, ABR, Partner, Corporate Commercial Group at AEO Law Practice

Navigating the Nigeria Data Protection Act – GAID: Compliance Strategies for Data Processors & Data Controllers.

Introduction.

On 20 March 2025, the Nigeria Data Protection Commission (NDPC) issued the General Application and Implementation Directive (GAID) pursuant to its powers under the Nigeria Data Protection Act 2023 (NDPA 2023).[1] This directive serves as a comprehensive framework guiding compliance with the NDPA 2023, ensuring that data protection obligations are clearly understood and effectively implemented across various sectors, including startups and small and medium enterprises (SMEs).

The GAID, structured into 52 Articles and 10 Schedules, replaces the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework 2020; acts carried out while those instruments were in force remain valid. For businesses, particularly startups and SMEs, aligning with the GAID is crucial for data compliance, regulatory approval, and market competitiveness. This article examines the implementation requirements and effectiveness of the GAID, drawing comparative insights from the United Kingdom, Australia, and Canada, and outlining practical compliance strategies for startups and SMEs.

Key Implementation Requirements Under the GAID.

The GAID mandates data controllers/data processors to comply with twenty-three key compliance measures, including registration as a Data Controller or Data Processor of Major Importance (DCPMIs), annual compliance audits for Ultra-High and Extra-High-Level DCPMIs before 31 March each year, and semi-annual data protection reports assessing data processing activities every six months.[2] In the United Kingdom, data controllers must register with the Information Commissioner’s Office (ICO) and conduct periodic Data Protection Impact Assessments (DPIAs) under the UK GDPR and the Data Protection Act 2018.[3] Similarly, Australia’s Privacy Act 1988 mandates that businesses handling personal data implement Privacy Management Plans (PMPs) to regularly assess compliance.[4] For the Nigerian data processor, data controller or business/body determining the purposes and means of processing personal data, adopting similar risk-based assessments ensures readiness for audits and regulatory compliance.

The GAID further introduces a revised template for conducting annual compliance audits, with filing fees of up to NGN1,000,000 for Ultra-High-Level DCPMIs processing over 50,000 data subjects.[5] In Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must submit privacy audit reports to the Office of the Privacy Commissioner (OPC).[6] This provision is similar to Nigeria’s GAID, which mandates transparent reporting mechanisms to maintain compliance. For Nigerian startups and SMEs processing personal data, the increased filing fees require budgetary planning to avoid defaults, which attract regulatory penalties.

The GAID clarifies that reliance on legitimate interest as a lawful basis for processing personal data requires a Legitimate Interest Assessment (LIA).[7] In the UK, the ICO’s Legitimate Interests Assessment (LIA) Framework requires organizations to document assessments before relying on legitimate interest.[8] In Australia, organizations must demonstrate proportionality when relying on legitimate interest, ensuring data protection rights remain uncompromised. The Legitimate Interest Guidance provided by the Office of the Australian Information Commissioner (OAIC) plays a crucial role in regulating fairness and reasonableness requirements for entities. It emphasizes that data handling practices must be reasonable, necessary, and proportionate, aligning with principles recognized under the Privacy Act 1988. This ensures that entities do not override individuals’ rights without proper justification.[9] For Nigerian startups and SMEs, this means that conducting a thorough assessment before relying on legitimate interest is essential to avoid the risks attached to non-compliance.

Another key provision of the GAID is the introduction of the Standard Notice to Address Grievance (SNAG), a mechanism allowing data subjects to formally notify a data controller or processor if they reasonably believe that their right to data privacy has been violated. However, the submission of a SNAG is not a condition precedent for lodging a complaint with the NDPC or instituting legal action in court. Rather, it serves as a structured means of seeking internal redress from an organization suspected of infringing on a data subject’s privacy rights. Upon receiving a SNAG, the data controller or processor is required to communicate its decision on the matter to the NDPC through the electronic portal set up by the Commission.[10] This provision is similar to the Canadian position under PIPEDA, where individuals must first seek resolution with the organization before lodging complaints with the OPC.[11] For Nigerian startups/SMEs, a well-managed internal data subject complaint mechanism reduces escalation and enhances consumer trust, while eliminating the cost of securing the Commission’s intervention or instituting a lawsuit to address a personal data infringement.

Aligning Startups and SMEs with the GAID: Compliance Strategies.

Data Controllers and Processors within the Nigerian startup and SME ecosystem must develop an internal data protection compliance framework through data audits to manage personal data flows, whilst designating Data Protection Officers (DPOs).[12] Implementing risk-based data protection measures, such as encryption and access control mechanisms, is essential. Compliance with the 72-hour data breach notification requirement should be prioritized.[13]

Data Processing Software Compliance Under GAID.

The GAID imposes strict compliance obligations on Data Controllers and Processors deploying data processing software that enables tracking or facilitates swift personal data processing while establishing a communication link with data subjects: any data controller or processor using such software must conduct a Data Privacy Impact Assessment (DPIA) before deployment.[14] The software must be designed in line with the principles of privacy by design and by default, adhere to data security guidelines, and include a privacy policy within the software interface. Additionally, the directive requires data controllers and processors to provide a privacy statement before installation, explicitly informing users of the types of personal data to be processed, the lawful purpose for processing, and the security measures in place to protect their data.[15]

By mandating these measures, the GAID aligns with global best practices. For instance, the UK’s Information Commissioner’s Office (ICO) requires DPIAs for software used to track or profile users, ensuring compliance with GDPR principles.[16] In Australia, too, privacy-by-design principles are emphasized under the Privacy Act 1988, requiring software developers and organizations to integrate privacy safeguards at every stage of development. Nigerian Data Processors utilizing data processing software are therefore required to ensure compliance with these regulations to avoid regulatory and reputational risks.

The NDPC is committed to an open-door policy that balances individual rights with economic progress. To strengthen compliance, the Commission will issue guidance notices, advisories, and capacity-building programs to promote a robust data privacy culture across Nigeria. The full implementation of the GAID 2025 will commence in September 2025, following a six-month transition period, and provisions related to fees and financial obligations will take effect in January 2026, allowing data controllers and processors ample time to comply with regulatory requirements. These measures aim to ensure a smooth transition while reinforcing Nigeria’s evolving data protection framework.

Conclusion

The GAID provides a structured compliance roadmap for data processors and controllers, ensuring alignment with the NDPA 2023 by incorporating international best practices from the UK, Australia, and Canada. With the GAID 2025, Nigerian businesses can achieve consistent regulatory compliance, strengthen consumer trust, and mitigate data risks. Startups and SMEs must take proactive steps to implement data protection policies to secure long-term sustainability in Nigeria’s digital economy.

Endnotes

  1. Nigeria Data Protection Act 2023, ss 1(a), 6(c), 61, and 62
  2. Nigeria Data Protection Act 2023, s 2.
  3. Data Protection Act 2018 (UK), s 16.
  4. Privacy Act 1988 (Cth) (Australia), s 33.
  5. Nigeria Data Protection Act – General Application and Implementation Directive 2025, art 10(6).
  6. Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (Canada).
  7. GAID 2025, art 26(1), Schedule 8.
  8. Information Commissioner’s Office, ‘Guide to the UK GDPR: Legitimate Interests’ (ICO, 2024) <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/legitimate-interests/> Accessed 23 March 2025.
  9. Office of the Australian Information Commissioner, ‘Legitimate Interests Guidance’ (OAIC, 2024) <https://www.oaic.gov.au/privacy/the-privacy-act/review-of-the-privacy-act/privacy-act-review-issues-paper-submission/part-6/> Accessed 23 March 2025.
  10. GAID 2025, art 40(2),(5) & (6).
  11. PIPEDA (Canada), s 13.
  12. GAID 2025, art 11.
  13. GAID 2025, art 33.
  14. GAID 2025, art 31.
  15. Ibid.
  16. Information Commissioner’s Office, ‘Guide to the UK GDPR: When Do We Need A DPIA’ (ICO, 2024) <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/> Accessed 23 March 2025.

#DataProtection #GAID2025 #NDPA2023 #DataProtectionCompliance

Written by Adeola Osifeko LLB, LLM, BL, ACIS, ABR