The GDPR-Styled Nigeria Data Protection Act 2023 and the Reverberations of a Legal Transplant
Babalola O
Published on: 2024-04-01
Abstract
Regulating data protection in Nigeria has a chequered history. The three arms of government had in the past endeavoured to forge a formidable legal framework for data protection, with varying levels of (un)successful attempts. Finally, on 12 June 2023, a principal piece of legislation, the Nigeria Data Protection Act 2023 (NDPA), was signed into law, thereby ushering in a not-entirely-new legal dispensation for regulating the processing of personal data in and out of Nigeria. This paper critically analyses the NDPA as a documentary protégé of the EU GDPR in light of the identical provisions and the latent and patent legislative reasoning reflected in both pieces of legislation. The paper modestly celebrates some innovations in the NDPA but argues that the palpable legislative transplantation of the GDPR's ideals carries dire cross-cultural consequences for Nigeria in terms of reliability, justification and, most importantly, enforcement. The paper concludes that, in spite of the inconsistencies staring its audience in the face, the NDPA holds huge promise as the bedrock of a peculiarly Nigerian legal framework for data protection.
Keywords
Data Protection; GDPR; NDPA; Nigeria; Privacy; Regulation
The Regulatory Preparatory
Nigeria as a nation did not appear interested in the subject of data protection until a global standard, the European Union (EU) General Data Protection Regulation (GDPR), became applicable in 2018. In a knee-jerk but commendable reaction, the federal government of Nigeria issued a series of documents regulating data protection, representing a microcosm of European practices with some adjustments [1-4].
These makeshift 'delegated' legislative attempts by an executive agency of the federal government of Nigeria, culminating in the Nigeria Data Protection Regulation (NDPR), were marred by many irregularities and flaws and thereby attracted academic criticism and judicial inconsistency on the legitimacy, form, substance, approach and operability of the provisions [5]. For example, while the courts were not settled on the conditions of access to court, researchers disagreed on how best to legislate data protection under the existing and relevant laws in Nigeria [6].
Having intentionally regulated data protection under many guises since 2019, the Nigerian data protection legal regime deserves an identity devoid of wholesale comparison with the GDPR, given the cultural, socio-political and economic divergence between the two. However, the roots of whatever Nigeria currently practises as data protection regulation bear an unmistakable resemblance to the EU GDPR: a legal transplant in need of relatable re-engineering.
Contextualizing Legal Transplant
When the concept or rule of legal transplant, a tool of comparative legal methodology, was conceived by Watson in the seventies, it did not particularly appeal to academics' review interests until the dawn of the millennium, when researchers began to describe the 'invention' as 'seminal', 'magisterial', 'landmark' and an 'indelible imprint' [7-13]. Notwithstanding the scathing critiques that followed his theory, Watson's theory remains the academic foundation of a method of comparative law that conceptualises the development of law by borrowing from other jurisdictions with (or without) similarities in history and the other factors that influence legislative interventions [14]. In other words, a legal framework can conveniently combine mixed legislative approaches. He buttresses his position with the argument that, where legal rules or principles are similar across countries, transplantation ought to be seamless regardless of psychological or historical differences [15].
Without discounting the impact of legal transplanting on legal development, the reviewers of Watson's theory have argued that any assessment of the feasibility of legal transplant across geographical divides must necessarily include the cultural, socio-political and historical realities of the borrower or recipient of the transplant [16-17].
There is no gainsaying that legal transplant has been adopted in many areas of the law, with varying levels of success or failure. Miller considers the failures, especially along the broad lines of legitimacy, a strong system of governance, cost-efficiency, external pressure, internal entrepreneurial interests, etc [18].
Within the context of data protection, even in Europe, the GDPR's catchment area, and despite the regulation's direct applicability in member states, indiscriminate legal transplant of its provisions has been deemed impracticable or unfitting in some sectors [19]. Referencing Bradford's theory of the Brussels Effect, Schwartz identifies certain models for justifying the legal transplant of EU data protection law, hinged on large markets, regulatory capacity, persuasion, cultural proclivities, etc. [20-23].
For Nigeria, in her characteristic legal transplantation drive, the many failed legislative attempts at enacting a principal data protection law had been fashioned after the UK Data Protection Act and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), with varying implications and consequences [24]. This pattern continued up until the issuance of the NDPR and the subsequent enactment of the NDPA, with both pieces of legislation mirroring the GDPR in material respects.
Familiar Objectives
Instructively, the NDPA does not recognise data protection as a fundamental right; rather, it borrows the protection of "fundamental rights and freedoms" from the GDPR and goes further to extend that protection to all the fundamental rights under Chapter IV of the Nigerian Constitution [25]. Unlike the NDPA, the GDPR repeatedly references 'fundamental rights and freedoms' to put the ambit of its protection beyond conjecture [26]. For the NDPA, this raises some concerns, to wit: the NDPA's long title is clear enough to reveal that the Act specifically protects personal information and sundry matters, but the inclusion of fundamental rights unrealistically widens the scope to cover all fundamental rights under the Nigerian Constitution [27,28]. For context, the Nigerian Constitution guarantees the right to life, personal liberty, the dignity of the human person, freedom of association, freedom of movement and the right to own and acquire immovable property [29]. Hence, while some of these rights are connected or incidental to the protection of personal information, others are not. The ambitious provision gives the wrong impression that the Act can be relied on for the protection of all fundamental rights and freedoms. Even though this wording is found in the GDPR, it does not accord with the legal logic practicable in Nigerian courts [30]. Only the Nigerian Constitution guarantees all fundamental rights and freedoms in one document; hence the inclusion of the phrase in the NDPA is only cosmetic. It will face avoidable procedural and enforcement pushbacks and bottlenecks.
Extraterritorial Reach
While the extraterritorial reach of the GDPR's provisions is still a subject of unresolved scepticism and critique, the NDPA repeats the same ambitious expression of intention to regulate activities outside its geographical territory [31-33]. Apart from the reality that the NDPA suffers substantially the same extraterritorial faults as the GDPR, Nigerian courts may struggle with jurisdictional and legitimacy issues when dealing with the landmines associated with some digital platforms as subjects of transnational and international law [34-36].
Further complications may also arise from terms of use on choice of law or forum when the relationship between digital platforms and users is viewed through the prism of contract, which often invokes the jurisdiction clause. Ultimately, in Morah, the Nigerian Supreme Court hinted at the possibility of a law being extraterritorial in application if such an enactment is not restricted by territory [37].
Personal or household processing (Exception or exemption)
Regardless of the historical objectives of data protection legislation to regulate the free flow and businesses' use of personal data, the Lindqvist judgement has shown that, by the nature of their activities on the Internet, private persons process as much data as corporate entities [36,39]. In formulating this exemption in Europe, the draftsmen and policymakers approached their decision from constitutional and regulatory perspectives. They were of the opinion that subjecting personal use to data protection dictates would not only intrude into people's private lives, but that enforcement of statutory obligations against private persons may also be impracticable [40].
Rather than fine-tune this exemption (along the lines of nature of interest, objectives, gains and access) in the light of current realities around the 'private and personal' use of the Internet and digital platforms, especially in Nigeria, the NDPA imports the exemption under the GDPR without any holistic re-evaluation of its ramifications and mechanisms for the Nigerian environment. Under the GDPR, personal or household processing by a natural person with no business or commercial connection is exempted from the fangs of the regulation with no further qualification [41]. In applying this comparatively clear exemption, the European courts have established two basic considerations, to wit: (a) publication beyond the private sphere into public space, and (b) unrestricted access by a large number of people [42].
Unlike the 'sweeping' provision under the GDPR, the NDPA makes the personal or household exemption almost aesthetic by the proviso that 'the purpose does not constitute a violation of the fundamental right to privacy of a data subject' [43, 44]. This makes a mockery of the exemption in the first place, since the NDPA was, among other objectives, enacted for the protection of privacy. How then does one exempt an activity from privacy legislation on the one hand and then 'erase' the exemption where the activity violates privacy? This appears a legislative merry-go-round. Secondly, since under Nigerian law the enforcement of fundamental rights is horizontal, one wonders why privacy is singled out under this exemption when the entire NDPA seeks to enforce all fundamental rights and freedoms. What is more, as with some other crucial terms, the NDPA omits to define 'personal or household activities' and thereby makes an inherently complicated concept even more contentious [45].
Again, instead of a wholesale exemption, the NDPA ought to have (un)learnt from the GDPR's broad exemption (which requires the court's intervention) by providing for partial exemption of personal and household processing from certain obligations under the Act, in a similar fashion to the commendable selective exemption of activities carried out by competent authorities from the fangs of data protection [46]. The absolute exemption of processing for journalistic or academic purposes under the NDPA is neither GDPR-like nor well thought out [47]. Exuding an appearance of inelegant drafting and typographical error, the NDPA subjects the journalistic exemption to a public-interest purpose and then puzzlingly provides that data subjects' rights must be 'incompatible' with such purposes [48].
The inclusion of data processed for legal claims or court proceedings under the exemptions not only directly 'confronts' the lawful basis of processing for legal obligations; a notion that encourages court proceedings to be immune from privacy and data protection obligations is also inimical to the whole essence of the protection offered by the concept [49,50]. Even the GDPR does not absolutely exclude legal claims from its scope of application; rather, it only compartmentalises legal claims with respect to the necessity for data retention, the exercise of the right to object and the facilitation of cross-border transfers [51].
Some procedural rules of courts in Nigeria, like their counterparts in Europe, often recognise the desire for data protection in general or specific circumstances before, during or after court proceedings. For example, the Matrimonial Causes Act empowers the court to limit access to or restrict the publication of certain personal data in divorce suits in the interest of the parties' or third parties' privacy [52]. Against the order of provisions, and in one fell swoop, the Act overrides all exemptions by imposing a duty of care on all controllers and processors, together with an obligation to comply with all principles, by inserting the words "notwithstanding anything" [53]. In terms of application and scope, this may breed unquantifiable confusion. Inexplicably, the NDPA impliedly absolves 'competent authorities' of the obligations to seek and obtain consent, honour data subjects' rights, conduct a DPIA, take precautionary measures when processing sensitive data, verify children's age and ensure data security, since these are omitted from the list of obligations provided under section 3(2). This inelegantly drafted provision waters down the potency of the NDPA, especially in terms of the obligations placed on public bodies [54]. In all of this, the question that arises is: what exactly is exempted from the ambit of the NDPA? This rhetorical question is one the data protection authority (DPA) may have to answer by supplementary regulations or guidelines.
Independence of the Data Protection Authority (DPA)
Regardless of her non-domestication of the ECOWAS Supplementary Act, Nigeria's international obligation to establish an independent data protection authority subsists under the Act [55]. The NDPA shows a lukewarm attitude to the independence of the Nigerian DPA by expressing a desire for independence in one breath and then taking away the likelihood of independence through the appointment of officers on a cabinet minister's recommendation, insecure tenure of office threatened by an unchecked power to hire and fire, and the slavish provision that subjects the DPA to the directives of the minister on issues of policy and statutory functions [56-58]. Even though the ECOWAS Court is dismissive of speculation that such a constituted system is prone to executive interference, Nigeria's antecedents point to the timidity of such executive bodies when other government agencies are responsible for data breaches [59, 60]. Conversely, the Information Commissioner's Office (ICO) in the United Kingdom demonstrated a measure of independence in an enforcement drive that saw a sanction imposed on the Cabinet Office for a data breach [61]. The Nigerian DPA appears to have been statutorily established with 'interference by default and design.' This feature will undoubtedly hamper its inter-government enforcement of data protection.
Data (Protection or Privacy) Impact Assessment (DPIA) [52]
Data protection law and practice are plagued with many semantic arguments and contentions, even when terms and concepts bear (almost) the same meanings. The regular contests are between personal data and personally identifiable information; data privacy and data protection; principles of data protection and principles of data processing, etc. [62-64]. Armed with the benefit of these semantic choices, the drafters of the NDPA could have consistently picked their preferred term and run it through the entire document. Instead, the legislation crisscrosses between 'data protection' and 'data privacy' by referencing these concepts in different contexts [65]. The draftsmen's indecision on conceptual preferences visibly appears in the provision for data privacy impact assessment [66]. In the marginal note, the preferred term is data privacy impact assessment, while in the body of the section, data protection impact assessment is used [67]. While it may be argued that such interchangeable use of similar terms is inconsequential, accuracy is one of the principles of data protection, and it is in Nigeria's interest that her law on data protection is consistent in the terminology and concepts adopted.
Historically, Article 35 on DPIA was inserted into the GDPR as an obligation on controllers or processors to investigate and evaluate identified risks associated with the deployment of certain technologies in their business activities [68]. As laudable as this statutory obligation appears, the GDPR's reservation of DPIA for processing 'likely to result in a high risk to the rights and freedoms of natural persons' [69, 70] seemingly subjects the decision to conduct a DPIA to the whims of controllers and processors, notwithstanding the provision of article 35(3)(a)-(c) listing the required circumstances. In analysing some drawbacks of the obligation to conduct a DPIA under the GDPR, Kloza et al. argue that opponents doubt its efficacy, "pointing out the broad discretion often afforded as to whether and how such impact assessments should be conducted" [71]. They further note that: "The GDPR leaves data controllers some amount of discretion in carrying out a DPIA, at least in two aspects: first, in determining whether the envisaged processing operations fall within the predefined high-risk criteria; second, in whether residual risks are sufficiently high so as to trigger the DPA consultation obligation" [72].
In Nigeria’s case, there are no travaux préparatoires on the NDPA to establish whether the draftsmen were aware of this shortcoming under the GDPR yet went ahead to adopt the approach short of providing examples of processing activities requiring DPIA as done under the GDPR [73-76].
Transplanting the GDPR's 'discretionary' approach will be counterproductive for a new data protection regime like Nigeria's, where businesses and the entire ecosystem do not have the benefit of precedents or relatable guidance on when a DPIA is mandatory or optional. To build a strong industry, and since the NDPR already provides for self-audit, the NDPA should also have mandated, at least for all controllers and processors 'of major importance' or for specific controllers, the periodic identification of (high and low) risks in their data management through a DPIA [77-79]. The obligation can then trickle down to the other cadres of controllers and processors as the new Act gathers momentum. This will not only increase the desired data protection awareness; it will also improve the culture of compliance and generally reduce the risks of privacy violations in the ordinary course of business.
Unsurprisingly, the NDPA repeats two questions left unanswered in the GDPR, to wit: first, how does a controller ascertain when the regulated type of processing activity will violate privacy rights without first performing some sort of assessment? And secondly, how does one differentiate high risks from other levels of risk? If such an (un)documented mechanism exists in Europe, it is certainly unknown to the budding Nigerian industry; hence a DPIA ought to be the standard rather than the exception, especially for certain categories of controllers and processors [80-83].
Omission of Data Protection by Design and By Default
Under the GDPR, in demonstrating compliance with the obligation to ensure organisational and technical measures, controllers are enjoined to build their systems with data protection by design [84-87]. The transplanted provisions of the NDPA on controllers' obligations pertaining to DPIA, accountability and technical and organisational measures presented a (missed) opportunity for the draftsmen to introduce the concept of data protection by design and by default as a tool for mitigating privacy risks in the usual processing of personal data contemplated thereunder. Data protection by design inherently awakens the consciousness of controllers to build systems which contemplate privacy risks from the earliest stage of development. Hence, the objectives of a DPIA are achieved with minimal effort and remarkable accuracy as far as privacy risks are concerned [88]. Since DPIAs are meant to be conducted as precautionary procedures, the NDPA ought to have prescribed privacy by design to be incorporated and embedded into the processing cycle as a proactive rather than a reactive measure [89-93].
Age of Consent
Prior to Nigeria's consciousness around data protection, many pieces of legislation had defined the parameters of a child's age, including: a person aged 14 years; a person under twenty years; a person before puberty; or a person who has not reached the age of discretion [94-98]. Again, the NDPA's preference for 13 years as the age of consent was (un)arguably influenced by the GDPR, which sets 16 years as the default and allows member states to lower it to as low as 13 [99]. In similar terms, the uncertainty surrounding the adequacy of protection for children engendered by this optional digital age of consent in Europe is blindly copied by the NDPA's subsequent reference to the Child's Rights Act, which sets the age of consent at 18 years [100]. Overall, the section needs to be clarified by the Nigerian DPA, especially when subsection 5 is closely analysed with respect to its reference to a 'child of 13 years and above.' What then happens to children below 13 years? This is another clear example of bad drafting.
Right to Data Portability
In a bid to compulsorily provide for a right to data portability using (the undefined) 'structured, commonly used, and machine-readable format' as found in the GDPR, the NDPA exhibits another drafting error: the existence of a right to data portability is to be guaranteed by the DPA on the one hand, yet the succeeding paragraph entitles the data subject to enjoy the (yet to be established) right [101]. The confusion continues when the next subsection empowers the DPA to stipulate the circumstances for the exercise of the right. While it is conceded that data portability may not always be readily exercisable given technological capacity, the preceding paragraph that empowers the DPA to "establish" the right by regulation makes the provision, as it stands, toothless and otiose. The provision also raises the question of whether a right to data portability is not already in existence in Nigeria. The ready-made affirmative answer is found in the mobile number portability programme deployed in Nigeria since 2013, which empowers telephone subscribers to migrate their telephone numbers from one service provider to another [102].
Cross Border Transfers
The NDPA belongs to the 'new generation' of data protection laws in Africa, and one would have expected it to take a lead from the gaps in the GDPR and plug them in a manner relatable to the peculiarly Nigerian environment. While the GDPR does not define 'establishment' or 'main establishment,' it does define 'cross-border processing' within the context of data flows in the EU; although a faulty definition, it represents a guide towards approaching cross-border transfers of personal data to third countries [103]. While copying the GDPR's approach to cross-border transfers out of Europe, the NDPA indiscriminately and counterproductively restricts the cross-border flow of personal data to all countries, including African countries with whom Nigeria shares a single-market bond under the Agreement Establishing the African Continental Free Trade Area (AEAfCFTA) [104, 105]. The NDPA's omission to define cross-border transfer further subjects its meaning to conjecture and the whims of the DPA, and this will breed its own species of conceptual and enforcement problems.
Adequate Level of Protection: A Neo-Colonialist Concept?
The adequacy requirement gained prominence under the repealed EU Data Protection Directive 95/46/EC and continues under the GDPR regime [106]. Even though the test focuses on the cross-border flow of personal data, its fangs are not directed at entities within the EU but at 'third countries' outside the Union [107]. Apart from the desire to ease the free flow of personal data within the EU, the adequacy requirement was conceived as a pressure tool 'providing a clear and public incentive to those third countries still in the process of developing their system of protection' [108].
Given this background, the transplantation of this strictly European concept of adequacy, a tool of economic and socio-political influence on developing countries in particular, into the NDPA was not well thought out or debated, since it does not serve any identifiable or relatable purpose under Nigerian law as it stands. In a copy-and-paste approach, while the European Commission makes adequacy decisions based on the existence of data protection rules, effective administrative and judicial redress for data subjects, an independent supervisory authority, international commitments, etc., the Nigerian legislation repeats all or most of these assessment yardsticks in a reworded order [109].
Rather, Africans, and Nigerians in particular, need to re-evaluate the objectives of the adequacy requirement and then consider whether they align with their country's current needs as far as transborder personal data flows are concerned. This soul-searching is particularly important when the objectives of the relatively new AEAfCFTA are considered vis-à-vis the ease of doing cross-border business among African countries and beyond [110].
Enforcement and Compliance
Even after more than five decades of data protection in Europe, enforcement is still largely a mirage [111]. The searchlight is usually on big tech, yet the sanctions are either subject to protracted legal challenges or do not sufficiently serve their anticipated deterrent billing. Interestingly, in contrast to the non-custodial sanctions under the GDPR, and to boost its enforcement drive, the NDPA donates a power of arrest to the DPA in the marginal notes but omits such a power in the text of the provision [112, 113]. Even though the GDPR is bereft of arrests and custodial sentences, the NDPA would have somewhat weaned itself off the European regulation's influence if it had followed through on its provision on imprisonment with an actual power to effect or initiate arrests [114].
Definitional Omissions and Paradoxes
It is now clichéd that the NDPA, like its predecessor the NDPR, substantially mirrors the GDPR [115]. Regardless, the meaning of terms and concepts in the NDPA could have been tweaked to reflect Nigerian realities and peculiarities. Since the GDPR does not define salient terms like anonymisation or anonymous personal data, joint controllers, vital interest, sex life and personal or household processing, the NDPA also fails to define these terms. The GDPR has six provisions on biometric data; hence, defining the term in the regulation is more expedient than in the NDPA, which only references biometric data in a list of sensitive data with no further qualification or provision on the term [116].
The definition of biometric data in the GDPR was substantially lifted into the NDPA, except for the far-reaching substitution of 'natural person' in the GDPR with 'individual' in the NDPA [117-118]. While the term 'natural person' as used in the GDPR harbours little or no semantic confusion as to its ambit, the word 'individual' under Nigerian law is capable of referring to an artificial entity or legal contraption [119]. This creates some confusion about the meaning of biometric data, which is exclusively an attribute of natural organisms, especially since it involves the analysis of human physiological or behavioural features such as fingerprints [120].
Like the GDPR, the NDPA defines personal data only in terms of "information," thereby ignoring the interplay of the documents bearing this information. Without necessarily repeating the GDPR's definitions, the NDPA could have explored or traced the elasticity of personal data to certain documents that are inseparable from the information they carry. For example, specific documents like international passports, birth certificates and driver's licences are almost inseparable from their embedded information; hence they can themselves constitute personal data [121].
The NDPA curiously defines sensitive data within the context of the special categories of personal data in article 9 of the GDPR, but to the exclusion of sexual orientation. Again, the NDPA misses an opportunity to include other categories of personal data that are realistically sensitive in the Nigerian environment, e.g. income and financial details, next of kin, family life data, criminal records, trade secrets, contact addresses, usernames, passwords and credit or debit card details [122-123]. Lifting from the GDPR, the NDPA also includes 'sex life' in its definition of sensitive data without considering the impracticality of such an inclusion, especially given the expansive definition of the term, which includes a person's sexual activities and relationships [124]. The (unintended) implication is that the processing of a person's marital status, family information and even social life may be covered by the potentially nebulous notion of 'sex life.'
The NDPA defines 'processing' in substantially identical terms to the GDPR, but the Nigerian law strangely ends its definition by excluding data in transit thus: 'and does not include the mere transit of data originating outside Nigeria' [125]. While it remains unknown why the draftsmen excluded the transit of data from the definition, the decision is self-contradictory, not only because the definition of processing includes transmission, but also in light of controllers' obligation to secure the 'transmission of data over an electronic communication network' and the extraterritorial ambitions of the NDPA [126].
Some Novelties
Notwithstanding its substantial reproduction of some provisions of the GDPR, the NDPA earns some commendation for certain innovative inclusions, for whatever they are worth. The NDPA's categorisation of controllers along the lines of their major or minor 'importance' is peculiar to Nigeria, even if the immediately suspected motive is revenue generation through registration and the like [127]. The objective of the dichotomy is also found in the draftsmen's reluctance to burden SMEs and private persons with the onerous responsibility of fulfilling data protection obligations ideally reserved for larger firms. For example, controllers of major importance are duty-bound to engage data protection compliance organisations, which file compliance returns on their behalf, to appoint data protection officers, etc. [128, 129].
Right from the NDPR days, the Nigerian data protection legal framework has enjoyed the pedigree of being the first to introduce a non-governmental compliance agent as another player in the enforcement cycle. Styled 'Data Protection Compliance Organisations' (DPCOs), these entities are licensed by the DPA to 'monitor, audit and report compliance' by controllers to the DPA [130]. This 'innovation' is not, however, entirely alien to the GDPR, which also contemplates a similar entity with requisite expertise, accredited under article 41(1) to monitor compliance [131].
Interestingly, the NDPA converts the data subject's right to information on processing activities into a controller's obligation to inform data subjects of processing activities at the earliest stage of processing, with little or negligible legal implications [132]. In unmistakable terms, following through on this obligation, the NDPA mandates that such information be provided through a 'clear, concise, transparent, intelligible, and easily accessible' privacy policy [133]. To bolster its compliance and enforcement drive, the Nigerian DPA is empowered to enter premises and search for and seize evidence under a warrant issued by a competent court [134]. Even by European standards, these are unconventional powers for a supervisory authority under the GDPR, from which the NDPA derives undeniable inspiration [135].
Undoubtedly, what constitutes sensitive personal data varies per jurisdiction, and its categorisation is influenced by the degree of risk, online computing, developments in data mining techniques, the fluidity of use for untoward purposes, etc. [136]. For example, certain Nigerian legislation recognises usernames, passwords and financial records as sensitive data [137]. Perhaps the reality that the rapid development of technology continues to widen the categories of sensitive personal data is not lost on the draftsmen; hence the NDPA empowers Nigeria's DPA to make regulations classifying other kinds of personal data as sensitive within the context of data protection and security [138].
Intriguingly, the draftsmen appreciate the enormity of the tasks awaiting the DPA with respect to the issuance of guidelines and regulations to give teeth to some provisions under the NDPA, hence they agreed that a new legal regime should not be ushered in by completely discarding the existing framework. This informed the transitional provision which on one hand transmutes the old institution – the Nigeria Data Protection Bureau – into the statutorily established Nigeria Data Protection Commission and on the other hand, preserves the old regulations to co-exist with the NDPA until repealed or replaced [139].
Costs of (Nonlocalized) Transplantation of the EU GDPR
Characteristically, legal transplants usually suffer adaptation problems where there exists cultural and socio-economic divergence between the ‘law borrowers’ and the ‘lenders.’ Smits notes that while it usually takes time to adapt, legal transplants have more chances of success when introduced without external pressure [140].
For the Nigerian legal environment, the federal government’s recent display of political will to enact a principal legislation in the NDPA is traceable to the World Bank’s digital identity project and its encouragement by funding Nigeria’s activities towards developing a legal framework on data protection [141].
Notwithstanding any demonstration of willingness by the Nigerian DPA to enforce the new Act, the consequences of the unlocalised transplantation of some provisions of the GDPR readily hamper the practicality, ramifications and implementation of the NDPA together with its imported concepts in Nigeria.
The downside to an unrelatable legal transplant is that, while some provisions are habitually ignored as a result of their unfitting or impracticable miens, others are inappropriately applied, hence yielding undesired or unprogressive results. For example, while the processing of sex life data will attract little or no regulatory attention even though it is statutorily robed with sensitivity, automated decision-making – an uncommon business practice in Nigeria – may not even be subjected to much scrutiny by the regulator since it is mostly unidentifiable given Nigeria’s current techno-economic development. The most striking legal transplant which may turn out otiose, moribund or completely cosmetic is found in the provisions on adequacy requirements. This is another regurgitation of a European concept which turns out impotent in practice as it adds little or no practical benefit to compliance. Ultimately, the predominantly unrelatable transplantation of some EU GDPR concepts and rules into the NDPA does not necessarily achieve the principal objective of privacy protection even where it ticks the boxes of regulatory compliance.
Conclusion
In any discourse on data protection, the EU’s role in the globalization of standards can never be discounted. However, Nigerian policymakers and draftsmen must be territory-sensitive when considering the adoption of existing precedents on concepts, procedures, systems and implementations on data protection. While the GDPR remains a global standard for data protection, the NDPA has an opportunity to (un)learn from European precepts to fashion out a bespoke compliance and enforcement mechanism for Nigeria. Without discounting the innovative introductions in the NDPA, its (almost) wholesale replication of GDPR’s principles, rights, concepts and mechanisms deserves some localized re-engineering to make it relatable and practicable for the Nigerian environment.
References
- Acting as a self-appointed data protection authority, the National Information Technology Development Agency (NITDA) momentarily regulated data protection in Nigeria by issuing the Nigeria Data Protection Regulation 2019 (NDPR).
- Guidelines for the Management of Personal Data by Public Officers 2020 and the NDPR Implementation Framework 2020.
- Aloamaka PC. Effective Data Protection in Nigeria: Challenges. Commonwealth Law Review Journal. 2022; 8: 656.
- Odusote A. Data Misuse, Data Theft and Data Protection in Nigeria: A Call for a More Robust and More Effective Legislation. Beijing Law Review. 2021; 12: 1284.
- Omotubora A. How (Not) to Regulate Data Processing: Assessing Nigeria’s Data Protection Regulation 2019 (NDPR). (2021) 2 Global Privacy Law Review. 2023.
- Emmanuel F. A Review of Digital Rights Lawyers Initiative v Unity Bank on Approaching the Administrative Redress Panel as a Condition Precedent to an Action Under the Nigeria Data Protection Regulation. The Gravitas Review of Business & Property Law. 2022; 13: 66.
- Omotubora A. How (Not) to regulate Data Processing: Assessing Nigeria’s Data Protection Regulation 2019 (NDPR). Glob Priv Law Review. 2021; 2: 186.
- Legrand P. The Impossibility of “Legal Transplants”. Maastricht Journal of European and Comparative Law. 1997; 4: 111.
- Watson A. Legal Transplants: An Approach to Comparative Literature (2nd Edition). 1993.
- Cairns JW. Watson, Walton, and the History of Legal Transplants. Georg J Intern and Comparat Law. 2012; 41:
- Carbonneau TE. Book Review. American Journal of Comparative Law. 2000; 48: 29.
- Lei C. Contextualizing Legal Transplant: China and Hong Kong. In: Methods of Comparative Law (Edward Elgar Publishing Ltd, 2012).
- Foster F. American Trust Law in a Chinese Mirror. Minnesota Law Review. 2010.
- Graziadei M. Legal Transplants and the Frontiers of Legal Knowledge. Theoretical Inquiries in Law. 2009; 10.
- Miller JM. A Typology of Legal Transplants: Using Sociology, Legal History and Argentine Examples to Explain the Transplant Process. The Amer J Comp Law. 2003; 51.
- Pagallo U, Bassi E. The Governance of Unmanned Aircraft Systems (UAS): Aviation Law, Human Rights, and the Free Movement of Data in the EU. Minds and Machines. 2020; 30: 439.
- Macenaite M, Kosta E. Consent for Processing Children’s Personal Data in the EU: Following in US Footsteps? Informat & Comm Technol Law. 2017; 26: 146.
- Bradford A. The Brussels Effect: How the European Union Rules the World (Oxford University Press, 2020).
- Schwartz PM. The Data Privacy Law of Brexit: Theories of Preference Change. Theoret Inq Law. 2021; 22: 111.
- Iwobi A. Stumbling Uncertainly into the Digital Age: Nigeria’s Futile Attempts to Devise a Credible Data Protection Regime. Transnat Law Contemp Problems. 2017; 26:
- Rodota S. Data Protection as a Fundamental Right. Reinventing Data Protection?
- Fuster GG. The Emergence of Personal Data Protection as a Fundamental Right of the EU. 2014.
- Tzanou M. Data Protection as a Fundamental Right next to Privacy? “Reconstructing” a Not so New Right. International Data Privacy Law. 2013; 3:
- See recitals 2, 4, 16, 47, 51, 53, 98, 111, 162; articles 1(1), 4(24), 5(1)(e), 9(2)(h), 9(1)(j), 22(2)(b), 45(2)(a) and 50(b) etc of the GDPR.
- In Aliu Bello v Attorney General of Oyo State (1986) LPELR-764(SC), Karibi-Whyte, JSC ruled on the essence of the long title in a legislation thus: ‘The long title of a statute is now accepted as an important part of it and may be relied upon as explaining its general scope and aids in its construction’.
- Constitution of the Federal Republic of Nigeria. 1999; 4.
- Gstrein OJ, Zwitter A. Extraterritorial Application of the GDPR: Promoting European Values or Power? 2021.
- Granmar CG. Global Applicability of the GDPR in Context. Internat Data Privacy Law. 2021; 11: 225.
- Azzi A. The Challenges Faced by the Extraterritorial Scope of the General Data Protection Regulation. J Intell Property, Informat Tech Elect Comm Law. 2018; 9: 126.
- Fabio B. Digital Platforms and Global Law. Edward Elgar Publishing. 2021.
- Joseph Morah v Federal Republic of Nigeria (2018) LPELR-44054 (SC).
- Warso Z. There’s more to it than Data Protection-Fundamental Rights, Privacy and the Personal/Household Exemption in the Digital Age. Comp Law Sec Rev. 2013; 29:
- Xanthoulis N. Negotiating the EU Data Protection Reform: Reflections on the Household Exemption. E-Democracy, Security, Privacy and Trust in a Digital World. 2014.
- GDPR, recital 18 and article 2(2)(c).
- Case C-73/07 Satakunnan Markkinapörssi and Satamedia [2008] OJ C 44/6; Case C-212/13 Rynes [2014] OJ C 46/6; Case C-25/17 Jehovan todistajat [2018] OJ C 319/7. See also
- Chen J. Who Is Responsible for Data Processing in Smart Homes? Reconsidering Joint Controllership and the Household Exemption. Internat Data Priv Law. 2020; 10: 279.
- Rucz M. SLAPPed by the GDPR: Protecting Public Interest Journalism in the Face of GDPR-Based Strategic Litigation against Public Participation. J Media Law. 2022; 14: 378.
- NDPA, section 3(1).
- In Cletus Madu v J.S. Neboh (2001) FWLR (Pt. 52) 2271, the Nigerian Court of Appeal confirmed that: “A person whose fundamental right has been infringed by a private individual can maintain an action under the Enforcement Procedure Rules of the Fundamental Rights against the person who committed the wrong. In other words, contrary to the pronouncement by the lower court, a victim of human right inflicted by a private person is not precluded from seeking a redress under the Fundamental Rights (Enforcement Procedure) Rules 2009 against the person who committed the wrong as redress to be ventilated under that procedure is not limited to the wrong committed by the State or government.” See also Igwe IO, Nwocha ME, Steve AA. Enforcement of Fundamental Rights in Nigeria and the Unsolved Issue of Poverty among the Citizens: An Appraisal. Beijing Law Review. 2019; 10: 1.
- For example, crime and public health emergency control by competent authorities etc. are exempted from certain obligations apart from compliance with the principles of data processing, appointment of a data protection officer and liability for data breach. See NDPA, section 3(2)(a)-(e).
- The GDPR provides for derogations for journalistic and academic purposes only when they are necessary to balance the interests of freedom of expression and data protection. See article 85(2).
- NDPA, section 3(2)(d).
- NDPA, section 3(2)(e).
- Olumide B. Who Will Bell the Cat? Developing an Inclusive Information Privacy Culture for the Nigerian Judiciary. Gravitas Rev Buss Property Law. 2023; 14: 81.
- GDPR, recital 65, article 21(1) and 49.
- Oviasu FE, Oviasu VO. LPELR–2836 (SC). Section 108 of the Matrimonial Causes Act provides that. 1973.
- NDPA, section 24(3).
- NDPA, section 3(2)(a)-(e).
- Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS.
- NDPA, section 7.
- NDPA, section 14(1).
- NDPA, section 60.
- See Incorporated Trustees of Digital Rights Lawyers Initiative v Federal Government of Nigeria (No. ECW/CCJ/JUD/02/23), the Community Court of Justice of the ECOWAS ruled on the independence of Nigeria’s supervisory authority thus: “Regrettably, the Applicant fails again to provide any evidence of the composition of NITDA or why it lacks the independence required under the law. As stated earlier in this judgment, the Applicant has left the Court to assume that it cannot be independent simply because NITDA is connected to the government. However, most data protection authorities are set up by the government, and it is not this ministerial act which determines independence but the operational mechanisms of the body. In this regard, Applicant ought to have demonstrated how the current organizational structure and execution of NITDA undermines its independence as envisaged under the Act.”
- Okedara S. Nigeria Immigration Service and the Burden of Data Protection. Glob Freed Express. 2019.
- Cabinet Office Fined £500,000 for New Year Honours Data Breach. 2022.
- Binns R. Data Protection Impact Assessment: A Meta-regulatory Approach. Internat Data Priv Law. 2017; 7: 22-35.
- Wright D, Hart PD. Privacy Impact Assessment. 2012.
- Narayanan A, Shmatikov V. Myths and Fallacies of “Personally Identifiable Information”. Communications of the ACM. 2010; 53: 24.
- Bygrave LA. Privacy and Data Protection in an International Perspective. Scandina Stud Law. 2010.
- On data protection, see sections 1(1)(f), 5(b), (c), (j), 28(2), 32, 33, and for data privacy, see sections 28 and 58.
- NDPA, section 28(1).
- Under Nigerian law, marginal notes do not necessarily form parts of the law, but they provide reference and guidance. See Osun State Electoral Commission v Action Congress (2010) LPELR-2818(SC).
- Bieker F, et al. A Process for Data Protection Impact Assessment under the European General Data Protection Regulation. In: Schiffner S, et al (eds). Privacy Technol Policy. 2016.
- GDPR, article 35(1).
- Kloza D, et al. Data Protection Impact Assessments in the European Union: Complementing the New Legal Framework towards a More Robust Protection of Individuals. Policy Brief D.Pia.Lab. 2017; 1.
- Article 35(2) GDPR expressly requires DPIA in cases of: “(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.”
- Nigeria Data Protection Regulation, reg. 4.1(5).
- The NDPA dichotomised controllers and processors along the line of their processing activities. See section 65.
- Binns R. Data Protection Impact Assessments: A Meta-Regulatory Approach. Internat Data Privacy Law. 2017; 7: 22.
- Mulder T, et al. New European Privacy Regulation: Assessing the Impact for Digital Medicine Innovations. European Psychiatry. 2018; 54: 57.
- Clarke R. An Evaluation of Privacy Impact Assessment Guidance Documents. Internat Data Privacy Law. 2011; 1:
- Bygrave LE. Data Protection by Design and by Default?: Deciphering the EU’s Legislative Requirements. Oslo Law Review. 2017; 4: 105.
- Danezis G. Privacy and Data Protection by Design - from Policy to Engineering. 2014.
- Hildebrandt M, Tielemans L. Data Protection by Design and Technology Neutral Law. Computer Law Securit Rev. 2013; 29: 509.
- Veale M, Binns R, Ausloos J. When Data Protection by Design and Data Subject Rights Clash. International Data Privacy Law. 2018; 8: 105.
- Cavoukian A. Privacy by Design, the 7 Fundamental Principles. 2011.
- Okwueze v Okwueze (1989) 3 NWLR (Pt. 159) 321 and Okon v State (1988) 1 NWLR (Pt. 69)172.
- Pasquale L, et al. Digital Age of Consent and Age Verification: Can They Protect Children? IEEE Software. 2022; 39: 50-57.
- Hert PD. The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services. Computer Law & Security Review. 2018; 34: 193.
- Wong J, Henderson T. The Right to Data Portability in Practice: Exploring the Implications of the Technologically Neutral GDPR. Internat Data Privacy Law. 2019; 9: 173.
- Vanberg AD. The Right to Data Portability in the GDPR: What Lessons Can Be Learned from the EU Experience? Journal of Internet Law. 2018; 21: 12.
- NDPA, section 38.
- Bakare B, Kukuchuku S. Assessment of Mobile Number Portability (MNP) in Nigeria. 2019; 9: 15.
- Nimako SG, Ntim BA, Mensah AF. Effect of Mobile Number Portability Adoption on Consumer Switching Intention. Internat J Market Stud. 2014; 6: 117.
- Abdramon O, Veronica O. Evaluation of Subscriber Attitude to Mobile Number Portability Implementation in Nigeria. 2012; 3.
- As of June 2023, the NDPA was the most recent data protection law in Africa.
- The GDPR has been reviewed from many perspectives. For some reviews, see
- Teixeira GA, Silva MMD, Pereira R. The Critical Success Factors of GDPR Implementation: A Systematic Literature Review. Digital Policy, Regulation and Governance. 2019; 21: 402.
- Politou E, Alepis E, Patsakis C. Forgetting Personal Data and Revoking Consent under the GDPR: Challenges and Proposed Solutions. Journal of Cybersecurity. 2018; 4.
- Sirur S, Nurse JRC, Webb H. Are We There Yet? Understanding the Challenges Faced in Complying with the General Data Protection Regulation (GDPR). Proceedings of the 2nd International Workshop on Multimedia Privacy and Security. 2018.
- Christofidou M, Lea N, Coorevits P. A Literature Review on the GDPR, COVID-19 and the Ethical Considerations of Data Protection during a Time of Crisis. Yearbook of Medical Informatics. 2021; 30: 226.
- GDPR, article 4(23).
- Guaman DS, Alamo JMD, Caiza JC. GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Apps. 2021; 15961.
- Voss WG. Cross-Border Data Flows, the GDPR, and Data Governance. Washing Internat Law J. 2019; 29: 485.
- Sullivan C. EU GDPR or APEC CBPR? A Comparative Analysis of the Approach of the EU and APEC to Cross Border Data Transfers and Protection of Personal Data in the IoT Era. Comp Law Secur Review. 2019; 35: 380.
- Minssen T, et al. The EU-US Privacy Shield Regime for Cross-Border Transfers of Personal Data under the GDPR: What Are the Legal Challenges and How Might These Affect Cloud-Based Technologies, Big Data, and AI in the Medical Sector? Europ Pharmaceut Law Rev (EPLR). 2020; 4:
- Liss J, et al. Demystifying Schrems II for the Cross-Border Transfer of Clinical Research Data. J Law Biosci lsab. 2021; 8: 32.
- The GDPR presumes adequacy in favour of member states but requires third countries to pass the adequacy test (or provide other safeguards) before data can flow to them. See
- Roth P. Adequate Level of Data Protection in Third Countries Post-Schrems and under the General Data Protection Regulation. J Law, Informat Sci. 2017; 25:
- Salami E. Implementing the AfCFTA Agreement: A Case for the Harmonization of Data Protection Law in Africa. J Afri Law. 2022; 66: 281.
- Sucker F, Beyleveld A. Cross-Border Data Flows in Africa: Policy Considerations for the AfCFTA Protocol Digital Trade. 2023.
- GDPR, article 45.
- GDPR, article 45(8).
- Roth P. Adequate Level of Data Protection in Third Countries Post-Schrems and under the General Data Protection Regulation. J Law, Inform Sci. 2017; 25:
- NDPA, section 42(2)(a)-(f).
- Unlike the EU’s approach to the flow of data to ‘third countries’, Africa lacks ‘a unified approach’ to the free flow of data across and outside the continent. See
- Sucker F, Beyleveld A. Cross-Border Data Flows in Africa: Policy Considerations for the AfCFTA Protocol Digital Trade. 2023;
- Hlomani H, Ncube CB. Data Regulation in Africa: Free Flow of Data, Open Data Regimes and Cybersecurity. In: Ndemo B, et al (eds). Data Governance and Policy in Africa. 2023.
- Voigt P, von dem Bussche A. Enforcement and Fines under the GDPR. In: Voigt P, von dem Bussche A (eds). The EU General Data Protection Regulation (GDPR): A Practical Guide. 2017.
- The GDPR only prescribes administrative fines and other civil corrective measures. See articles 70(1)(j) and 83.
- NDPA, section 58.
- NDPA, sections 49(1)(b) and 58(3).
- Babalola O. The EU GDPR and Nigeria’s NDPR: A Comparative Analysis. J Data Protec Priv. 2016; 6: 372.
- The GDPR, article 4(14), defines biometric data as: ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.’
- Defines biometric data as ‘personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis’
- The NDPA defines ‘biometric data’ as: “…personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis”
- In the decision in Alhaji Aliyu Ibrahim v Judicial Service Committee (1998) 14 NWLR (Pt. 584) 1, the Nigerian Supreme Court defines ‘individual’ thus: “The words "as individuals" do not necessarily refer at all times to natural persons. To the exclusion of artificial persons, public bodies or persons who go by their official titles, such as an Attorney-General or a permanent secretary. In my view, the word "individual" may, in appropriate cases, be construed in law as extending not only to natural persons but to artificial persons as well.”
- Jasserand CA. Avoiding Terminological Confusion between the Notions of “Biometrics” and “Biometric Data”: An Investigation into the Meanings of the Terms from a European Data Protection and a Scientific Perspective. International Data Privacy Law. 2016; 6: 63.
- For example, the Federal High Court in Nigeria has declared a high school certificate as personal data in Nlemoha v West Africa Examination Council (Suit No. FHC/L/CS/342/2019); see Babalola O. Casebook on Data Protection (Noetico Repertum, Lagos, 2020) 97.
- For example, the Nigerian Cybercrime (Prevention, prohibition, etc) Act, defines ‘phishing’ as attempts to access sensitive data such as usernames, passwords and credit card details. See section 58.
- Recital 75 and Article 9(1) of the GDPR designate a natural person’s sex life as a special category of personal data that must not be processed except where certain safeguards or legal bases exist but no literature exists on the justification or explanations of its inclusion in the special categories.
- NDPA, section 65.
- NDPA, section 33(2)(e).
- NDPA, sections 44 and 45.
- NDPA, sections 6(d), 33 and 61(1)(g).
- NDPA, section 32.
- NDPA, sections 5(c) and 33.
- Babalola O. Data Protection Compliance Organizations (DPCO) Under the NDPR, and Monitoring Bodies under the GDPR: Two Sides of the Same Compliance Coin? Global Privacy Law Review. 2022; 3: 98.
- NDPA, section 27(1).
- NDPA, section 27(3). The appropriate nomenclature could read a policy or a notice depending on the use and audience. See
- Jensen C. Privacy Policies as Decision-Making Tools. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2023.
- Schaub F, Balebako R, Cranor LF. Designing Effective Privacy Notices and Controls. IEEE Internet Computing. 2017; 21: 70.
- NDPA, section 58(3)(d).
- Supervisory authorities in Europe wield investigative powers; review certifications; can gain access to premises; issue warnings; issue reprimands; issue compliance orders; issue bans; order suspension of data flows etc. but nothing in the GDPR expressly confers them with powers to seize items or arrest suspected offenders like their Nigerian counterpart. See articles 57 and 58 GDPR.
- Quinn P, Malgieri G. The Difficulty of Defining Sensitive Data: The Concept of Sensitive Data in the EU Data Protection Framework. German Law J. 2021; 22: 1583.
- NDPA, section 30(2).
- NDPA, section 64.
- Smits JM. Elgar Encyclopedia of Comparative Law (Edward Elgar Publishing, 2006).
- Tunji S. Buhari Failed to Sign Data Protection Bill despite W’Bank Funding. 2023.