Protecting Nigerians from data breaches

In an increasingly digitized world, data has become the new currency, influencing everything from commerce to governance. Personal information is now stored, processed, and shared at an unprecedented scale, making data protection a matter of paramount importance. With the rapid adoption of technology across Nigeria, including in banking, telecommunications, e-commerce, and public services, the volume of personal data collected and stored has exploded. This data includes sensitive information such as biometric details, financial records, medical histories, and more. Unfortunately, this digital expansion has not been matched by adequate safeguards. In today’s interconnected world, data breaches have become a critical concern, posing severe risks to personal privacy, business integrity, and national security.

Nigeria, as Africa’s largest economy and a hub for technological innovation, is increasingly vulnerable to data breaches. Although strides have been made to establish a framework for data protection, significant gaps remain in terms of existence, compliance, and enforcement. Nigeria’s primary regulation for data protection is the Nigeria Data Protection Regulation (NDPR), introduced in 2019 by the National Information Technology Development Agency (NITDA). The NDPR was established to ensure the privacy of Nigerian citizens and residents by regulating the collection, processing, storage, and transfer of personal data. It is modeled, in part, on international frameworks like the European Union’s General Data Protection Regulation (GDPR) but is uniquely tailored to the Nigerian context. The NDPR outlines several key provisions, including data privacy rights, consent requirements, breach notification, and data security measures. While the NDPR lays a strong foundation, its enforcement has been fraught with challenges, limiting its impact. Challenges in compliance and enforcement are evident in limited awareness, weak enforcement, overlapping jurisdictions, lack of cyber-security infrastructure, and minimal public-private collaboration. A significant portion of businesses and individuals remain unaware of the NDPR and its requirements.

Many organizations, particularly small and medium-sized enterprises (SMEs), do not understand their obligations under the regulation. Unlike the GDPR, which imposes fines of up to €20 million or 4% of an organization’s annual global turnover, penalties under the NDPR have been inconsistently applied. Enforcement relies heavily on NITDA, which faces resource and capacity constraints. The absence of a central data protection authority creates confusion among regulatory bodies, diluting enforcement efforts. Many organizations operate with outdated systems and minimal cyber-security defenses, making them vulnerable to breaches despite regulatory requirements. Effective data protection requires collaboration between the government, private sector, and civil society. In Nigeria, this synergy is largely underdeveloped.

In the light of the significant operational gaps and other challenges confronting the National Data Protection Regulation (NDPR), it is less surprising that reports of data breaches and cyber-attacks are increasingly common, with many Nigerians falling victim to identity theft, financial fraud, and unauthorized surveillance. Such reports reveal a worrying trend of data breaches across sectors in Nigeria, underscoring public sector vulnerabilities, financial sector threats, healthcare data exposures, and private sector failures. For instance, a researcher uncovered an 8.8-severity breach involving the personal data of Konga customers in 2021, exposing sensitive information and raising concerns about e-commerce security in Nigeria. Over 500 Nigerian e-commerce platforms fell victim to Magecart syndicates, which deployed skimmers to steal customer payment data in 2022. According to Dr. Vincent Olatunji, Nigeria’s National Commissioner for Data Protection, several banks and institutions were fined over ₦200 million for violating citizens’ data privacy rights in 2023.

These examples highlight the vulnerabilities in Nigeria’s digital ecosystem and the risks faced by individuals and businesses alike. These breaches highlight systemic vulnerabilities and lax compliance with existing data protection regulations, all of which pose grave implications for personal security, business safety, and national security. The Nigeria Data Protection Act provides a legal framework to address these challenges through a number of measures including penalties for non-compliance, compensation for victims, mandatory reporting, and public awareness. From the foregoing, it is obvious that the Nigeria Data Protection Act offers a pathway to secure digital transformation as Nigeria strives to become a global leader in technology and innovation. Unfortunately, inadequate cyber-security frameworks, poorly trained personnel, and weak regulatory oversight have left both private and public institutions vulnerable.

The global landscape of data protection is shaped by stringent laws and standards designed to safeguard personal and sensitive information. From the European Union’s General Data Protection Regulation (GDPR) to the United States’ California Consumer Privacy Act (CCPA) and the Payment Card Industry Data Security Standard (PCI DSS), these frameworks highlight the priority placed on data security across the world. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most organizations conducting business in Canada, with clear requirements for obtaining consent, ensuring transparency, and safeguarding data. The States’ Health Insurance Portability and Accountability Act (HIPAA) enforces strict rules for protecting patient health information, with penalties for breaches ranging from $100 to $50,000 per violation.

As the digital economy continues to expand, safeguarding data has become a global priority, with regulatory bodies imposing stringent fines for violations. In 2024, several major fines and settlements highlighted the cost of non-compliance with data protection laws. These cases serve as a stark reminder of the importance of robust data security practices and the consequences of lapses. While the Nigerian Data Protection Commission (NDPC) has expressed intentions to tackle data breaches, it must transition from rhetoric to actionable measures, drawing inspiration from the exemplary enforcement steps taken by other countries in 2024. For instance, Meta faced the largest settlement of 2024, paying $1.4 billion to Texas for unlawfully capturing and using biometric data. This case underscores the importance of securing consent for biometric data and adhering to local data protection laws. The Irish Data Protection Commission fined LinkedIn for GDPR violations related to advertising practices, signaling the necessity for transparency in data usage, particularly in advertising. Uber was penalized for GDPR non-compliance, specifically for failing to protect driver data stored in the US. This case highlights the importance of international data transfer safeguards. Meta faced another fine for mishandling users’ passwords, demonstrating the importance of robust password security practices.

A healthcare provider – Lehigh Valley Health Network – settled for $65 million after a data breach exposed sensitive medical information. This emphasizes the critical need for security in healthcare data. Marriott’s settlement for a massive multi-year data breach highlights the necessity of ongoing vigilance in securing customer data in the hospitality industry. 23andMe, a biotech firm, agreed to a settlement after a major data breach in 2023, emphasizing the need for stringent data security in DNA and health-related services. T-Mobile faced penalties for multiple data breaches, signaling the importance of preventing repeat incidents through proactive security measures. A cloud data breach cost AT&T a $13 million settlement, reflecting the critical need for securing cloud-based storage systems. New York secured a settlement from insurance companies over a breach affecting 120,000 citizens, underlining the importance of protecting sensitive financial and personal data.

The financial penalties levied globally in 2024 illustrate the growing emphasis on protecting personal data and the significant consequences of failing to do so. Nigeria has the opportunity to strengthen its data protection framework by learning from global best practices and addressing its unique challenges. The creation of the Nigeria Data Protection Bureau (NDPB) in 2022 is a positive step, but its capacity must be bolstered. A well-funded, centralized authority with clear jurisdiction would ensure consistent enforcement and reduce overlaps. The NDPR should be updated to align with global frameworks like the GDPR and CCPA. This includes stricter penalties for non-compliance and comprehensive guidelines on breach reporting and consumer rights. A nationwide campaign to educate businesses and individuals about the importance of data protection is essential. Workshops, webinars, and public service announcements can help demystify data privacy regulations. While enforcement is critical, voluntary compliance can be incentivized through tax breaks, certifications, and public recognition for organizations that implement robust data protection measures.

Both public and private sectors must prioritize investments in modern cyber-security systems. This includes training personnel, upgrading infrastructure, and adopting advanced technologies like encryption and artificial intelligence. The government must foster collaboration with private entities, civil society, and international organizations. Partnerships can drive innovation, share best practices, and provide resources for effective enforcement. Citizens play a crucial role in ensuring data protection. By understanding their rights under the NDPR, Nigerians can hold organizations accountable and report breaches to the appropriate authorities. Digital literacy programmes should be prioritized to empower individuals to safeguard their personal information online. Failure to address data protection comprehensively has far-reaching implications. Data breaches erode consumer trust, disrupt businesses, and expose individuals to financial and identity fraud. Additionally, Nigeria risks losing opportunities to attract foreign investment if it cannot guarantee robust data protection.

The announcement by Vincent Olatunji, National Commissioner/CEO of the Nigeria Data Protection Commission (NDPC), outlining the Commission’s plans for stricter enforcement of the 2023 Nigeria Data Protection Act (NDPA), marks a significant step in addressing the persistent issue of data breaches in Nigeria. While the promise of “massive enforcement” and “heavy penalties” for defaulting data controllers and processors is commendable, the question remains: can the NDPC move beyond rhetoric to meaningful action? Nigeria’s digital economy has grown rapidly in recent years, making data protection a critical concern. From financial institutions to e-commerce platforms, various sectors handle vast amounts of sensitive personal data.

However, the landscape is rife with challenges, including insufficient compliance with data protection laws, a lack of public awareness about data rights, and limited enforcement of existing regulations. High-profile breaches, such as those involving Konga customers and the infiltration of over 500 Nigerian e-commerce platforms by cybercriminal syndicates, have underscored the urgency for action. Yet, despite these incidents, the NDPC has yet to issue significant fines or penalties, leaving many Nigerians skeptical about the effectiveness of the NDPA’s implementation.

The NDPC’s 2025 agenda represents a pivotal opportunity to reset the narrative. Olatunji’s assertion that data rights will be fully protected and violators will face strict consequences aligns with global best practices, where regulatory bodies have imposed substantial fines to ensure compliance. To translate its promises into action, the NDPC must focus on the following key areas including robust enforcement framework, capacity building, public awareness campaigns, collaboration with global bodies, and industry engagement. While the NDPC’s ambitions are laudable, several challenges could hinder their execution. Bureaucratic inefficiencies, inadequate funding, and potential resistance from powerful organizations may slow enforcement efforts. Additionally, the judiciary must be prepared to support the NDPC’s actions by adjudicating data protection cases promptly and fairly. Data protection is not just a legal requirement but a cornerstone of trust in the digital economy.

For Nigeria, a nation striving to attract foreign investment and foster technological innovation, ensuring robust data security is non-negotiable. The NDPC’s success will have far-reaching implications for personal privacy, business integrity, and national security. The NDPC’s announcement is a promising start, but Nigerians have heard similar commitments before. To earn public trust and establish itself as a credible regulator, the NDPC must back its words with decisive action. Heavy penalties for non-compliance, coupled with sustained public engagement and transparent processes, will demonstrate that the Commission is serious about protecting Nigerians’ data rights. The 2025 agenda is a defining moment for the NDPC. Nigerians, now more than ever, are counting on the Commission to deliver on its promise to safeguard their data in an increasingly digital world. The Federal Government’s commitment to imposing fines for data breaches is a step in the right direction, but it is not enough. A holistic approach is required, encompassing regulatory reform, public education, technological investment, and enhanced enforcement mechanisms. Protecting Nigerians from data breaches is not just a regulatory obligation; it is a moral and economic imperative. By building a resilient data protection ecosystem, Nigeria can safeguard its citizens, strengthen its economy, and position itself as a leader in digital innovation. The time for action is now.

.Agbedo, is a Professor of Linguistics, University of Nigeria Nsukka, and a Public Affairs Analyst