Skip to main content
NOPE
In Effect Law Data Protection Context Relevance

Nigeria NDPA

Nigeria Data Protection Act 2023

Nigeria's comprehensive data protection law. Section 37 restricts automated decisions. Age of consent 13+ with "where feasible" verification. 72-hour breach notification.

Jurisdiction

Nigeria

NG

Enacted

Jun 12, 2023

Effective

Jun 12, 2023

Enforcement

Nigeria Data Protection Commission (NDPC)

Who Must Comply

This law applies to:

  • Data controllers/processors in Nigeria
  • Foreign entities processing Nigerian residents' data

Who bears obligations:

Data ControllerData Processor

Safety Provisions

  • Section 37: Restrictions on solely automated decisions; right to human intervention
  • Section 30: Sensitive data (health, children) requires explicit consent
  • Section 31: Children's data requires parental consent; age 13+ with verification "where feasible"
  • Section 40: 72-hour breach notification to NDPC
  • Section 43: DPIA for high-risk processing

Enforcement

Enforced by

Nigeria Data Protection Commission (NDPC)

Penalties

NGN 10M or 2% revenue (whichever higher)

Max fine: $10,000,000
Revenue %: 2%

Up to NGN 10M (~$6,500) or 2% revenue for major controllers.

Quick Facts

Binding
Yes
Mental Health Focus
Yes
Child Safety Focus
Yes
Algorithmic Scope
Yes

Why It Matters

Largest African population (~220M). "Where feasible" age verification signals regulatory expectation.

What You Need to Comply

You need: explicit consent for health data; parental consent for under-13s; age verification "where feasible"; human review; 72-hour breach notification.

NOPE can help

Cite This

APA

Nigeria. (2023). Nigeria Data Protection Act 2023. Retrieved from https://nope.net/regs/ng-ndpa

BibTeX

@misc{ng_ndpa,
  title = {Nigeria Data Protection Act 2023},
  author = {Nigeria},
  year = {2023},
  url = {https://nope.net/regs/ng-ndpa}
}

Related Regulations

In Effect ZM Data Protection

Zambia DPA

Zambia's comprehensive data protection law with special protections for vulnerable persons and DPIA requirements for high-risk processing.

In Effect BW Data Protection

Botswana DPA

Botswana's modernized data protection law requiring Data Protection Impact Assessment and establishing age 16 for consent.

In Effect SC Data Protection

Seychelles DPA

Seychelles' modern data protection law requiring DPO for large-scale processing and recognizing Cross-Border Privacy Rules certification.

In Effect RW AI Safety

Rwanda AI Policy

First African country to adopt comprehensive national AI policy. Establishes Responsible AI Office (RAIO) under MINICT. Implements RURA ethical guidelines covering beneficence, non-maleficence, autonomy, justice, explicability, transparency. Non-binding framework.

In Effect INTL Child Protection

UNICEF AI for Children

Most specific international guidance on children and AI. Ten requirements for child-centered AI including development/wellbeing support, data/privacy protection, and safety.

In Effect NP AI Safety

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

Back to all regulations Check if this applies to you