Data Protection Enforcement: Understanding the Powers of Regulatory Authorities

Introduction

In an age where data fuels the digital economy, enforcement has emerged as the heartbeat of data protection. Without it, privacy rights are aspirational at best. In Nigeria, the Nigeria Data Protection Act (NDPA) 2023 gives real power to the Nigeria Data Protection Commission (NDPC) to hold companies accountable, impose penalties, and protect your customers’ rights.

This article breaks down the NDPC’s enforcement powers, illustrates them with recent enforcement actions, and highlights how Nigeria is gradually shifting from a compliance-on-paper culture to a compliance-in-practice model.

Statutory Basis for Enforcement

The NDPC derives its enforcement authority from the NDPA 2023. Specifically:

  • Section 6 empowers the Commission to “monitor, investigate and impose penalties with the provisions of the Act.” ¹
  • Section 48(4) authorizes the imposition of administrative fines—financial penalties that do not require court action—of up to ₦10 million or 2% of the data controller’s gross annual turnover, whichever is higher.²

These provisions grant the NDPC significant powers to ensure adherence to data protection principles.

Enforcement in Action: Recent Cases

Fidelity Bank Case: A Landmark Enforcement Action

In August 2024, the NDPC fined Fidelity Bank ₦555.8 million (approximately $358,580), representing 0.1% of the bank’s 2023 gross revenue, for violating data protection laws.³ The investigation, initiated in April 2023 following a customer’s complaint, revealed that Fidelity Bank processed personal data without informed consent, including the use of cookies and banking apps in violation of the law.⁴

This case marked the largest fine imposed by the NDPC at the time and underscored the Commission’s commitment to enforcing data protection regulations.

Meta Platforms Inc.: Joint Enforcement with FCCPC

In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC), in collaboration with the NDPC, fined Meta Platforms Inc. $220 million for violating consumer and data protection laws.⁵ The investigation concluded that Meta used Nigerian user data without consent, imposed exploitative privacy policies, and treated Nigerian users differently compared to other regions with similar regulations.⁶

This joint enforcement action highlighted the collaborative efforts between regulatory bodies to uphold data protection standards.

Beyond these cited cases, the NDPC has taken action against multiple organizations:

  • In June 2024, the Commission announced that four banks and three companies paid a combined ₦400 million in fines for data protection violations.⁷
  • Over 1,000 investigations have been conducted across various sectors, including financial institutions, schools, insurance companies, and consultancy firms, for breaches of citizens’ data.⁸

These actions demonstrate the NDPC’s proactive approach to ensuring compliance across different industries.

Powers Beyond Fines: How the NDPC Gets Results

The Commission’s ability to enforce the law depends greatly on its power to gather facts independently. Section 46 of the NDPA empowers the NDPC to conduct audits, investigations, and compliance assessments, either suo motu (on its own motion) or based on complaints⁹.

In practice, this includes:

  • Issuing data access notices,
  • Compelling the production of documentation,
  • Interviewing relevant officers,
  • Visiting premises where processing takes place¹⁰.

Corrective Powers: A Spectrum of Tools

While public focus often centres on fines, the NDPC’s enforcement toolkit includes several non-financial corrective measures:

  • Issuing warnings and reprimands;
  • Ordering the restriction or erasure of data¹¹;
  • Temporarily or permanently prohibiting processing¹²;
  • Suspending or conditioning data transfers¹³.

These tools allow the Commission to tailor enforcement responses based on the nature and severity of the violation.

Cooperation Beyond Borders

The NDPA anticipates the increasingly global nature of data flows. Section 41 empowers the NDPC to collaborate with foreign authorities, participate in joint investigations, and share enforcement intelligence under mutual assistance frameworks.

This is critical as more Nigerian platforms adopt cloud infrastructure and process data offshore. The NDPC has begun liaising with regional bodies like the Network of African Data Protection Authorities (NADPA-RAPDP) to harmonize enforcement standards and pursue transnational investigations¹⁴.

Notable Steps Toward Transparent Enforcement

Through mechanisms such as:

  • The Complaints Handling Procedure (2024),
  • The Data Controllers’ Registration Framework, and
  • The General Application and Implementation Directive (GAID) 2025,

the NDPC is steadily building a transparent enforcement architecture. These tools allow stakeholders to anticipate regulatory expectations, track complaint resolution timelines, and mitigate compliance risks before they escalate¹⁵.

Conclusion

The NDPA does more than codify data rights—it enforces them through the NDPC’s robust statutory powers. With investigations, penalties, corrective orders, and international cooperation on the rise, the era of passive data governance is ending.

Businesses must now treat data protection not as a back-office compliance task, but as a boardroom priority. As recent enforcement actions show, the NDPC is no longer just a policy body—it is Nigeria’s active data watchdog. The risks of non-compliance are real: legal, financial, and reputational.

Disclaimer: This article is intended for general information purposes only. It does not constitute legal advice. Organizations should seek tailored advice from a qualified legal professional to address specific compliance needs.

For further information or assistance with data protection compliance and advisory services, please contact the Lex Luminar team at support@lexluminar.com

Footnotes

  1. NDPA 2023, Section 6.
  2. NDPA 2023, Section 48(4).
  3. Reuters, “Nigerian data agency fines Fidelity Bank for breaches,” August 22, 2024. 
  4. BusinessDay NG, “NDPC fines bank N555.8 million over data privacy violations,” August 21, 2024. 
  5. Reuters, “Nigeria fines Meta $220 million for violating consumer, data laws,” July 19, 2024. 
  6. Ibid.
  7. Vanguard News, “Four banks, three companies pay N400m fine for data violation — NDPC,” June 12, 2024. 
  8. Nairametrics, “Seven firms pay N400 million to NDPC as sanction for data breach,” June 12, 2024. 
  9. NDPA 2023, s.46.
  10. Ibid, s.46(4).
  11. NDPA 2023, s.34(1)(d).
  12. Ibid, s.34(e).
  13. Ibid, s.41.
  14. NADPA-RAPDP 2024 Annual Report on Enforcement Cooperation, pp. 8–11.
  15. NDPA 2023, s.47, 48.