Resolving Data Protection Disputes: Understanding the Legal Framework

Introduction

In an increasingly digital Nigeria, protecting personal data has become critical. But when things go wrong—like a data breach or misuse of personal information—what options do individuals or businesses have to resolve disputes? This article simplifies the legal framework governing data protection disputes in Nigeria, providing practical guidance for navigating it effectively.

The Nigerian data protection regime, fortified by multiple laws and regulations, empowers individuals and authorities to address privacy violations. At its core is the Nigeria Data Protection Act 2023 (NDPA)¹, which enshrines the constitutional right to privacy and outlines the rights of data subjects and the obligations of data controllers and processors. The NDPA 2023 establishes the Nigeria Data Protection Commission (NDPC) as the new regulatory authority, further strengthening the protection of personal data.

This article examines the legal framework governing data protection in Nigeria, highlighting common disputes, the role of the NDPC, enforcement mechanisms, and providing practical guidance for stakeholders.

The Major Players in Data Dispute Resolution

The leading player is the Nigeria Data Protection Commission (NDPC), established under the Nigeria Data Protection Act (NDPA) 2023. The NDPC is empowered to investigate complaints, enforce the law, and even impose sanctions².

But it doesn’t stop there. Other players include:

• The Federal High Court, while the Federal High Court does not have a dedicated data protection docket, it does have jurisdiction over data protection matters where they involve the interpretation of federal law or actions by federal institutions — including the NDPC ³;
• Alternative Dispute Resolution (ADR) channels, encouraged by both the NDPA and emerging sectoral directives⁴.

Other Relevant Laws

• The Constitution of the Federal Republic of Nigeria (1999) guarantees the right to privacy in Section 37.
• Cybercrimes (Prohibition, Prevention, etc.) Act 2015: Addresses offences related to computer systems and data.
• Freedom of Information Act 2011: Provides public access to information held by public institutions.

Common Types and Sources of Data Protection Disputes

Data protection disputes in Nigeria often arise from:

• Unauthorized Access or Disclosure: Unauthorized sharing or exposure of personal data.
• Lack of Consent: Processing personal data without obtaining valid consent.
• Data Breaches: Security incidents that result in the compromise of personal data.
• Inadequate Data Security Measures: Failure to implement appropriate technical and organizational measures.
• Cross-Border Data Transfers: Transferring personal data to countries without adequate data protection laws.

Role of the Nigeria Data Protection Commission (NDPC)

The NDPC serves as the regulatory authority for data protection in Nigeria, with responsibilities including:

• Monitoring Compliance: Ensuring adherence to data protection laws and regulations.
• Investigating Complaints: Probing alleged violations and enforcing corrective measures.
• Issuing Guidelines: Providing directives and best practices for data controllers and processors.
• Imposing Sanctions: Levying fines and penalties for non-compliance.

Individuals can file complaints directly with the NDPC if they believe their rights under the NDPA have been violated⁵. The process is administrative and can result in:

• Orders to delete or correct data;
• Monetary penalties;
• Mandatory changes to data handling practices⁶.

The Frank Ijege v NDPC case offers an example. The complainant alleged that a fintech company had unlawfully disclosed his personal data. The NDPC investigated, found a breach, and issued corrective orders⁷. This case exemplified the Commission’s ability to act swiftly and independently without requiring court involvement.

Seeking Judicial Redress: Going to Court

Beyond regulatory actions, Nigerian courts have played a pivotal role in affirming data privacy rights and providing individuals with avenues to seek redress.

Case Study: Miss Folashade Molehin v. United Bank for Africa Plc

In May 2024, the Federal High Court ruled in favour of Miss Molehin, who sued UBA for opening a domiciliary account in her name without consent. The court held that UBA’s actions violated her data privacy rights under Section 37 of the Nigerian Constitution and the NDPA. Consequently, the court awarded her ₦7.5 million in general damages⁸.

Under Section 37 of the Nigerian Constitution, every Nigerian has the right to privacy⁹. The NDPA expands this by providing a statutory right to seek redress in court if data rights are violated¹⁰.

Judicial redress is particularly useful when:

• The harm is severe or affects business operations;
• Administrative remedies are inadequate;
• A party wants a binding declaration or damages.

ADR as a Modern Pathway

While not yet prevalent, ADR mechanisms such as mediation and arbitration are gaining traction in resolving data protection disputes, particularly in sectors where confidentiality and swift resolution are crucial. The NDPC encourages organisations to incorporate ADR clauses in their data processing agreements, promoting amicable settlements and reducing the need for litigation.

The NDPC’s framework and the General Application and Implementation Directive (GAID) 2025 strongly encourage Alternative Dispute Resolution (ADR) in data protection disputes¹¹. Mediation, negotiation, and arbitration are being adopted in:

• Contractual data-sharing disputes;
• Employer-employee data breach matters;
• Inter-corporate data transfers.

ADR offers distinct benefits:

• Privacy: Sensitive data disclosed in open court;
• Speed: Disputes are resolved faster than in litigation;
• Flexibility: Parties can craft tailored solutions to meet their specific needs.

Compliance and Dispute Avoidance Tips for Organizations

Disputes are often preventable. Here’s what data controllers and processors should do:

• Maintain clear consent records and lawful processing grounds¹²;
• Respond promptly to data subject access requests (DSARs);
• Document internal procedures for breach response;
• Train staff on NDPA obligations and dispute management;
• Include ADR clauses in data processing agreements¹³.

Practical Guidance and Policy Insights

For Businesses:

1. Register and prepare for audit: Determine if you’re a controller of significant importance and register with NDPC. Then, Keep records of consent, assessments, and investigations ¹⁴.
2. Appoint a DPO: Essential for major controllers; train staff as well¹⁵.
3. Embed privacy by design: Secure systems, minimize data collection, and log access.

For Individuals:

1. Know your rights and exercise them: The NDPA grants rights to access, rectify, delete, and object to the use of your data. Use the NDPC complaint portal or sue if your rights are violated¹⁶.
2. Report breaches: Notify NDPC within 72 hours if individual rights are at risk¹⁷.
3. Be vigilant and Vet vendors: Read privacy notices; report suspicious activity. Use NDPA-compliant data processing agreements ¹⁸.

Conclusion

A combination of administrative, judicial, and alternative dispute resolution mechanisms governs data protection disputes in Nigeria. Understanding when to engage each dispute resolution mechanism—and how to prepare—is vital for protecting rights and avoiding penalties. With enforcement on the rise and the legal framework maturing, now is the time for both individuals and businesses to take proactive steps.

This article is intended for informational purposes only. It does not constitute legal advice and should not be relied upon for that purpose. Data protection laws are subject to change and may affect different entities differently. We recommend consulting a qualified legal professional for advice specific to your circumstances.

For further information or assistance with data protection compliance and advisory services, please contact the Lex Luminar team at support@lexluminar.com

Footnotes

1. NDPA 2023, Section 4(1).
2. NDPA 2023, Sections 5 and 6
3. Constitution of the Federal Republic of Nigeria 1999 (as amended), Section 37.
4. GAID 2025, Article 25(5)
5. NDPA 2023, Section 46.
6. Nigeria Data Protection Regulation 2019, Part 2.1
7. Frank Ijege v Nigeria Data Protection Commission (2024), NDPC Complaint File No. 004/2024.
8. Reinforcing Protection of Data Privacy Rights in Nigeria: A Review of the Federal High Court Decision in the Case of Miss Folashade Molehin v United Bank for Africa Plc,” Lawyard.
9. Constitution of Nigeria, Section 37.
10. NDPA 2023, Section 50.
11. GAID 2025, Clause 25(5); NDPC Annual Report 2024.
12. NDPA 2023, Sections 26.
13. Standard Data Processing Agreement Template (NDPC, 2024), Clause 12.
14. NDPA, s.44, s.42
15. NDPA, s.32
16. NDPA, ss.34, 36
17. NDPA, s.40
18. NDPC Awareness Campaign Materials (2024–2025)