Introduction
The digital age has transformed the way we live, work, and communicate. Artificial Intelligence (AI) is changing the way we collect, utilise, and share personal data. From facial recognition to chatbots, AI systems rely on large amounts of personal information. These tools are invaluable in areas such as healthcare, banking, and government services. But they also raise serious legal questions – especially about privacy, consent, and accountability.
For many African countries, including Nigeria, the primary challenge is striking a balance between the benefits of the digital age and AI and the protection of people’s privacy and rights. This article examines emerging trends, challenges to data protection, current developments in Africa, and potential solutions to close the gaps.
How AI Affects Data Protection
AI systems need data—lots of it. The more data AI systems get, the smarter they become. But many of these systems:
- Group people based on behaviour and personal traits (profiling),
- Guess sensitive things like someone’s religion or health condition,
- Make decisions without human input, sometimes in ways we can’t explain¹.
This creates a problem because it doesn’t align well with basic privacy principles, such as obtaining consent, using data for a clear purpose, and ensuring data accuracy.
Emerging Trends in Data Protection
- Increasing Use of Cloud Computing and Cross-Border Data Flows
Cloud services allow businesses to store and process data remotely, often in multiple countries². This has expanded the reach of data beyond national borders, making regulation and enforcement more complex and challenging. Companies rely on global cloud providers, which increases the risks associated with cross-border data transfer and compliance with local laws and regulations.
- Growth of Internet of Things (IoT) Devices
IoT devices—such as smart home appliances, fitness trackers, and connected cars—generate vast amounts of personal data³. These devices are often poorly secured, raising concerns about unauthorised access to sensitive data.
- Adoption of Privacy-Enhancing Technologies (PETs) and Privacy-Preserving Technologies (PPTs)
Privacy-enhancing technologies (PETs) and Privacy-Preserving Technologies (PPTs) are rapidly becoming key tools for safeguarding personal data while enabling its secure use⁴. These technologies include encryption, anonymization, pseudonymization, and secure computation methods that limit the exposure of sensitive information.
For instance, differential privacy techniques allow organizations to extract valuable insights from data without compromising individual identities⁵. Homomorphic encryption enables data processing on encrypted data, reducing the risk of data leakage during computation⁶. In Nigeria and the broader African context, awareness and implementation of PETs remain limited but growing, constrained by technical expertise and infrastructure challenges⁷. The greater adoption of these technologies can enhance compliance with the Nigeria Data Protection Act and align with international data protection standards.
What’s Happening in Africa?
Across Africa, AI is being used more and more:
- Kenya utilises AI in mobile loan apps to determine who receives loans⁸.
- South Africa uses AI in hospitals for early disease detection⁹.
- Ghana used AI-powered cameras during COVID-19¹⁰.
However, most African countries don’t have strong laws or clear rules on how AI should handle personal data¹¹. A 2023 study by The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) found that less than a third of African countries have legal tools to control the risks of AI¹². Nigeria is making progress, but we still have a long way to go.
In 2023, the Nigerian government launched the Artificial Intelligence Research Scheme to support local AI projects¹³. However, our main data protection law—the Nigeria Data Protection Act (NDPA) 2023—does not deal directly with many of the problems AI creates.
Challenges Facing Data Protection
- Consent and Transparency
AI systems can be complex to understand. The NDPA states that people must provide explicit and informed consent before their sensitive data is used¹⁴. But how can someone agree to something they don’t fully understand?
For example, users may interact with a chatbot without realising that their voice, location, and chat history are being recorded and shared to train AI systems.
Legal risk: If people don’t fully understand how their data is being used, their consent may not meet the standards in Section 26 of the NDPA¹⁵.
- Sending Data Abroad and AI Training
AI companies often move data between countries to train their systems. This means Nigerian data might be stored or used outside the country, beyond the NDPC’s reach.
The NDPA allows cross-border transfers but only if the receiving country has similar protections¹⁶. However, it’s hard to track how AI systems collect or use Nigerian data once it’s overseas. For example, facial images shared on global platforms might end up in international AI training datasets.
Legal implication: Nigeria lacks tools to monitor or stop the misuse of local data by foreign AI systems¹⁷.
- Legal and Regulatory Gaps
Many countries, including Nigeria, are still adapting their legal frameworks to address new digital realities. While the Nigeria Data Protection Act (NDPA) 2023 provides a solid foundation, some areas require strengthening to keep up with emerging technologies¹⁸.
For example, the law needs more explicit rules on data portability, consent in AI contexts, and enforcement mechanisms for cross-border data flows.
- Data Breaches and Cybersecurity Threats
With more data stored online, cyberattacks and data breaches are rising sharply worldwide¹⁹. Nigerian organizations have experienced significant breaches, exposing sensitive personal information to hackers. Many organizations lack adequate cybersecurity infrastructure and incident response plans.With more data stored online, cyberattacks and data breaches are rising sharply worldwide¹⁹. Nigerian organizations have experienced significant breaches, exposing sensitive personal information to hackers. Many organizations lack adequate cybersecurity infrastructure and incident response plans.
- Enforcement and Awareness
Although laws exist, enforcement remains a challenge due to limited resources and expertise at regulatory agencies like the NDPC²⁰. Additionally, many data subjects do not fully understand their rights or how to exercise them.
Solutions and Best Practices
- Strengthen Legal Frameworks
- Amend the NDPA to address emerging technologies, including AI, IoT, and blockchain.
- Introduce more explicit rules on data portability and consent management.
- Enhance Regulatory Capacity
- Provide training and funding to the NDPC to improve enforcement.
- Develop specialized technical units for cybersecurity and AI oversight.
- Promote Public Awareness
- Launch nationwide campaigns to educate citizens on data rights.
- Encourage businesses to adopt transparent data practices and establish clear, comprehensive privacy policies that are easily accessible and understandable.
4. Foster Regional Cooperation
- Collaborate with African Union initiatives on data protection harmonization.
- Participate in international forums to share best practices and influence global standards.
Conclusion
Data protection in the digital age is complex and fast-changing. Nigeria and other African countries stand to benefit significantly from digital technologies—but only if privacy and data rights are safeguarded.
By updating laws, building regulatory expertise, and educating the public, Nigeria can establish a data protection environment that fosters innovation while upholding fundamental rights. This balance will be key to promoting trust and enabling sustainable digital growth in the years ahead.
This article is intended for informational purposes only. It does not constitute legal advice and should not be relied upon for that purpose. Data protection laws are subject to change and may affect different entities differently. We recommend consulting a qualified legal professional for advice specific to your circumstances.
For further information or assistance with data protection compliance and advisory services, please contact the Lex Luminar team at support@lexluminar.com
Footnotes
- Algorithmic systems are often described as “black boxes” due to their lack of transparency and explainability.
- Cloud Security Alliance, “Cross-Border Data Flows in the Cloud Era,” 2022.
- Gartner, “IoT Data Explosion: What It Means for Privacy,” 2023.
- Pew Research Center, “Public Attitudes Toward Privacy and Data Protection,” 2021.
- OECD, “Privacy-Enhancing Technologies: The Road to Trustworthy AI,” 2023.
- Harvard Business Review, “How Differential Privacy Protects User Data,” 2022.
- IBM Research, “Homomorphic Encryption: Unlocking Data Privacy,” 2021.
- Mwalili, P., “Digital Lending in Kenya: Legal Concerns in Use of Credit Scoring AI,” African Law Tech Journal, 2022.
- South African Department of Health, “AI Pilot for Early Detection of Lung Cancer,” 2023.
- Ghana Health Service, “Surveillance Strategy during COVID-19,” 2020.
- Global Data Protection Index (Africa Chapter), 2023.
- CIPESA, “AI and Privacy in Africa: Emerging Risks and Regulatory Responses,” 2023.
- NITDA, “Nigeria AI Research Scheme Announcement,” 2023.
- NDPA 2023, Section 26 – Conditions for consent.
- NDPA 2023, Sections 24–25 – Lawful processing and transparency.
- NDPA 2023, Section 41 – International data transfers.
- European Commission, “The Artificial Intelligence Act,” 2021 (adopted in 2024).
- World Bank, “Digital Privacy and Protection in Africa: Opportunities and Challenges,” 2023.
- Section 40, Nigeria Data Protection Act (NDPA), 2023.
- NDPC Annual Report, 2024.