June 26, 2026

Abstract
The Nigeria Data Protection Commission (NDPC), in a press release dated June 26, 2026, reinforced its commitment to strengthening data controller accountability and outlined critical compliance imperatives under the Nigeria Data Protection Act (NDPA) 2023. The Commission emphasized the evolving landscape of data protection, particularly concerning emerging technologies like Artificial Intelligence (AI) and the complexities of cross-border data transfers. This directive signals an intensified regulatory focus on proactive compliance, robust data governance frameworks, and the diligent exercise of the duty of care by all entities processing personal data within Nigeria or of Nigerian residents. Practitioners must advise clients to review and update their data protection policies, especially regarding breach notification protocols and international data transfer mechanisms, to align with the NDPC's stringent enforcement posture.
Introduction
On June 26, 2026, the Nigeria Data Protection Commission (NDPC) issued a significant press release, reiterating its unwavering commitment to fostering a culture of accountability and robust data protection within Nigeria's burgeoning digital economy. This announcement comes at a pivotal time, as businesses increasingly leverage advanced technologies and engage in global data flows, thereby amplifying the complexities and risks associated with personal data processing. The NDPC's statement underscores the regulator's proactive stance in ensuring that data controllers and processors not only adhere to the letter of the Nigeria Data Protection Act (NDPA) 2023 but also embody its spirit through demonstrable duty of care and ethical data stewardship.
The press release, building on recent engagements and pronouncements, serves as a crucial reminder for legal practitioners and compliance officers of the NDPC's intensified focus on enforcement and the need for continuous adaptation to regulatory expectations. It highlights key areas of concern, including the responsible deployment of emerging technologies and the stringent requirements governing cross-border data transfers. This article will delve into the implications of the NDPC's latest directive, providing a comprehensive analysis of the prevailing legal framework, recent enforcement trends, and practical steps for ensuring compliance in an increasingly regulated environment.
Background
The foundation of Nigeria's contemporary data protection regime is the Nigeria Data Protection Act (NDPA) 2023, which came into effect on June 12, 2023. This landmark legislation replaced the Nigeria Data Protection Regulation (NDPR) 2019, providing a comprehensive statutory framework for safeguarding the fundamental rights and freedoms of data subjects. A cornerstone of the NDPA 2023 is the establishment of the Nigeria Data Protection Commission (NDPC) as the primary independent regulatory authority. The NDPC is vested with extensive powers, including monitoring, investigating, conducting audits, issuing enforcement orders, imposing administrative fines, and developing sector-specific guidelines.
Further operational clarity was provided by the General Application and Implementation Directive (GAID), issued by the NDPC on March 20, 2025. The GAID superseded the NDPR 2019 and its implementation framework, streamlining compliance obligations and introducing classifications for Data Controllers and Processors of Major Importance (DCPMI). These entities, defined by criteria such as processing personal data of over 200 data subjects within six months or operating in critical economic sectors, face enhanced compliance requirements, including mandatory registration with the NDPC and annual filing of Compliance Audit Returns (CARs). The NDPC's mandate extends to promoting data processing practices that secure personal data, protecting data subjects' rights, and strengthening the legal foundations of Nigeria's digital economy.
Analysis
The NDPC's June 26, 2026 press release, aligning with its recent pronouncements at the West Africa Convergence Conference (WACC) 2026, reinforces the 'duty of care' principle for data controllers and processors. This principle, embedded in the NDPA 2023, mandates organizations to implement appropriate technical and organizational measures to ensure the security and protection of personal data. The Commission's emphasis on accountability signifies a shift towards a 'compliance-in-practice' model, moving beyond mere paper compliance. This is evidenced by the NDPC's history of imposing substantial administrative fines, such as the ₦766.2 million penalty against Multichoice Nigeria and the $220 million fine against Meta Platforms for data privacy violations and illegal cross-border data transfers.
A critical aspect highlighted by the NDPC is the responsible integration of emerging technologies, particularly Artificial Intelligence (AI), robotics, and big data. The Commission has acknowledged the need to review the NDPA 2023 to specifically address the regulatory challenges posed by these advancements, moving beyond generic references. This signals that while the NDPA provides a broad framework, future regulations or amendments will likely introduce more granular requirements for AI governance, algorithmic transparency, and data ethics, especially concerning automated decision-making and profiling, which are already subject to data subject rights under the NDPA.
Furthermore, the press release implicitly reinforces the stringent requirements for data breach notifications and cross-border data transfers. Under Section 40 of the NDPA 2023, data controllers are obligated to notify the NDPC of a personal data breach within 72 hours of becoming aware of it, particularly if the breach is likely to pose a risk to the rights and freedoms of data subjects. Failure to adhere to this strict timeline is considered an aggravating factor in penalty calculations. Similarly, cross-border data transfers remain a highly regulated area. The NDPA and GAID prohibit such transfers unless the recipient country ensures an adequate level of data protection, an adequacy decision is issued by the NDPC, approved Cross-Border Data Transfer Instruments (CBDTIs) are in place, or other lawful bases, such as explicit data subject consent after being informed of risks, are established. The NDPC has indicated that the framework for adequacy determinations is still developing, making appropriate contractual safeguards the most practical route for many organizations.
The NDPC's ongoing engagement with various sectors, including finance, telecoms, and hospitality, to develop tailored data privacy frameworks, also indicates a sector-specific approach to compliance. This suggests that while the NDPA and GAID provide general principles, organizations should anticipate and prepare for industry-specific guidelines that may introduce additional obligations or clarify existing ones, particularly for those classified as Data Controllers or Processors of Major Importance.
Conclusion
The NDPC's June 26, 2026 press release serves as a clear signal that data protection compliance in Nigeria is entering a phase of heightened scrutiny and enforcement. Legal practitioners must proactively advise their clients, especially those classified as Data Controllers or Processors of Major Importance, to conduct thorough internal audits of their data processing activities. This includes reviewing existing data protection policies, privacy notices, and consent mechanisms to ensure full alignment with the NDPA 2023 and the GAID 2025. Particular attention should be paid to the robustness of data breach response plans, ensuring that the 72-hour notification window can be met, and that mechanisms for notifying affected data subjects are in place.
Furthermore, organizations engaged in cross-border data transfers must re-evaluate their transfer mechanisms, prioritizing appropriate safeguards like contractual clauses in the absence of formal adequacy decisions. Given the NDPC's stated intent to review the NDPA for emerging technologies, clients should also be advised to monitor regulatory developments concerning AI, robotics, and big data, and to adopt a 'privacy by design' approach in the development and deployment of new technologies. The era of passive data governance is over; continuous compliance, demonstrable accountability, and a proactive duty of care are now non-negotiable for operating successfully within Nigeria's evolving data protection landscape.
Citations
- 1.Nigeria Data Protection Act 2023
- 2.Nigeria Data Protection Commission General Application and Implementation Directive 2025