Nigeria's Data Protection Crisis Alarms CSOs Over Vulnerable Data
A coalition of civil society organisations (CSOs) has issued a stark warning about the vulnerability of Nigerians’ personal data, despite existing data protection laws. The group argues that while Nigeria has built one of Africa’s largest digital identity databases, it has failed to adequately safeguard the information it collects.

A Gap Between Law and Enforcement

In a statement titled Protected From the State, Not By It: Nigeria’s Data Protection Crisis Is a Crisis of Implementation, the coalition highlighted a significant gap between legislative intent and practical enforcement. The core argument is simple: Nigeria collects data aggressively but protects it poorly, leaving citizens at a disadvantage from the start.

121 Million Records, Still Exposed

As of June 2025, the National Identity Management Commission (NIMC) had enrolled over 121 million Nigerians, building a massive digital identity database. The Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Commission (NDPC) were meant to safeguard this information, but recent incidents suggest otherwise.

The CSOs point to reports of unauthorized disclosure of voter registration data from the Independent National Electoral Commission (INEC) database. Investigations have also uncovered sensitive identity records, including National Identification Numbers (NINs), being sold online for as little as ₦100.

Why Public Institutions Avoid Scrutiny

According to the coalition, a major part of the problem is that data protection laws apply unevenly. The NDPA mandates compliance audits for private entities, yet public institutions, which hold the largest volumes of citizen data, face no comparable scrutiny.

The coalition put it plainly: When the regulator’s own data is not safe, no citizen’s data is.

This same imbalance extends to state surveillance. Programs are expanding without a comprehensive legal framework, clear surveillance limits, independent oversight, or required human rights impact assessments before deployment. Compounding this, provisions from the Cybercrimes Act continue to be used against journalists, bloggers, and social media users, even after a 2022 ECOWAS Court of Justice ruling declared aspects of Section 24 arbitrary.

Citizens Caught in the Middle

The result is a system where citizens are simultaneously “under protected from data abuse and over exposed to state monitoring and punishment,” as the CSOs describe it. Personal information is collected aggressively, but the protections meant to secure it remain demonstrably inadequate.

This asymmetry is eroding public trust in digital governance. Citizens have little assurance that their data is safe from misuse, unauthorized access, or unlawful surveillance.

What the CSOs Are Demanding

The coalition has issued a clear set of demands to the Federal Government. They want stronger enforcement of the NDPA, with public institutions held to the same compliance standards as private organizations. They are also calling for the publication of findings from investigations into alleged breaches involving government databases.

Additional demands include an independent oversight framework for surveillance systems, an amendment to Section 24 of the Cybercrimes Act in line with the ECOWAS Court ruling, and stronger accountability mechanisms across all public institutions that handle citizen data.

Without these reforms, the CSOs warn, public trust will continue to erode.

Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates

RELATED ARTICLESMORE FROM AUTHOR