Nigeria NDPA AI Compliance: Section 38 Automated Decision Rights, Annual Audit Obligation, and NDPC Enforcement
Nigeria's Data Protection Act 2023 (NDPA), signed June 12, 2023, replaced the earlier NDPR 2019 and established comprehensive data protection administered by the Nigeria Data Protection Commission (NDPC). Section 38 grants data subjects the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects — including the right to human review, to contest, and to receive an explanation. The NDPA applies extraterritorially to any processing of Nigerian residents' personal data. Unique to Nigeria's framework: annual data protection audits are mandatory for Data Controllers of Major Importance (DCMIs) — entities processing personal data of 1,000+ data subjects in any 6-month period must register with NDPC, appoint a DPO registered with NDPC, and commission annual audits from NDPC-licensed DPCOs. Financial data, while not enumerated as sensitive, receives enhanced protection under NDPC guidance and CBN regulations. NDPC fines: up to 2% of annual gross revenue or NGN 10 million for first violations; up to 4% or NGN 20 million for severe or repeated violations. 72-hour breach notification required.
Nigeria NDPA Section 38: AI Automated Decision Rights
Section 38 applies to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significant impacts. Covered AI use cases: credit scoring, automated hiring screens, insurance underwriting, loan origination, clinical triage, and any decision producing a significant impact on the data subject's finances, health, reputation, or personal opportunities. For each covered decision, data subjects have: the right to request human review; the right to contest the decision; and the right to receive an explanation of the logic involved. AI teams must implement: human review escalation workflows for contested automated decisions; decision explanation mechanisms accessible to data subjects; and audit logs showing whether a decision was automated or human-reviewed. Section 38 is triggered by a similarly significant effect, a lower threshold than requiring a formal legal consequence from the automated decision. This means behavioral profiling at scale may fall within scope even without a formal decision output.
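An added example (not from the original article) of the three Section 38 controls listed above in one minimal Python module: an audit record that says whether a decision was automated or human-reviewed, a contest path that escalates to human review, and a mandatory explanation field. The class names, field names and the category set are assumptions for illustration, not NDPC-published terms.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed illustrative set of the article's significant-effect categories (not an NDPC list).
SIGNIFICANT_EFFECT_CATEGORIES = {"credit_scoring", "hiring_screen",
                                 "insurance_underwriting", "loan_origination", "clinical_triage"}

@dataclass
class DecisionRecord:
    decision_id: str
    subject_id: str
    category: str
    outcome: str
    explanation: str          # logic the data subject is entitled to request
    automated: bool = True    # set to False once a human has reviewed the decision
    status: str = "final"     # "final" or "pending_human_review"
    events: list = field(default_factory=list)   # the audit trail

    def log(self, event: str) -> None:
        self.events.append((datetime.now(timezone.utc).isoformat(), event))

    def section38_applies(self) -> bool:
        # rights attach while the decision is solely automated and has significant effect
        return self.automated and self.category in SIGNIFICANT_EFFECT_CATEGORIES

class DecisionLog:
    def __init__(self) -> None:
        self._records = {}

    def record_automated(self, decision_id, subject_id, category, outcome, explanation):
        if not explanation.strip():   # an empty explanation cannot satisfy Section 38
            raise ValueError("explanation of the decision logic is required")
        rec = DecisionRecord(decision_id, subject_id, category, outcome, explanation)
        rec.log("automated_decision_issued")
        self._records[decision_id] = rec
        return rec

    def contest(self, decision_id, subject_id):
        rec = self._records[decision_id]
        if rec.subject_id != subject_id:   # only the affected subject may contest
            raise PermissionError("contest must come from the affected data subject")
        rec.status = "pending_human_review"
        rec.log("contested_by_subject; escalated_to_human_review")
        return rec

    def human_review(self, decision_id, reviewer, outcome):
        rec = self._records[decision_id]
        rec.automated, rec.outcome, rec.status = False, outcome, "final"
        rec.log(f"human_review reviewer={reviewer} outcome={outcome}")
        return rec
```

The `events` list is the audit log an NDPC-licensed DPCO would expect to see when checking whether a contested decision actually reached a human.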
Nigeria's Annual DPCO Audit: The Distinctive NDPA Requirement
Nigeria's NDPA and NDPC implementing framework uniquely require annual data protection compliance audits for Data Controllers of Major Importance (DCMIs). DCMI status is triggered by processing personal data for 1,000 or more data subjects within any 6-month period — a threshold that most AI companies with Nigerian users easily meet. DCMIs must: (1) register with the NDPC before commencing processing; (2) appoint a Data Protection Officer registered with the NDPC; (3) commission annual audits from NDPC-licensed Data Protection Compliance Organisations (DPCOs); and (4) submit audit reports to the NDPC annually. Audits examine: processing activities documentation, lawful bases, data subject rights mechanisms, security controls, cross-border transfer safeguards, Section 38 automated decision compliance, and remediation of prior findings. Failure to commission or submit the annual audit is an independent NDPA violation, separate from any substantive processing violation. AI companies should identify NDPC-licensed DPCOs before entering the Nigerian market — the licensing requirement limits which audit firms can conduct NDPA-compliant audits.
Sensitive Personal Data and Lawful Basis for AI Processing
NDPA Section 30 defines sensitive personal data: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data processed for unique identification; health and medical data; sexual life or sexual orientation; criminal convictions and offences. For sensitive categories, only explicit consent, employment law obligations, vital interests, legal claims, public interest research, health care provision, or statutory exceptions are valid lawful bases — legitimate interests is not available. For ordinary personal data, legitimate interests is available with a documented balancing test. Nigerian financial data — bank accounts, transaction records — while not in Section 30, is treated as requiring enhanced protection under NDPC guidance and CBN financial data regulations. AI systems in fintech and healthcare combining sensitive categories with financial data should apply the stricter explicit consent standard to all processing. AI compliance programs must maintain consent records for sensitive data processing, with audit trails demonstrating the recorded consent and its scope.
Cross-Border Transfers for AI Infrastructure
NDPA Section 44 restricts cross-border transfers of Nigerian personal data. Permitted mechanisms: adequacy (NDPC-recognized adequate protection in the destination country — the NDPC has not yet published a comprehensive adequacy list, making contractual safeguards the practical default); contractual safeguards (binding corporate rules or standard contractual clauses with NDPA-equivalent obligations); informed consent (the data subject consents after being informed of the transfer risks); or contract performance (the transfer is necessary for a contract with the data subject). For AI companies using US, EU, or Asia-Pacific inference APIs, data processing agreements must meet NDPC standards. Transfer agreements must address Section 38 automated decision obligations — overseas inference providers must not use Nigerian personal data for secondary automated decision purposes without authorization. Until the NDPC publishes an adequacy list, AI companies cannot rely on adequacy and face uncertainty over which destinations will qualify.
NDPC Enforcement Priorities and Revenue-Based Penalties
The NDPC has been actively issuing compliance directives since 2024 with a focus on sectors with the largest AI-driven data processing footprints. Priority enforcement sectors: fintech (mobile money, digital lending, credit scoring), healthcare AI, employment platforms, and telecommunications. Penalty structure: up to 2% of annual gross revenue or NGN 10 million (whichever is greater) for first violations; up to 4% of annual gross revenue or NGN 20 million for severe or repeated violations; criminal penalties for obstructing NDPC investigations. The revenue-based model creates proportionally larger exposure for larger AI companies — a company with $10M annual revenue faces up to $400K USD in potential fines for severe violations. NDPC can also order processing suspension, mandate remediation, and publicly name violators. Breach notification: NDPA Section 43 requires NDPC notification within 72 hours of discovering a breach likely to risk data subjects' rights; high-risk breaches require data subject notification without undue delay.