A COALITION of civil society organisations has warned that Nigerians’ personal information remains vulnerable to abuse despite existing data protection laws.
In a statement titled “Protected From the State, Not By It: Nigeria’s Data Protection Crisis Is a Crisis of Implementation,” the group said Nigeria developed one of Africa’s largest digital identity databases but failed to adequately protect the information it collects.
The coalition, comprising Media Rights Agenda (MRA), Paradigm Initiative (PIN), Digital Rights Lawyers Initiative (DRLI), Accountability Lab Nigeria, PROMAD Foundation, DigiCivic Initiative and others.noted that the National Identity Management Commission (NIMC) had enrolled more than 121 million Nigerians as of June 2025, while the country also operates under the Nigeria Data Protection Act (NDPA) 2023 and a dedicated Nigeria Data Protection Commission (NDPC).
However, the organisations argued that these safeguards failed to translate into meaningful protection for citizens.
According to the group, recent incidents involving alleged unauthorised access to sensitive government databases have exposed weaknesses in oversight and accountability mechanisms.
They cited reports surrounding the disclosure of voter registration information from the Independent National Electoral Commission (INEC) database and investigations that uncovered the online sale of sensitive identity records, including National Identification Numbers (NINs), for as little as ₦100.
“When the regulator’s own data is not safe, no citizen’s data is. A government that cannot protect its citizens’ data should, at minimum, be cautious about how aggressively it collects and deploys it. Nigeria has done the opposite. Under the NDPA, data controllers are required to undergo compliance audits filed with the NDPC, an obligation enforced against private entities even as public institutions, the largest holders of citizens’ data, face no comparable scrutiny,” the coalition stated.
The organisations also expressed concern about the expansion of state surveillance programmes, arguing that Nigeria lacked a comprehensive legal framework governing public surveillance systems.
They said existing laws did not clearly define the limits of surveillance, provide independent oversight, or require human rights impact assessments before such systems are deployed.
The coalition further criticised the continued use of provisions of the Cybercrimes Act against journalists, bloggers and social media users, despite a 2022 judgment by the ECOWAS Court of Justice declaring aspects of Section 24 of the law arbitrary and repressive.
According to the group, Nigeria’s data governance system currently places citizens in a vulnerable position where personal information is aggressively collected but inadequately protected.
“This is the asymmetry at the heart of the crisis: citizens are under-protected from data abuse and over-exposed to state monitoring and punishment,” the CSOs said.
They called on the Federal Government to strengthen enforcement of the Nigeria Data Protection Act, ensure public institutions are subjected to the same compliance requirements as private organisations, and publish the findings of investigations into alleged breaches involving government databases.
The coalition also urged authorities to establish an independent oversight framework for surveillance systems, amend Section 24 of the Cybercrimes Act, in line with the ECOWAS Court ruling, and strengthen accountability mechanisms across public institutions handling citizens’ data.
It warned that public trust in digital governance would continue to erode unless citizens are assured that their personal data is protected from misuse, unauthorised access and unlawful surveillance.
Nurudeen Akewushola is an investigative reporter and fact-checker with The ICIR. He believes courageous in-depth investigative reporting is the key to social justice, accountability and good governance in society. You can reach him via nyahaya@icirnigeria.org and @NurudeenAkewus1 on Twitter.

