
Every time an app instantly approves or declines your loan, a machine has silently made a decision about you. It has scored you, profiled you, and ruled on your request, often without any human involvement. Under Nigeria’s Data Protection framework, this is already regulated. And the rules are about to get significantly stricter. The Nigeria Data Protection Commission (NDPC) has announced a review of the Nigeria Data Protection Act (NDPA) 2023, specifically targeting the use of artificial intelligence, robotics, and big data. For Nigerian businesses and consumers, this is one of the most significant regulatory shifts in the country’s digital economy in years.

The Nigeria Data Protection Commission (NDPC) has announced plans to review the Nigeria Data Protection Act (NDPA) 2023, specifically addressing the challenges posed by artificial intelligence, robotics, and big data. This announcement was made in Abuja in June 2026, marking three years since the Act was enacted. The regulator highlighted that when the law was initially written, it could only reference “emerging technologies” in vague terms. Today, AI is central to almost every aspect of our lives – the regulations need to catch up and regulate it directly.

This is one of the most significant regulatory developments for Nigeria’s digital economy in years. Here is what this means for businesses and ordinary Nigerians.

Why AI is No Longer “Out of Scope”

It is a common misconception that Nigeria lacks regulations for AI. But that is not true. In fact, regulations do exist; they are simply framed in broader terms.

At the foundation of these regulations is Section 37 of the 1999 Constitution, which guarantees every citizen the right to privacy regarding their person, home, correspondence, and communications. Data protection laws serve as the modern vehicle that enforces this fundamental right.

The NDPA 2023 builds upon this foundation. Section 37 of the NDPA is particularly significant for AI, granting individuals the right not to be subjected to decisions based solely on automated processing, including profiling, when those decisions carry legal or significant consequences. There are exceptions, such as consent, contractual agreements, or statutory provisions. However, even in these cases, individuals maintain the right to request human intervention, express their viewpoints, and contest outcomes.

When we layer in Section 25 (which requires a lawful basis for processing personal data), Section 27 (which mandates that individuals be informed about automated decision-making and profiling), and the requirement for a Data Protection Impact Assessment before engaging in any high-risk processing, it becomes clear that AI, machine learning, and big data analytics are already subject to stringent regulations in Nigeria. The upcoming review will simply clarify and enhance this framework.

Enforcement Actions: NDPC Fines Fidelity Bank ₦555.8 Million

Despite this regulatory clarity, enforcement data shows that some businesses still treat compliance as an afterthought.

In August 2024, the NDPC imposed a ₦555.8 million fine on Fidelity Bank for processing customer data without proper consent – the largest fine issued by the Commission at that time. Around the same period, Meta faced a $220 million penalty from the FCCPC, in collaboration with the NDPC, for mishandling Nigerian users’ data. MultiChoice Nigeria was also sanctioned ₦766.2 million in a separate incident.

And it is not just large corporations that are under scrutiny. The NDPC has been targeting numerous digital lending apps that harvested borrowers’ contacts and photos, subsequently shaming defaulters by broadcasting embarrassing messages to everyone in their phonebook. These cases highlight the serious human implications behind the legal language.

Under Section 48 of the NDPA, a data controller of substantial importance may be penalised up to ₦10 million or 2% of its annual gross revenue, whichever is greater. A clearer and more targeted AI-specific law will only broaden the regulatory scope.

Implications for Your Business

If your organisation employs AI to evaluate credit, screen resumes, target advertisements, detect fraud, recommend products, or analyse customer behavior, know that stricter, more targeted regulations are coming.

Anticipate tighter rules surrounding algorithmic profiling, enhanced consent standards, mandatory impact assessments for high-risk AI applications, and an increased emphasis on meaningful human oversight – the regulator has stressed that machines should not be left to make all decisions independently. Businesses that delay action until the final amendments are made will find themselves scrambling to comply. In contrast, those that are well-prepared now can turn compliance into a competitive advantage and a strong trust signal to customers and investors.

How OAL Can Help You Stay Ahead

For businesses navigating this shifting landscape, preparation now is far less costly than remediation later.

Our technology and data protection team assists organisations across various sectors, including fintech, telecommunications, healthcare, e-commerce, and public services, to prepare effectively: from conducting data protection audits and gap assessments to drafting privacy policies and AI governance frameworks. We also provide Data Protection Impact Assessments, structure lawful consent processes, train your staff and Data Protection Officers, and represent your interests in dealings with the NDPC. We decode complex regulations into straightforward, actionable decisions you can implement.

Connect with OAL’s data protection and technology team today. Let us review your AI and data systems before the regulator does, and embed data protection practices that your clients, investors, and regulators can see and trust.


This article is for general information only and does not constitute legal advice. For guidance on your specific circumstances, please consult OAL directly.