Navigating the AI Frontier: Why Nigeria is Rewriting Its Data Protection Act for the...

The world is in the midst of a technological transformation unlike any it has experienced before. Artificial intelligence (AI), machine learning, robotics, big data analytics, and emerging autonomous systems are rapidly changing the way societies function, how businesses operate, and how governments deliver services. Algorithms now influence decisions that affect employment opportunities, access to credit, healthcare outcomes, educational prospects, and even the information citizens encounter online. As technology increasingly becomes embedded in every aspect of human life, legal and regulatory frameworks around the world are struggling to keep pace.

Nigeria is no exception. In June 2026, as the country marked the third anniversary of the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Commission (NDPC) announced plans to initiate a comprehensive review of the legislation to address the challenges posed by artificial intelligence, robotics, and other emerging technologies. The move reflects a growing recognition that while the NDPA 2023 represented a significant milestone in Nigeria's digital governance journey, the rapid evolution of technology demands a more nuanced and future-oriented legal framework.

The enactment of the NDPA in 2023 was rightly regarded as a watershed moment for privacy regulation in Nigeria. The legislation established a comprehensive framework for the processing of personal data and elevated the country's standing among jurisdictions that have adopted modern data protection regimes. It introduced important principles relating to lawfulness, fairness, transparency, accountability, purpose limitation, and data minimisation, while also establishing the Nigeria Data Protection Commission as the central authority responsible for enforcing data protection obligations.

However, the technological environment in which the NDPA was enacted has evolved significantly. The law was designed primarily for a digital ecosystem in which data is collected, processed for specific purposes, stored, and eventually deleted. Artificial intelligence systems, particularly modern generative AI models, operate in an entirely different manner. They ingest enormous amounts of data, identify patterns and correlations, and embed information into complex neural networks comprising millions or even billions of parameters. In such systems, data is not simply stored in a database but transformed into mathematical representations that may become difficult, if not impossible, to isolate or erase.

This reality exposes fundamental questions that existing data protection laws struggle to answer. Can a data subject exercise the right to be forgotten once their personal information has contributed to the training of an AI model? How can an individual correct inaccurate information that has been integrated into a machine learning system? Who bears responsibility when an autonomous system makes a discriminatory or harmful decision? These questions highlight the growing tension between traditional privacy frameworks and the emerging realities of artificial intelligence.

The issuance of the General Application and Implementation Directive (GAID) 2025 represented an important effort to strengthen the operational framework of the NDPA. The Directive introduced structured compliance mechanisms, including tiered classifications for Data Controllers and Processors of Major Importance, mandatory audit requirements, and enhanced governance obligations such as the appointment of Data Protection Officers and the conduct of Data Protection Impact Assessments and Legitimate Interest Assessments. The GAID significantly improved the practical implementation of data protection obligations in Nigeria and consolidated various compliance requirements into a unified framework.

Yet, despite these achievements, the Directive remains largely anchored in a traditional understanding of data processing. It assumes a relatively linear lifecycle in which information is collected, processed for predetermined purposes, and eventually deleted. Artificial intelligence systems, however, do not operate within such straightforward parameters. They continuously evolve, learn from data, and generate new insights and inferences. Consequently, the current framework offers limited guidance on issues such as algorithmic accountability, automated decision-making, the secondary use of data for AI training, and the rights of individuals affected by algorithmic systems.

At the centre of this regulatory challenge lies the issue of data itself. Modern AI systems are powered by enormous quantities of information, much of which consists of behavioural data generated through people's interactions with digital services. Every online search, click, purchase, location signal, and social media interaction contributes to a digital footprint that can be analysed and utilised to train increasingly sophisticated algorithms. Generative AI models, in particular, often rely on vast datasets compiled through the scraping of publicly available information and other digital content.

This practice raises significant legal questions under the NDPA. The Act requires that personal data be processed on the basis of a valid legal ground, including consent or legitimate interests. Yet obtaining informed and specific consent from millions of individuals whose information may be scraped for AI training purposes is practically impossible. Relying on legitimate interests presents its own difficulties, as it requires a balancing exercise between the commercial objectives of AI developers and the privacy rights of individuals. Whether the economic benefits of developing powerful AI systems can justify the extensive use of personal information without explicit consent is a question that regulators around the world are still grappling with.

The stakes become even higher when one considers the growing use of algorithmic profiling and automated decision-making systems. Artificial intelligence increasingly influences decisions in sectors such as finance, healthcare, insurance, education, and public administration. Credit scoring algorithms determine who qualifies for loans and at what interest rates. Recruitment software screens job applicants and identifies suitable candidates. Predictive analytics systems assist healthcare professionals in diagnosing diseases and recommending treatments.

While these technologies offer substantial efficiencies and benefits, they also carry significant risks. Many AI systems operate as "black boxes," producing outcomes that are difficult for even their developers to explain fully. Individuals subjected to automated decisions often have little understanding of how those decisions were reached, what data was considered, or how they can challenge an adverse outcome. In the absence of adequate safeguards, algorithms can perpetuate historical biases, reinforce discriminatory practices, and create new forms of exclusion.

As Nigeria considers reforming its data protection framework, it has the advantage of learning from the experiences of other jurisdictions. The European Union has developed one of the world's most sophisticated digital regulatory frameworks through instruments such as the Digital Services Act, the Digital Markets Act, and the Artificial Intelligence Act. These regulations impose obligations relating to algorithmic transparency, systemic risk assessments, and the protection of minors, while establishing heightened responsibilities for dominant digital platforms.

The United States has adopted a more fragmented approach, combining federal initiatives focused on national security and innovation with state-level legislation addressing issues such as algorithmic discrimination, consumer privacy, and child safety. Singapore, on the other hand, has pursued a pragmatic and innovation-friendly model centred on co-regulation, technology neutrality, and privacy-preserving solutions. Its approach to age assurance and digital safety offers particularly valuable lessons for jurisdictions seeking to balance child protection with privacy rights.

Certain sectors in Nigeria deserve special attention as the country revisits its data protection laws. The healthcare sector increasingly relies on AI-driven diagnostics, genomic analysis, and biometric technologies. These innovations have the potential to revolutionise healthcare delivery but also involve the processing of highly sensitive personal information. An amended legal framework should require enhanced oversight and rigorous audits for AI systems operating in the health sector, ensuring that algorithms are tested for bias and that training datasets accurately reflect the diversity of the Nigerian population.

The financial services sector presents another compelling case for reform. Nigeria's thriving fintech industry relies heavily on automated systems for credit assessment, fraud detection, and behavioural profiling. While these technologies have expanded financial inclusion and improved service delivery, they also carry the risk of creating self-reinforcing cycles of exclusion if left unchecked. Individuals denied loans or subjected to adverse financial decisions by automated systems should have the right to receive meaningful explanations and to request human review of such decisions.

The protection of children in digital spaces has also emerged as a major policy concern. Educational technology platforms and social media services increasingly collect vast amounts of behavioural data from minors. Although the NDPA contains provisions relating to the processing of children's data, the emergence of AI-driven platforms and conversational systems creates new challenges that require more targeted intervention. The law should provide stronger safeguards against behavioural profiling and targeted advertising directed at children while ensuring that privacy notices and disclosures are communicated in a manner that children can understand.

One of the most complex issues in this regard concerns age verification. Digital platforms need reliable methods to determine whether users are minors, particularly when providing access to potentially harmful or age-inappropriate content. Traditional approaches that require individuals to upload identity documents create significant privacy risks by encouraging the widespread collection and storage of sensitive information. The solution increasingly lies in privacy-enhancing technologies that can verify age without requiring individuals to surrender unnecessary personal data.

Technologies such as on-device age estimation, cryptographic zero-knowledge proofs, and adaptive verification systems offer promising alternatives. These approaches allow platforms to establish whether a user satisfies an age threshold without collecting excessive personal information or creating large repositories of sensitive identity data. They demonstrate that privacy and child safety need not be competing objectives but can instead be pursued simultaneously through thoughtful technological design.

Looking beyond immediate challenges, Nigeria's lawmakers must also prepare for the emergence of Artificial General Intelligence and increasingly autonomous frontier systems. The country's next generation of data protection laws must be sufficiently flexible and forward-looking to govern technologies that may not yet exist. This will require a shift from purely principles-based regulation towards more specific obligations relating to algorithmic accountability, transparency, and risk management.

Among the reforms deserving consideration are mandatory algorithmic impact assessments for high-risk AI systems, the establishment of a specialised registry for frontier AI models, and the expansion of the existing Data Protection Compliance Organisation framework to include algorithmic and AI safety auditing. Nigeria should also consider developing a sovereign training data commons that would provide legally compliant and culturally representative datasets to support the development of indigenous AI systems and reduce reliance on foreign data sources.

The proposed review of the Nigeria Data Protection Act represents a defining moment in the country's digital evolution. It offers an opportunity to create one of Africa's most forward-looking and technologically sophisticated regulatory frameworks, one capable of protecting fundamental rights while simultaneously encouraging innovation and economic growth.

Artificial intelligence is transforming societies at an unprecedented pace. The laws that govern data and digital rights must evolve just as quickly. The challenge for Nigeria is not simply to regulate today's technologies but to build a legal framework capable of adapting to tomorrow's innovations. If approached thoughtfully, the forthcoming reforms could position Nigeria as a continental leader in digital governance and demonstrate that technological advancement and the protection of human rights are not competing priorities but mutually reinforcing objectives in the age of algorithms and Artificial General Intelligence.