‘Adequate protection’: an analysis of Nigeria’s data protection laws within an emerging global data protection framework




Adewumi, Adekunle

Journal Title

Journal ISSN

Volume Title



The implementation of the European Union’s General Data Protection Regulation in 2018 appeared to be the catalyst for several countries to take data protection seriously, owing to concerns about transborder data flow restrictions, and has resulted in the global expansion of data protection laws. One of such countries is Nigeria, whose National Information Technology Development Agency (NITDA) introduced the Nigerian Data Protection Regulation (NDPR) in 2019. Nigerians are becoming more aware of the need to protect their personal data, and while the NDPR fulfils the need for a data protection law, it does not automatically mean that personal data of data subjects is adequately protected within Nigeria. Due to the lack of internationally binding data protection agreements, determining what constitutes an “adequate” data protection framework is challenging. The GDPR currently maintains the highest data protection standard and provides an assessment criterion in Article 45(2) for determining whether countries outside the EU have adequate data protection frameworks. In this regard, I assess how “adequate” Nigeria's data protection framework is in terms of the GDPR assessment criteria in Article 45(2). The Nigerian case is then compared to the Canadian data protection framework, which has received an adequacy decision from the EU. Based on this comparison, I make recommendations that, if implemented, will lay the groundwork for a data protection regime that meets the needs of Nigerian data subjects.



Data Protection, GDPR, Nigeria