How Nigeria's Data Protection Act 2023 (NDPA) applies to private AI — cross-border transfers, automated decision-making, registration obligations, and compliance steps.
Nigeria's Data Protection Act 2023 (NDPA) replaced the earlier NDPR framework with a comprehensive statutory data protection regime. The Nigeria Data Protection Commission (NDPC) enforces the Act, which establishes requirements for data processing across all sectors. If your AI system processes personal data of Nigerian residents, the NDPA applies.
The NDPA introduces several provisions that directly affect AI system design, especially around automated decision-making and cross-border data governance.
Personal data may be transferred outside Nigeria only where the destination provides adequate protection or where approved safeguards are in place — contractual protections, binding corporate rules, or statutory derogations such as explicit consent.
The NDPC has been active on this front, issuing guidance on adequacy assessments and transfer mechanisms. A private AI system running within Nigeria eliminates these considerations entirely. No transfer, no adequacy question, no contractual safeguard to draft and maintain.
Important: Even with local infrastructure, if your organisation is part of a multinational group and personal data flows exist for other business purposes (HR, finance), those transfers still need to comply independently.
The NDPA specifically addresses automated decision-making and profiling. Data subjects have rights around decisions made solely by automated means that produce legal effects or significantly affect them.
This is directly relevant to AI systems. If your private AI makes decisions about customers, employees, or citizens — credit assessments, hiring filters, benefit determinations — you need governance around how those decisions are made and a mechanism for human review.
Private AI systems make this easier to implement because you control the entire decision pipeline. You can log every automated decision, provide explanations, and build human-in-the-loop workflows directly into the system. Cloud AI APIs often provide less transparency into their decision logic, which makes compliance with the automated decision-making provisions (Section 40) harder.
Data Controllers and Data Processors of Major Importance (DCPMIs) are subject to registration, reporting, audit, and accountability requirements established by the NDPC. The Commission publishes guidelines on thresholds and reporting obligations.
Private AI systems support these obligations by giving you complete visibility into your processing activities. You can accurately report on what data your AI touches, where it's stored, who accesses it, and how it's processed — information that's harder to assemble when you rely on third-party AI services.
Private AI eliminates cross-border transfer compliance (ss. 47-52) and gives you full control to implement automated decision-making governance (s. 40). Registration and reporting obligations still apply, but private AI provides the visibility needed to satisfy them. The NDPA's automated decision-making provisions are a critical design consideration for any AI system — private or not.