• Thursday, 18th December, 2025

Ethical Problems in AI and Digital Legislation in Nigeria (Part 2)

Nigeria | 5 months ago

Introduction 

The inaugural part of this treatise, was naturally introductory. We discussed AI and human rights; Ethics by design; AI’s capacity for systematic bias; Data subjects and Data controllers; its Evolution; Conceptual Origins; Early Aspirations and Technological Milestones – from automation to autonomy. This week’s feature explores the concept of digital identity in the Nigerian context; the Universality of Rights in a Technological Age; Data Sovereignty; Legal and Policy Transformation under the NDPA, 2023. We shall conclude with an analysis of enforcement Challenges and Sovereignty Implications. Enjoy.   

Understanding Digital Identity in the Nigerian Context

In a society where State legitimacy and public participation increasingly rely on digital infrastructure, the importance of a recognised, secure, and universally accepted digital identity system cannot be overstated. In Nigeria, this digitalisation drive is exemplified by the National Identity Management Commission (NIMC), and the roll-out of the National Identity Number (NIN). The NIN, a unique identifier assigned to every citizen, is now mandatory for access to numerous public and private services, from opening a bank account to acquiring a SIM card. While this system was conceived to promote security, administrative efficiency, and socio-economic inclusion, it has also raised significant legal and ethical questions around data privacy and equity.

Digital identity, by design, captures more than names and addresses. It encapsulates biometric data, demographic profiles, and behavioural patterns. Unlike analog records, digital identities are persistent, searchable, and if misused, are capable of facilitating unprecedented surveillance. The fact that digital identities are required to function within multiple systems means they are not only foundational to governance, but also vulnerable to misuse.

The rollout of the NIN system, while extensive, has not always been transparent or inclusive. In several rural and marginalised communities, infrastructural challenges have led to under-enrolment, effectively excluding vulnerable Nigerians from accessing essential services. The mandate requiring all SIM cards to be linked with NINs, resulted in millions of Nigerians being disconnected from mobile services due to non-compliance. Although framed as a security measure, critics argue that the policy veered dangerously close to coercion, raising questions about informed consent, especially among digitally illiterate populations.

A similar issue arose with the release of the NIMC Mobile ID App, which exposed sensitive personal data of individuals. As documented in the official NDPA 2023 Overview, this event served as a painful reminder of the consequences of launching national digital tools without adequate privacy assessments. The failure to conduct a proper Data Protection Impact Assessment (DPIA), a now mandatory requirement under Section 28 of the Nigeria Data Protection Act, 2023, illustrates how gaps in governance can lead to direct violations of constitutional privacy rights.

The danger in these practices is not just technical, it is ethical. When individuals cannot opt out of digital systems that control access to rights and services, identity ceases to be a tool of empowerment and becomes one of coercion. This erosion of autonomy is antithetical to both Nigerian constitutional principles, and the broader human rights frameworks that Nigeria is party to.

The Universality of Rights in a Technological Age

Human rights are universal and indivisible, meaning that they apply equally to all individuals regardless of race, gender, nationality, or context, and that no right is inherently superior to another. Yet, the application of these rights in an era of AI-driven technologies requires careful interpretation and, at times, doctrinal innovation.

AI does not exist in a legal vacuum. It interacts with existing rights such as:

* The right to privacy (Article 12 UDHR; Article 17 ICCPR);

* The right to non-discrimination (Articles 2 and 7 UDHR);

* The right to freedom of expression (Article 19 UDHR, Article 19 ICCPR); and

* The right to an effective remedy (Article 8 UDHR).

The key challenge lies not in defining new rights, but in applying these long-standing rights to new contexts in which technologies mediate relationships between individuals, States, and corporations.

Digital Rights as Human Rights

The growing discourse around digital rights, reflects an attempt to re-articulate classical human rights in response to technological disruption. While not enshrined in a single binding treaty, digital rights are increasingly recognised in international jurisprudence and soft law instruments. These include:

* The UN Guiding Principles on Business and Human Rights (UNGPs), which place a duty on private tech companies to respect human rights;

* The European Convention on Human Rights (ECHR), as interpreted by the European Court of Human Rights in landmark cases on surveillance and data retention; and

* Regional charters such as the African Charter on Human and Peoples’ Rights, which have begun to address the intersection of technology and fundamental freedoms.

AI-driven violations – ranging from algorithmic discrimination to opaque decision-making – undermine the enjoyment of rights in subtle but systemic ways. A rights-based approach to AI regulation, therefore, demands proactive safeguards that anticipate harm, rather than simply reacting to it after the fact.

Data Sovereignty: Who Owns Nigerian Data?

With the rapid expansion of national digital infrastructure across Nigeria, a far more pressing issue has risen to the fore: the question of who truly owns and governs the data that powers this infrastructure. As digital systems increasingly underpin the delivery of public services, financial transactions, education platforms, health records, and national security functions, data becomes not only a technical asset, but a core element of State power. Data sovereignty means that data generated within a country’s borders is governed by that nation’s laws and regulatory frameworks; this ensures local control over data access, storage, and usage. It has become a critical aspect of national policy and governance. In Nigeria, this issue has grown increasingly complex, particularly in light of the pervasive presence of foreign cloud providers, offshore data processors, and international technology firms that collect, process, and sometimes export Nigerian user data without clear or enforceable jurisdictional frameworks.

Foreign digital platforms have historically played a central role in the Nigerian data ecosystem, either as providers of essential services like email, storage, and analytics, or as developers of social media and financial applications used daily by millions of Nigerians. While these platforms often promise global connectivity and technical sophistication, they also introduce serious risks. Data generated within Nigeria is frequently routed through foreign servers, stored in jurisdictions with significantly different privacy protections, and subjected to external political and commercial interests. This dislocation of Nigerian data is what scholars term extraterritorial data flow which raises serious questions about control, privacy, and national security. The potential misuse of this data, whether for commercial exploitation, surveillance, or even geopolitical leverage, makes the issue of domestic data governance all the more urgent.

Legal and Policy Transformation Under the NDPA 2023

Until recently, Nigeria’s response to the challenge of data governance was anchored in the Nigeria Data Protection Regulation (NDPR) 2019, a document that represented the country’s first serious attempt to outline data protection principles. Although ambitious in intent, the NDPR lacked statutory legitimacy and binding legal authority. It was enforced through an administrative agency, the National Information Technology Development Agency (NITDA), which did not possess the institutional muscle or legal foundation to compel adherence, particularly among foreign-owned technology firms and large domestic entities. Moreover, the regulation was undermined by inconsistent compliance reporting, weak auditing mechanisms, and an overall lack of public awareness. As a result, the NDPR, despite its foundational role, functioned more like a policy placeholder than a comprehensive legislative solution.

The Nigeria Data Protection Act (NDPA) 2023, however, marked a decisive departure from this earlier, fragmented approach. By repealing the NDPR and replacing it with a statutory regime, the NDPA elevated data protection to a matter of national sovereignty and legislative importance. At the core of the Act, is the recognition that personal data is not merely an individual right but a collective national asset, something that demands regulation in line with Nigeria’s development priorities, cultural context, and constitutional principles. The Act establishes the Nigeria Data Protection Commission (NDPC) as an independent regulatory body with clear statutory powers to issue binding decisions, investigate infractions, sanction non-compliance, and develop guidance frameworks for both private and public actors. This institutional reform, for the first time, gives Nigeria a coherent and enforceable data governance framework rooted in law, rather than agency-issued regulation.

One of the NDPA’s most transformative provisions is its regulation of cross-border data transfers, detailed in Sections 41 to 43. According to these provisions, personal data may only be transferred outside of Nigeria if the receiving country offers an adequate level of data protection, if there exists a binding agreement to uphold Nigerian standards, or if the data subject has provided explicit and informed consent. This clause responds directly to longstanding criticisms that sensitive Nigerian data has often been offshored to jurisdictions with weak regulatory frameworks, where it is vulnerable to unauthorised access and misuse. By setting stringent requirements for international data flow, the NDPA not only strengthens national data control, but also aligns Nigeria with global best practices such as the European Union’s General Data Protection Regulation (GDPR), albeit adapted for local conditions.

Enforcement Realities and Sovereignty Implications

Despite the NDPA’s progressive legal architecture, enforcement remains a critical bottleneck. Nigeria’s current digital infrastructure does not yet offer the forensic or technical capability to systematically track how and where data flows once collected, especially when it enters complex multinational systems. Many Government Ministries, departments, and agencies (MDAs) continue to rely on foreign vendors for software development, cloud hosting, and even cybersecurity services. This reliance has directly contributed to the underutilisation of Nigeria’s expanding data infrastructure, despite over $220 million in investments spread across approximately 11 data centres nationwide. These centres, which require between $10 million and $20 million to establish depending on their Tier classification, are currently operating at less than 30% capacity. While private telecom operators and ICT firms have made significant strides in hosting their data locally, the public sector expected to champion data localisation has instead intensified capital flight by outsourcing sensitive information storage to foreign countries, including Israel, Ukraine, the United Kingdom, and the United States. (To be continued).

THOUGHT FOR THE WEEK

“Technology, through automation and artificial intelligence, is definitely one of the most disruptive sources”. (Alain Dehaze)

Related Articles

Founded on January 22, 1995, THISDAY is published by THISDAY NEWSPAPERS LTD., 35 Creek Road Apapa, Lagos, Nigeria with offices in 36 states of Nigeria , the Federal Capital Territory and around the world. It is Nigeria’s most authoritative news media available on all platforms for the political, business, professional and diplomatic elite and broader middle classes while serving as the meeting point of new ideas, culture and technology for the aspirationals and millennials. The newspaper is a public trust dedicated to the pursuit of truth and reason covering a range of issues from breaking news to politics, business, the markets, the arts, sports and community to the crossroads of people and society.

Helpful Links

Contact Us

You can email us at: hello@thisdaylive.com or visit our contact us page.