The Nigeria Data Protection Act (NDPA) of 2023 establishes comprehensive data protection requirements with specific scope and applicability provisions. The Act applies to the processing of Personal Data whether conducted by automated means or not.

Material Scope

Primary Applicability

The Act covers any operation performed on Personal Data including collection, recording, organization, structuring, and storage, whether through automated or non-automated means. However, the mere transit of data originating outside Nigeria through Nigeria is excluded from the definition of "Data Processing."

Key Exemptions

The Act does not apply in the following cases:

• Processing solely for personal or household purposes, provided it does not violate fundamental privacy rights
• Criminal investigation activities
• Public health emergencies
• National security matters
• Journalistic, educational, or literary purposes when in the public interest
• Legal proceedings (commencement or defense)

Territorial Scope

The Act applies in three specific scenarios:

• Data Controllers or Processors domiciled in, resident in, or operating in Nigeria
• Data Processing taking place within Nigeria
• Non-Nigerian Data Controllers or Processors who process Personal Data of Data Subjects located in Nigeria

Cross-Border Considerations

The Act demonstrates broad extraterritorial authority by covering any processing of Nigerian data subjects' personal data by controllers or processors not established in Nigeria, regardless of the nature of processing. This differs from frameworks like the GDPR, which includes specific targeting criteria.