Olumide Babalola
Background
While facilitating one of the sessions at the just-concluded ECOWAS Data Governance Knowledge Exchange in Dakar, Senegal, yesterday, 30th July 2025, a statement was made on the purported ‘repeal’ of the Nigeria Data Protection Regulation 2019 (NDPR) by the NDPA General Application and Implementation Directive (GAID), and I thought to pen my thoughts on this misconception that is now becoming dangerously rife.
In February 2025, the Nigeria Data Protection Commission (NDPC) issued the General Application and Implementation Directive (GAID) to provide interpretive guidance and administrative direction for implementing the Nigeria Data Protection Act (NDPA) 2023. One of the most misunderstood provisions of this directive is Article 3(3), which states: “Upon the issuance of the GAID, the Commission shall cease to apply the Nigeria Data Protection Regulation (NDPR) 2019 as a legal instrument for regulating data privacy and protection…”
This provision has expectedly triggered intense discussions in privacy and regulatory circles. Some stakeholders have interpreted this as a repeal of the Nigeria Data Protection Regulation (NDPR) 2019, while others argue that it merely reflects an administrative decision by the Commission. This article examines whether Article 3(3) of the GAID can be construed as repealing the NDPR and clarifies its implications under Nigerian law.
1. The Nature of the GAID and the NDPR
The NDPR 2019 was issued by the National Information Technology Development Agency (NITDA) as subsidiary legislation under its enabling Act. It was, until the enactment of the NDPA 2023, the major dedicated regulatory instrument for data protection in Nigeria. However, in a bid to provide clarity on some provisions of the NDPA, the NDPC released the GAID 2025 as a directive, issued under Sections 61–62 of the NDPA 2023, to guide stakeholders on the implementation of the Act. Unlike the NDPR, the GAID arguably does not purport to be a legislative instrument but rather an administrative guideline with interpretive effect.
2. What Article 3(3) Actually Says
The controversial text reads: “Upon the issuance of the GAID, the Commission shall cease to apply the Nigeria Data Protection Regulation (NDPR) 2019 as a legal instrument for regulating data privacy and protection…” Two key phrases require attention: (a) “shall cease to apply”, which suggests a decision by the NDPC to stop enforcing or using the NDPR in its regulatory activities; and (b) “as a legal instrument for regulating data privacy and protection”, which qualifies the cessation strictly in the context of regulation by the Commission. It must be noted that at no point does Article 3(3) use the word “repeal” or imply that the NDPR is legally invalidated.
3. Why Article 3(3) Does Not Amount to a Repeal
(a) Cessation of Application ≠ Repeal
Under Nigerian law, a repeal renders legislation null, void, and of no legal effect, either expressly or by necessary implication. In Mozie v State (2012) LPELR – 14353 (CA), the court held that to repeal a law means: “Abrogation of an existing law by legislative act; To make (a law) no longer valid; To annul a law.” Further, in Aje Printing (Nig.) Ltd. v. Ekiti L.G.A. (2021) 13 NWLR (Pt. 1794) 498, the court noted that: “Where a statute is repealed, it is deemed obliterated completely (except to transactions past and closed) as if it had never been enacted as a law that had never existed.”
Can it then be said that the GAID has abrogated or annulled the NDPR? Article 3(3) simply states that the Commission will no longer apply the NDPR. This is a policy and enforcement decision, not a legislative act. The NDPR remains valid and extant subsidiary legislation unless expressly repealed or set aside by a court of competent jurisdiction. Thus, while the Commission may no longer rely on it for enforcement, the NDPR continues to exist within Nigeria’s body of subsidiary laws.
(b) Nigerian Law on Repeal
Under Nigerian law, the repeal of legislation, principal or subsidiary, must be express, especially because the courts will not presume such repeal. On how to repeal a piece of legislation, the court in KLM Airlines v. Kumzhi (2004) 8 NWLR (Pt. 875) 231 held that: “A repeal of a statute must be done by clear words or language in a subsequent statute. Consequently, the court will not presume that a statute has been repealed.” Since the GAID does not expressly repeal the NDPR, lacks the language of repeal (“is hereby repealed”), and does not derive its authority from a legislative mandate to annul existing subsidiary legislation, it is, in my opinion, almost impossible to make such an argument.
4. Implications of Article 3(3)
According to the NDPC, it will now regulate data protection primarily under the NDPA and GAID, no longer relying on the NDPR as an enforcement tool. However, it will be interesting to see what its disposition would be to a controller under investigation which seeks to rely on a provision of the NDPR in its defence. It must be noted that other agencies, tribunals, or courts are not bound by the NDPC’s internal policy decision to ignore the NDPR in their regulatory strides. Where the circumstances demand, they may still cite or apply the NDPR, especially where the relevant provisions are contained only in the NDPR.
5. Conclusion
Article 3(3) of the GAID does not repeal the NDPR 2019. It merely reflects the NDPC’s administrative decision to discontinue using the NDPR as a regulatory instrument in light of the comprehensive framework provided by the NDPA 2023 and GAID 2025. Until expressly repealed by a competent authority or replaced through legislative action, the NDPR remains part of Nigeria’s body of subsidiary laws. This distinction is vital to avoid misinterpretation and to ensure proper legal continuity in Nigeria’s evolving data protection regime.