The Avoidable Conflict Between Certificates of Registration and the GAID, Both Issued by the Nigeria Data Protection Commission: An Imminent Need for Regulatory Clarification

By Olumide Babalola, PhD

Penning this article has given me a strong feeling of déjà vu. I have written on this subject matter twice before, first in February 2024 and again in December 2024. Yet here I am, compelled to return to it once more. Some of the very issues I raised two years ago remain unresolved, and new contradictions have since emerged, threatening to undermine the clarity and consistency that the Nigeria Data Protection Commission (NDPC) ought to project.

It is not a pleasant thing to keep writing about the same regulatory confusion. But as a stakeholder in Nigeria’s data protection ecosystem, I believe it is my duty to speak up, not out of malice, but out of a genuine desire for regulatory clarity, fairness, and the rule of law.

A Brief Recap: My February 2024 Article
In February 2024, I published an article titled “We are all controllers and processors of major importance”: My Brief Comments on the NDPC’s Guidance Notice on the registration of controllers and processors of major importance. That piece was published on The Nigeria Lawyer blog and can be found at: https://thenigerialawyer.com/we-are-all-controllers-and-processors-of-major-importance-my-brief-comments-on-the-ndpcs-guidance-notice-on-the-registration-of-controllers-and-processors-of-major-importan/

In that article, I expressed my concerns about the overly broad scope of the Guidance Notice. I argued that the categories of controllers and processors covered by the Notice were so ridiculously wide that they appeared to capture virtually every person or entity processing data in Nigeria, unless such persons had no need for accountability at all. I concluded with the following words:

“While I sympathise with the NDPC on their necessary revenue drive, they need to avoid all forms of desperation and unjustifiable means towards achieving their imposed target. The categories of controllers or processors covered are ridiculously wide to cover everyone processing data in Nigeria except such persons do not need accountability. As things stand, the Guidance Notice requires further clarification or explanatory notes from the NDPC to clarify the uncertainty surrounding who is covered and who is not.”

I must commend the NDPC for taking feedback seriously. To their credit, the Commission reviewed some portions of the Notice in response to concerns raised by stakeholders. That is what a responsive and responsible regulator should do. However, as I shall demonstrate in this article, a new and perhaps even more fundamental error has surfaced, one that sits squarely on the face of the certificate of registration issued to controllers of major importance.

The Problem: An Expiry Date on a “One-Off” Registration
Upon a careful examination of the certificate of registration issued by the NDPC to data controllers and processors of major importance, one cannot help but notice the presence of an expiration date, otherwise referred to as a validity period. On its face, this means that a holder of such a certificate would be required to renew or reapply for registration after the stated period elapses.

At first glance, this expiry date may not appear to be a serious problem. Many regulatory certificates have validity periods. But the trouble begins when one reads this certificate side by side with the General Application Implementation Directive (GAID) issued by the NDPC in 2025.

For the avoidance of doubt, let me reproduce Article 9(2) of the GAID in full:

“A data controller or a data processor in the category of UHL or EHL shall register once and shall only be required to file CAR annually.”

The language here is unambiguous. It states in clear and simple terms that registration for data controllers in the categories of Ultra-High Level (UHL) and Extra-High Level (EHL) is a one-off event. Once registered, they are not required to renew their registration. The only ongoing obligation is the annual filing of a Compliance Audit Report (CAR).

So here lies the conflict: The GAID (a document issued by the NDPC to guide controllers on how to observe the provisions of the Nigeria Data Protection Act (NDPA) 2023) says registration is once and for all. But the certificate of registration, also issued by the same NDPC, carries an expiry date that suggests the opposite.

This is not a mere typographical oversight. It is a substantive contradiction that creates legal uncertainty for regulated entities. A data controller who reads the GAID will reasonably believe that they need to register only once. But when they receive their certificate and see an expiry date, they will be confused. Must they renew? Will there be additional fees? Is the GAID still valid? Or has the Commission silently departed from its own guidance?

Why This Conflict Matters
Some might be tempted to dismiss this as a minor administrative error. But I respectfully disagree. This conflict matters for several important reasons:

First, it undermines regulatory predictability. Data controllers and processors need to plan their compliance budgets and timelines. If the NDPC says one thing in its guidance and does another in its certificates, businesses cannot confidently plan for the future.

Second, it creates a potential legal quagmire. If a data controller relies on Article 9(2) of the GAID and chooses not to renew their registration after the expiry date on their certificate, could the NDPC penalise them for operating without a valid registration? The answer is unclear and that uncertainty itself is a problem.

Third, it erodes trust in the regulator. The NDPC is still a young Commission, finding its footing under the new NDPA 2023. To build trust, it must speak with one voice. Its guidance documents, certificates, and enforcement actions must be consistent. When they contradict each other, stakeholders begin to wonder: does the Commission know what it is doing?

Fourth, it imposes unnecessary costs on regulated entities. If controllers are forced to renew their registration annually, contrary to the clear provision of the GAID, that translates into additional compliance costs. These costs will ultimately be passed on to data subjects or absorbed by businesses, many of which are still recovering from challenging economic conditions.

The GAID’s Purpose and Authority
It is important to recall what the GAID is and why it matters. The preamble to the GAID states that it was issued to guide data controllers and processors on the observance of the provisions of the NDPA 2023. In other words, the GAID is not a mere suggestion. It is a regulatory instrument issued by the Commission to provide binding guidance on how to interpret and comply with the law. When the GAID says that registration is one-off, that carries regulatory weight. Data controllers are entitled to rely on that statement. Therefore, when the NDPC issues a certificate that directly contradicts its own GAID, the Commission creates a conflict that only it can resolve.

A Call for Urgent Clarification
I believe this is not an error that should be overlooked or swept under the carpet. The NDPC must step forward and provide an urgent clarification. Specifically, the Commission should address the following questions:

a) Is registration under the GAID truly a one-off exercise, as stated in Article 9(2)?
b) If yes, why do certificates of registration carry an expiry date?
c) Is the expiry date a mistake? If so, will the Commission reissue corrected certificates without additional cost to registrants?
d) If the expiry date is intentional, does that mean the NDPC has departed from Article 9(2) of the GAID? If so, when will the GAID be formally amended to reflect this change?
e) What is the legal consequence, if any, of allowing a certificate to expire? Does the registration lapse, or does the certificate simply become a historical record while the registration remains valid?

Until these questions are answered, data controllers and processors of major importance will remain in a state of confusion. And confusion is the enemy of compliance.

Conclusion
I believe the NDPC has made commendable progress in a short period. The enactment of the NDPA 2023 and the issuance of various guidance documents, including the GAID, have laid a solid foundation for a robust data protection regime in Nigeria. The NDPC has also shown a willingness to listen to stakeholders and revise its guidance where necessary. However, the current conflict between the GAID’s provision on one-off registration and the expiry date on certificates of registration is a misstep that cannot be ignored. It is an avoidable error that creates legal uncertainty, undermines trust, and imposes unnecessary compliance burdens on regulated entities.

I therefore respectfully call on the NDPC to act swiftly. The Commission should issue a public clarification or an explanatory note addressing this conflict head-on. If the expiry date is indeed an error, the Commission should say so clearly and take steps to correct it. If the NDPC has changed its position on the one-off nature of registration, then the GAID should be formally amended to reflect the new reality, and stakeholders should be properly notified.

Regulatory clarity is not a luxury; it is a necessity. Without it, even the most well-intentioned data controllers will struggle to comply. And when compliance becomes impossible due to the regulator’s own contradictions, the entire data protection ecosystem suffers.

The ball is now in the NDPC’s court. I hope they will do the right thing, not just for themselves, but for every data controller, processor, and data subject in Nigeria.
