Data Protection or Data Privacy: What Does Section 37 Really Guarantee?
There is a growing view that Section 37 of the 1999 Constitution ("Nigerian Constitution") guarantees data protection as a fundamental right. In Re Incorporated Trustees, the Court reached the conclusion that “data protection is guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria". In our view, this interpretation and the applicable submissions are questionable. What the Nigeria Constitution guarantees is not “data protection” as we understand it in modern regulatory terms, but rather data privacy in the narrow sense of confidentiality, albeit to a greater degree and within the context of security and integrity.
In our view, the difference between data protection and data privacy is not just academic. It has real legal and practical consequences.
What’s the Difference?
"Data protection" refers to the entire body of rules, standards, and obligations that govern how personal data should be collected, stored, processed, and shared. It includes requirements like (a) publishing a privacy policy on your website, (b) appointing a Data Protection Officer, (c) ensuring cross-border data transfer protocols (d) filing compliance audit reports.
On the other hand, data privacy, which we prefer to describe as confidentiality, is just one principle within the corpus of rules referred to as data protection, and that is what Section 37 guarantees. In our view, the Constitution protects the private lives of individuals, which includes the right to keep certain information confidential. It does not, however, create constitutional obligations around data processing policies, audit filing, or even cybersecurity controls.
The Consequences of Confusing the Two
If we treat every breach of statutory data protection obligations as a breach of constitutional rights, we risk (a) flooding the courts with claims that should be regulatory in nature (b) converting technical compliance failures into human rights violations ( c) undermining the proper role of the Nigeria Data Protection Commission (NDPC) (d) imposing an evidentiary burden on a constitutional court and most importantly, abusing the fundamental rights enforcement process.
Failure to display a privacy policy or appoint a data protection officer, as was the allegation in Re Incorporated Trustees, should not be a constitutional or fundamental human rights matter. Rather, such issues should be addressed through administrative tribunals or actions grounded on a breach of the Nigerian Data Protection Act in a High Court, not by triggering a constitutional or fundamental human rights proceedings.
What Should Be Protected Under Section 37?
In our view, only violations that touch on confidentiality, such as unauthorized disclosure of sensitive personal data, surveillance without legal basis, or interception of private communication, should reasonably qualify as breaches of Section 37. In our view, this is the true scope of constitutional data privacy. Thus, every other principle of data protection should be litigated outside of section 37. In a case where a breach of confidentiality also bothers on security and integrity, we expect this ought to be submitted first to an expert tribunal or to a High Court as a statutory matter, and where considered necessary, subsequently, to the constitutional jurisdiction of the Federal High Courts.
What do you think?
You may speak with our Technology and Data Protection lawyers, here: 08060817371 or via bhlegalsupport@balogunharold.com

Olu A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)
Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
olu@balogunharold.com
Kunle A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)
Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
k.adewale@balogunharold.comRelated Articles
The Host Community Development Trust: Key Commercial Issues
A central issue concerns the scope of the powers of the Nigerian Midstream and Downstream Petroleum Regulatory Authority to issue the Midstream Petroleum (Host Communities Development Trust) Regulations 2024.
Payment Transaction Data Localisation in Nigeria: New CBN Rules and Their Legal Implications
While the CBN payment transaction data directive appears straightforward, its legal implications depend on how its key requirements are interpreted and operationalised in practice.
The Legal Framework for Classified Information in Nigeria: Key Considerations
It would be prudent for the Federal Government undertake a comprehensive review of the Official Secrets Act to ensure that it reflects contemporary national security, technological and governance realities.
Data Localisation in Nigeria: Key Considerations for Cloud Service Providers and AI Companies
Nigeria does not yet have a single, economy-wide data localisation statute. Instead, the regime has developed incrementally on a sector-by-sector basis, through a combination of primary legislation, sectoral regulations, licensing conditions, and regulatory guidelines issued by agencies