2 hours ago
2
Nigeria is stepping up efforts to strengthen its digital economy, with the central bank announcing that payment transaction records generated within Abuja to be stored on local servers—a decision that came amid concerns raised by a coalition of civil society organizations (CSOs) about the country’s weak data protection guardrails.
Beginning on January 1, 2027, banking institutions, fintech companies, and other licensed payment service providers operating in Nigeria are mandated to store sensitive transaction records on local servers instead of foreign-based servers, The Guardian reported.
This will provide the country greater control over critical data infrastructure, allowing authorities to easily access records, conduct audits, enforce compliance, and investigate, especially in cases where criminal offenses are involved, reducing delays often caused by intermediation between local and foreign entities.
Apart from data sovereignty, the Central Bank of Nigeria (CBN) added that moving transaction records from foreign servers will help drive investments in local data centers and cloud storage capacity.
Institutions subject to this mandate may face sanctions if they fail to comply, the CBN warned.
Data crisis threatens Nigeria’s digital economy progress
While Nigeria is making a concerted effort to boost its data sovereignty, CSOs have voiced their concerns over the authorities’ apparent weak handling of citizens’ personal information despite having data protection laws in place.
The coalition, comprising Media Rights Agenda, Paradigm Initiative, Digital Rights Lawyers Initiative, and Accountability Lab Nigeria, among others, released the “Protected From the State, Not By It: Nigeria’s Data Protection Crisis Is a Crisis of Implementation,” where they criticized regulators’ failure to effectively enforce data protection laws, which led to rising cases of digital fraud and rampant illegal sale of sensitive information.
This came after reports of alleged unauthorized access to the Continuous Voter Registration (CVR) database of the Independent National Electoral Commission (INEC) during a nationwide CVR exercise.
INEC earlier released the preliminary findings of its investigation into the matter, saying that it found no external breach of its systems and that the personal information of over 90 million registered voters was not compromised.
“Preliminary findings from the Commission’s audit trail so far indicate that there was no external breach of the CVR database, no hacking incident, and no unauthorised external access to the Commission’s ICT infrastructure,” the commission explained, as quoted by the media outlet Punch. “Rather, the information in question was accessed through valid user credentials assigned to personnel participating in the ongoing CVR exercise but released without authority.”
Despite this, CSOs argued that the incident underscored the lack of oversight, adding that it showed that while data privacy laws are in place, sensitive information can be easily moved from a secure government database and into the hands of private political entities.
The coalition also pointed out regulators’ failure to conduct human rights impact assessments on public surveillance systems before related programs were deployed, urging the government to act on these issues by subjecting public institutions to the same compliance requirements as private organizations.
“This is the asymmetry at the heart of the crisis: citizens are under-protected from data abuse and over-exposed to state monitoring and punishment,” the CSOs stated.
Watch: Blockchain could revolutionize cybersecurity
English (US) · 