Editor's note: In this piece, legal practitioner Tolulope Idowu examines a landmark lawsuit filed under the Nigeria Data Protection Act 2023, using an unsolicited SMS case to probe the evolving landscape of digital rights, data privacy enforcement, and institutional accountability in Nigeria.

In a developing legal battle that could shape how Nigerian institutions handle personal data, a private individual has filed a lawsuit against a popular Ibadan-based school, Valencia College, for allegedly violating his data privacy rights under the Nigeria Data Protection Act (NDPA) 2023.

The Applicant, Boluwatife Sanya, instituted an action before the High Court of Oyo State after receiving an unsolicited SMS from the school, advertising its admission programme. According to the Statement of Claim filed in court, the Applicant never provided the school with his personal data, particularly his mobile number, and did not consent to any form of marketing communication.

The dispute arose on or about 6th March 2025, when the Applicant received a marketing SMS from the school inviting recipients to apply for admission into its upcoming 2025/2026 academic session. The Applicant maintains that he has never interacted with the school, submitted any form of application, or requested any service that could reasonably justify the use of his personal information.

The Applicant, through his legal representative, Tolulope Idowu, argues that the SMS constitutes a violation of Sections 24 and 25 of the NDPA, which require that personal data must be collected and processed lawfully, fairly, and with the data subject’s informed consent.

The suit, filed pursuant to the Applicant’s rights under Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) Sections 24(1)(a), 25 & 35 of the Nigeria Data Protection Act 2023, seeks among other reliefs an order of court that, unlawfully processed personal data without the Applicant’s consent, used the data for direct marketing in an illegal and unfair manner, failed to provide transparency on how the data was obtained and honour the Applicant’s data subject rights to access and consequently, infringed the Applicant’s right to privacy guaranteed under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.

The Applicant is also seeking the following reliefs: an order for the deletion of all data belonging to the Applicant in the Defendant’s database and damages for breach of statutory duty and violation of the Applicant’s constitutional rights.

NDPA and the expanding scope of digital rights

The Nigeria Data Protection Act, which was signed into law in 2023 and replaced the earlier NDPR framework, introduced a comprehensive legal regime for the processing of personal data. It gives every Nigerian the right to: know who is processing their data, access their data from any data controller, withdraw consent at any time, and seek redress when their rights are infringed.

Additionally, while Article 18(1) (a) of the NDPA General Application and Implementation Directive 2025 specifically provides that where personal data is processed for the purpose of direct marketing, the consent of the Data subject is the only basis on which such personal data may be processed, Section 34 of the NDPA 2023 further allows any individual to demand full access to their data and the purposes for which it is being processed.

More importantly, Section 37 of the 1999 Constitution guarantees the privacy of citizens, their homes, correspondence, and communications. Any unauthorised intrusion into this space can therefore trigger both statutory and constitutional remedies.

Legal practitioners have described the case as “an important test for how seriously the courts and institutions treat privacy in Nigeria's digital age.”

If the court rules in favour of the Applicant, it could mark a turning point for data privacy litigation in Nigeria. Many organisations — schools, fintechs, health institutions, marketers — routinely collect and use data without consent, often through third-party bulk SMS vendors and online data harvesting.

This case brings to the fore the urgent need for organisational compliance with data protection laws, particularly in obtaining and processing personal data for direct marketing.

In recent months, the Nigeria Data Protection Commission (NDPC) has ramped up enforcement activities, including issuing compliance notices, investigating breaches, and publishing guidance on lawful processing. Legal experts suggest that failure to comply with the Act could soon attract administrative penalties, including fines and criminal liability, in addition to civil claims like the present case.

This lawsuit represents a bold assertion of legal rights under Nigeria’s fast-evolving data protection regime. It also highlights a growing awareness among citizens that their privacy is not just a personal concern, but a legal right that can and should be defended.

Tolulope Idowu is a legal practitioner specialising in data protection and privacy law. He is Lead Associate at A.A. Ademidun & Co., a full-service law firm in Ibadan, Nigeria.

Disclaimer: The views and opinions expressed here are those of the author and do not necessarily reflect the official policy or position of Legit.ng.

PAY ATTENTION: Сheck out news that is picked exactly for YOU ➡️ find the “Recommended for you” block on the home page and enjoy!

Proofreading by James Ojo, copy editor at Legit.ng.

Source: Legit.ng