On March 18, 2025, the Nigerian Senate received a bill sponsored by Senator Ned Munir Nwoko, titled: A Bill for an Act to Alter the Nigeria Data Protection Act, 2023, to Mandate the Establishment of Physical Offices within the Territorial Boundaries of the Federal Republic of Nigeria by Social Media Platforms (SB.648). This bill proposes that all operators of social media platforms must establish and maintain a physical office in Nigeria, and any failure to do so for more than 30 days would result in a prohibition from operating within the country.
The argument by Senator Ned presents a passionate argument centred on sovereignty, national pride, user protection, job creation, and technological development. He believes that multinational social media platforms such as Meta, X (formerly Twitter), Instagram, TikTok, Snapchat, Youtube, and others, should have a tangible, physical presence in Nigeria to bridge the gap between their massive Nigerian user base and their often distant corporate operations.
But while the motivation behind the bill may be rooted in a desire to improve regulatory oversight and economic participation, the legislative approach is misdirected. The attempt to amend the Nigeria Data Protection Act (NDPA), 2023, to achieve this objective raises serious questions about policy coherence, legislative overreach, and alignment with global best practices.
NDPA – A Law for Privacy, Not Platform Regulation
The Nigeria Data Protection Act (NDPA), 2023, is a legislation aimed at safeguarding the personal data and privacy rights of Nigerian citizens. It was enacted to serve as a framework for regulating how organisations collect, store, process, and share personal data.
The law applies to:
- Data controllers and processors domiciled in Nigeria;
- Foreign entities that process the personal data of Nigerian data subjects, regardless of location.
The Act’s objectives centre on ensuring lawful, fair, and transparent processing of personal information, granting rights to data subjects, and providing remedies for misuse of personal data not on regulating corporate presence or content moderation, which extends jurisdiction to data controllers and processors whether they are domiciled in Nigeria or not so long as they process the personal data of Nigerian residents.
This extraterritorial reach means that even without a physical presence, foreign companies (including social media platforms) are legally bound by NDPA’s requirements when handling Nigerians’ personal data
At its core, the NDPA is not a law that regulates corporate infrastructure, economic presence, or employment obligations. That responsibility lies within the domain of investment regulations, digital economy policy, or a standalone digital platform regulation framework.
To use the NDPA as the foundation for a policy that mandates physical offices for social media platforms is to stretch the law far beyond its intended purpose and potentially compromise its regulatory clarity and effectiveness.
Mixing Apples and Oranges
The proposed amendment to Section 5 of the NDPA seeks to insert a clause (5p) that mandates:
“…all data controllers, data processors, or operators of social media platforms to establish and maintain a physical office situated within the territorial boundaries of the Federal Republic of Nigeria…”
The language is confusing at best, and overreaching at worst. It conflates:
- Data controllers/processors—which include banks, fintech, health institutions, telcos, government agencies, educational institutions and others, with
- Operators of social media platforms and bloggers are singled out despite already being regulated under the existing NDPA framework.
On its face, Section 5(p) is a significant expansion of the NDPC’s mandate. Under the current Act, Section 5 enumerated NDPC’s duties such as monitoring data processing activities, enforcing compliance, registering major data controllers, etc. – duties centred on data protection and privacy oversight. The new subsection (p) adds a territorial establishment requirement as a condition of doing data business in Nigeria, which is a new regulatory burden. It effectively intertwines data protection compliance with a localisation mandate.
The critical issue is whether this mandate aligns with NDPA’s core principles and objectives. The NDPA’s principles (found in Part V of the Act) deal with the lawful basis for processing, data minimisation, security safeguards, transparency, and data subject rights. Requiring a physical office does not advance any of those privacy principles directly. One might argue that having local offices could improve accountability, companies with a presence might respond more readily to NDPC inquiries or data subjects’ complaints.
From an enforcement perspective, NDPC would certainly find it easier to serve notices, conduct audits, or impose penalties on an entity that has a legal address and staff in Nigeria. Thus, indirectly, Section 5(p) could bolster compliance with the NDPA by making companies more reachable.
However, there is a strong counter-argument that enforcement ease does not justify the measure within a privacy law context. Data protection laws typically rely on penalties and legal accountability to incentivise compliance, even for foreign companies, without dictating how a company structures its global operations. The NDPA and General Application and Implementation Directive (GAID) 2025 already provides that data controllers/ processors of “major importance” (essentially large-scale operators) must register with the Commission and fulfil certain extra obligations.
This existing mechanism targets significant players for oversight. Introducing a physical office requirement for all controllers and processors regardless of size or risk profile may be disproportionate. It imposes a compliance burden (incorporation, staffing, local infrastructure) that is not obviously tied to better data protection outcomes, especially for smaller or low-risk entities.
An organisation could be fully compliant with NDPA’s data handling rules yet still be deemed in violation simply for lack of a local office. That suggests the focus of Section 5(p) is orthogonal to NDPA’s privacy objectives – it is a tool to exert jurisdictional control and perhaps foster economic benefits, rather than a tool to directly enhance how personal data is protected.
In evaluating alignment, we must also consider NDPA’s underlying intent. The Act intends to protect Nigerians’ personal data wherever it is held or processed and to ensure entities processing such data are accountable. Section 5(p) takes a more territorial approach. This shifts the tenor of the law from data protection to a form of digital trade regulation. It may set up NDPC to act in a quasi-immigration or licensing capacity for tech firms, which is a new role.
There is a valid concern that this does not square well with the spirit of a data protection framework, which should ideally remain technology-neutral and geography-neutral in protecting data rights.
This kind of blanket addition undermines the principles of proportionality, fairness, and legal certainty.
Section 65 Amendments: Defining “Social Media Platforms” vs General Scope
The amendment bill does not stop at adding Section 5(p). It also seeks to modify Section 65 of the NDPA, which contains definitions and interpretations of terms used in the Act. The proposal is to introduce new or expanded definitions for key terms, specifically: “Data Controllers,” “Data Processors,” and “Operators of Social Media Platforms.” Additionally, the term “Physical Office” is defined for the first time in the data protection context.
The current Act defines a data controller as any individual or body that alone or jointly determines the purpose of processing personal data and a processor as one who processes data on behalf of a controller.
The amendment’s redefinition seems to add emphasis (e.g., explicitly mentioning “means” of processing for controllers and the requirement of following instructions for processors). This raises a minor concern: is it necessary to redefine these terms that were already understood? In practice, the changes may be intended to bolster NDPC’s ability to hold companies accountable by cementing that controllers “bear legal responsibility” for compliance. While this addition is not harmful, it is largely duplicative of what the law implied.
The more striking addition is the definition of “Operators of Social Media Platforms.” The bill defines this as “legal persons or entities responsible for owning, managing, or controlling digital platforms that facilitate user interaction, content sharing, or communication.”
In essence, this targets companies like Meta (Facebook/Instagram/WhatsApp), X (Twitter), Google (YouTube), ByteDance (TikTok), and similar platforms whose primary service is enabling users to post content and interact. The inclusion of this definition signals that the law is singling out social media platforms as a specific category of data controller/processor.
Under the NDPA, such platforms were of course already covered as data controllers (they determine why and how user data is processed on their services). There was no special category for social media or bloggers the Act applied generally to all private or public entities handling personal data, from banks to hospitals to tech companies. By carving out “operators of social media platforms,” the amendment positions social media services as a distinct regulatory class, subject presumably to the physical office requirement and perhaps other obligations.
Although not explicitly defined in the bill’s text we have (the word “blogger” does not appear in the quoted definitions), the political discourse around the bill includes bloggers in the target group. Independent bloggers and online content creators would also be required to register and have a physical presence or at least affiliation in Nigeria
This goes even further than the text of NDPA, suggesting an additional regulatory scheme for online publishers. Such a requirement is unusual in a data protection law; it resembles a media regulation or professional licensing rule. Regardless, the intent is clearly to rope in not just large corporate social networks but also individual or small-scale online publishers under this framework.
The NDPA is, by design, a law of general application that applies to “all transactions for the processing of personal data, irrespective of the medium”, provided the data subject is Nigerian or located in Nigeria (with some exceptions for purely household use etc.). It does not discriminate among types of data controllers based on industry or medium; a small blog and a multinational platform have the same obligations to respect data privacy, scaled to appropriate levels.
If the rationale is that social media platforms pose unique risks to personal data or privacy, the NDPA already has tools to address that for instance, the NDPC can issue regulations targeting sectors or certain kinds of processing.
Consistency and focus could be better maintained by keeping NDPA’s terminology general – and if needed, issuing sector-specific guidelines – rather than rewriting the law to call out specific industries.
Presence Is Not the Same as Compliance
Across the globe, compliance with data protection laws does not hinge on physical presence. Instead, countries with mature data protection regimes primarily focus on the appointment of local data protection representatives’ adherence to cross-border data transfer rules, accessibility to regulatory oversight and redress mechanisms, and robust internal governance and compliance systems.
These countries recognise the decentralised and borderless nature of digital services, and instead focus on accountability, transparency, and enforceability. If Nigeria is to remain a part of the global digital economy, it must avoid policy routes that may appear protectionist or outdated.
The goal globally is to balance openness to innovation with enforceable user protections not to create barriers to entry that may discourage investment or innovation.
Not All Multinationals Are Built the Same
The sponsors of the Bill compares social media platforms to multinational companies like Chevron, Nestlé, DHL, and Total, entities that have physical infrastructure in Nigeria. This comparison is problematic.
Oil and gas companies operate rigs, and plants, and require significant physical presence to function. Logistics companies need warehouses, fleets, and customs interfaces. These companies engage in tangible, local commercial activity that necessitates a physical presence.
Social media platforms, however, are cloud-based digital infrastructures. Their operations are built on distributed data centres, remote workforces, and global user bases. The value they offer to Nigerian users is in digital connectivity, innovation, and access, not physical buildings.
To equate them with traditional companies is to misunderstand the nature of the digital economy, and worse, to craft legislation that could isolate Nigeria from international digital services.
Addressing Legitimate Concerns with the Right Tools
To be clear, many of the concerns raised by the Bill sponsor are valid:
- Delays in content moderation
- Lack of responsiveness to user complaints
- Limited regulatory engagement
- Missed opportunities for job creation
But these problems cannot be solved by forcing physical offices through data protection law which is fundamentally about privacy rights, consent, data security and more—not physical corporate presence.
Nigeria’s digital future depends on its ability to craft smart, targeted, and globally relevant laws that reflect the unique nature of the digital economy. While it is imperative to ensure social media platforms and bloggers respect Nigerian laws and protect Nigerian users, this goal cannot be achieved through incoherent amendments to data protection law.
The NDPA must remain a privacy-first legislation focused on consent, security, data minimisation, and the rights of individuals. Any broader regulatory goals involving digital platforms must be pursued through separate legislative instruments, grounded in research, consultation, and international alignment.
