Nigeria Media Law Guide

NIGERIA MEDIA LAW GUIDE

Defamation and Privacy Law in the Federal Republic of Nigeria

Contributor: Ariteshoma Etete, Associate, CLG Nigeria

1. Introduction

In Nigeria, the legal framework governing defamation, privacy and the protection of personal data is derived from constitutional provisions, common law principles and statutory enactments. The right to privacy is principally founded on section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) which provides that, “Right to private and family life: The privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications is hereby guaranteed and protected”.

By this provision, the protection of privacy constitutes a fundamental human right in Nigeria. Beyond the Constitution, Nigeria has developed a more extensive legal and regulatory framework for the protection of personal data through legislation such as the Nigeria Data Protection Act, 2023 (NDPA) and other sector-specific laws and regulations.

Although the Constitution does not specifically provide for defamation, the law of defamation in Nigeria has evolved through common law principles and statutory provisions, including the Criminal Code Act and Penal Code Act, which seek to protect individuals against false statements capable of injuring their reputation.

2. Defamation

Defamation, in law, is the publication or communication of a false statement concerning a person that results in damage to that person’s reputation. Defamation can take the form of libel (written or permanent form) or slander (spoken or transient form).

Civil liability for defamation in Nigeria is primarily governed by common law principles, while criminal liability is provided under applicable statutory provisions. Defamation under the Criminal Code Act, is defined as “defamatory matter likely to injure the reputation of any person by exposing him to hatred, contempt, or ridicule, or likely to damage any person in his profession or trade by any injury to his reputation.”[1] While under the Penal Code Act, “whoever, by words either spoken or reproduced by mechanical means or intended to be read by signs or by visible representations makes or publishes any imputation concerning any person, intending to harm or knowing or having reason to believe that such imputation will harm the reputation of such person, is said to defame that person.”[2]

The distinction between the Criminal Code and Penal Code reflects Nigeria’s dual criminal law structure. The Criminal Code generally applies in the southern states of Nigeria, while the Penal Code applies in the northern states. These statutes contain provisions criminalising defamatory publications and provide differing definitions and penalties.

It is important to note that, publication in defamation does not require widespread dissemination. It is sufficient that the statement is communicated to at least one person other than the claimant, provided it is understood in a defamatory sense[3]. In Nigeria jurisprudence, publication also includes communication through electronic and digital platforms such as social media, blogs, and online publications, which are increasingly recognised by courts as valid forms of publication[4].

2.1 Civil Remedies for Defamation

From a civil standpoint, the primary remedies available in an action for defamation in Nigeria are damages and injunctive relief.

2.1.1 Damages

An award of damages for defamation is assessed based on a range of factors, including the seriousness of the defamatory imputation, the extent of publication, the status and reputation of the claimant, the conduct of the defendant, and any aggravating or mitigating circumstances such as apology or retraction[5].

2.1.2 Injunctive Relief

Courts may, in appropriate cases, grant injunctive relief to restrain the publication or continued dissemination of defamatory content. However, such relief is granted cautiously, particularly at the interlocutory stage, due to the constitutional guarantee of freedom of expression under Section 39 of the Constitution of the Federal Republic of Nigeria (as amended). The court generally considers whether damages would be an adequate remedy and whether the balance of convenience (weighs which party will suffer greater harm depending on whether the injunction is granted or refused) favours granting the injunction.

2.1.3 Elements of Civil Defamation

For a claimant to succeed in an action for defamation, it must generally be established that:

2.1.3.1    The statement complained of is defamatory.
2.1.3.2    The statement refers to the claimant.
2.1.3.3    The statement was published to at least one person other than the claimant.

2.2 Criminal Punishments for Defamation

Criminal defamation in Nigeria is provided for under the Criminal Code Act (applicable in Southern Nigeria) and the Penal Code Act (applicable in Northern Nigeria).

Under the Penal Code Act, any person who defames another shall be punished with imprisonment for a term that may extend to two years, or with a fine, or with both[6]. The Penal Code Act further extends the punishment of any person who prints or engraves a matter knowing it to be defamatory with imprisonment for a term that may extend to ten years, a fine or both, while the sale of printed or engraved material containing defamatory matter is punished with imprisonment for a term that may extend to five years, with a fine, or both.

Under the Criminal Code Act, any person who publishes any defamatory matter is guilty of a misdemeanour and is liable to imprisonment for one year; and any person who publishes any defamatory matter knowing it to be false, is liable to imprisonment for two years [7]. Where a defamatory matter is published with the intent to extort, it constitutes a felony punishable with imprisonment for up to seven years [8] .

2.2.1 Elements of Criminal Defamation

In addition to the elements required for civil defamation, criminal defamation under the Criminal Code Act and the Penal Code Law requires proof of a mental element (mens rea). For criminal liability to be established, it must generally be shown that:

2.2.1.1    The accused published or caused to be published a defamatory statement concerning another person.
2.2.1.2    The statement clearly refers to the complainant.
2.2.1.3    The accused intended to harm, or knew or had reason to believe that the statement would harm, the complainant’s reputation; and
2.2.1.4    The statement is false or treated as false under the applicable statutory provision.[9]

2.3 Defences

A person accused of defamation (whether civil or criminal) may rely on several defences[10] including:

2.3.1 Justification

The defence of justification applies where the defendant proves that the defamatory statement is substantially true. Under both the Criminal Code Act and Penal Code Act, truth coupled with public benefit operates as a complete defence to defamation[11]. The publication of defamatory matter is not an offence if the publication is, at the time it is made, for the public’s benefit and if the defamatory matter is true. Until it is clearly established that an alleged libel is untrue, it will not be clear that any right at all has been infringed. Under a plea of justification, the onus is on the defendant to show that the alleged defamation is true[12].

2.3.2 Fair Comment

A defendant will only be successful with the defence of fair comment if they can show that they expressed their opinion in good faith based on facts truly stated on a matter of public interest. For a defendant to be availed of defence of fair comment, the following conditions must be present:

2.3.2.1    It must be based on facts truly stated
2.3.2.2    It must be an honest expression of opinion
2.3.2.3    It must not contain insinuations of corrupt or dishonourable motives on the person whose conduct or work is criticised save in so far as such imputation is warranted by facts.

 2.3.3 Privilege 

Privilege is either absolute or conditional. The former provides complete immunity regardless of motive or falsity, and typically applies to statements made in judicial proceedings, legislative proceedings, and certain official communications. Conditional or qualified privilege protects statements made in the performance of a legal, moral, or social duty, provided they are made without malice[14].

2.4 Limitation Period for Defamation

The limitation period applicable to defamation actions in Nigeria is governed by the relevant limitation statute within the jurisdiction where the action is instituted. Limitation periods are therefore not entirely uniform across Nigeria and may vary between states.

Under Section 9 of the Limitation Act (applicable in the Federal Capital Territory) and Section 10 of the Limitation Law of Lagos State, an action for damages for slander is generally required to be commenced within three (3) years from the date the cause of action accrued .

Although these provisions specifically refer to slander, they do not expressly prescribe a separate limitation period for libel. In practice, courts may apply general limitation principles applicable to tort claims under the relevant limitation legislation. Accordingly, the applicable limitation period should be considered on a case-by-case basis with reference to the relevant jurisdiction.

3 Invasion of privacy

In Nigeria, privacy protection is governed by a combination of constitutional provisions, statutory enactments, common law principles, and sector-specific regulations. While there is no single comprehensive statute codifying the entire law of privacy, the Nigeria Data Protection Act 2023 (NDPA) establishes the principal legal framework for the protection and processing of personal data in Nigeria while other laws and regulations provide additional protections in specific sectors and contexts.

In addition to the NDPA, sector-specific laws reinforce privacy protection, including: the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, which imposes obligations on service providers to protect user data and electronic communications; the National Health Act 2014, which imposes confidentiality obligations in respect of patients’ health information; and the Credit Reporting Act 2017, which regulates confidentiality and use of credit information.

These instruments collectively demonstrate that privacy protection in Nigeria is fragmented but increasingly regulated through sectoral compliance obligations.
The 1999 Constitution of the Federal Republic of Nigeria (as amended) further guarantees privacy as a fundamental right. Specifically, Section 37 provides for the protection of citizens’ privacy in relation to their homes, correspondence, telephone conversations, and telegraphic communications.

As privacy is not expressly identified as a distinct item under the Exclusive or Concurrent Legislative Lists of the Constitution, privacy-related matters may be regulated through both federal and state legislation depending on the subject matter involved. The Lagos State Legislature for example enacted the Law Reform (Torts) Law, Ch. L82 Laws of Lagos State 2015 which provides for the invasion of privacy and the remedies available. Section 29 of the Law Reform (Torts) Law provides that:

“(1) Anyone who intentionally intrudes, physically or otherwise, on the solitude or seclusion of another or private affairs or concerns, is liable for invasion of privacy, if the intrusion would be highly offensive to a reasonable person.

(2) Anyone who uses the name or likeness of another in a manner and to an extent which suggests to a reasonable person an intention to appropriate the name and likeness of another or that is associated with another is liable to damages.

(3) Anyone who publicizes a matter concerning the private life of another is liable for invasion of privacy, if the matter publicized is of a kind that:

(a) Would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.”

Section 31 further provides the remedies below:

“The remedies that a Court may grant in an action for invasion of privacy includes:

(a) Injunction

(b) Damages

(c) Order directing the defendant to account to the claimant profits that have accrued or may later accrued to the defendant because of the invasion of privacy

(d) Order directing the defendant to deliver to the claimant any material, article, photograph or documents that have come into the defendant’s possession because of violation of privacy and

(e) Any other appropriate order or relief.”

3.1 Limitation Period

The applicable limitation period for invasion of privacy claims depends on the relevant limitation legislation governing the jurisdiction where the action is commenced. Accordingly, both the Limitation Act, Cap L6, Laws of the Federation of Nigeria 2004 (applicable principally in the Federal Capital Territory) and relevant state limitation laws may apply depending on the forum in which the action is brought[16].

Since invasion of privacy is generally treated as a tortious claim, limitation periods applicable to tort actions may apply subject to any specific statutory provisions. In Lagos State, the Law Reform (Torts) Law, Chapter L82, Laws of Lagos State 2015 provides that applicable limitation statutes continue to apply to actions brought under the Law[17].

4 Data Protection

Although the 1999 Constitution of the Federal Republic of Nigeria (as amended) guarantees the right to privacy as a fundamental human right under section 37, it does not define the scope of privacy or set out a comprehensive regulatory framework for data protection. In Nigeria, data protection is now principally governed by the Nigeria Data Protection Act (NDPA) 2023, which establishes the primary legal framework for the regulation of personal data processing in Nigeria.

The NDPA 2023 builds on earlier regulatory instruments, particularly the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), which previously served as the main regulatory framework before the enactment of the Act. The NDPA now provides a statutory basis for data protection rights, obligations of data controllers and processors, and enforcement mechanisms in Nigeria.

Importantly, the NDPA 2023 codifies core data protection principles such as lawful and fair processing, purpose limitation, data minimisation, storage limitation, accuracy, integrity, and confidentiality. It also sets out the rights of data subjects, including the right to access, correct, erase, and object to the processing of their personal data, and imposes corresponding obligations on data controllers and processors to ensure compliance. In addition, the Act provides for regulatory oversight and enforcement mechanisms through the Nigeria Data Protection Commission (NDPC), including sanctions for non-compliance.

Beyond the NDPA, various sector-specific laws and regulations contribute to Nigeria’s data protection regime.

4.1    The NITDA Act 2007 establishes the regulatory mandate of NITDA over information technology development and governance in Nigeria. Prior to the NDPA 2023, the NDPR 2019 served as the primary data protection regulation, supported by implementation guidelines and frameworks issued by NITDA, including guidance on personal data management in public institutions. While the NDPR has been largely superseded by the NDPA 2023, it remains relevant to the extent that it provided foundational principles such as lawful processing, data minimization, and accountability.

4.2    The Child Rights Act 2003 (Section 8) guarantees the privacy of children, including protection of their home, correspondence, telephone conversations, and other communications. This extends data protection safeguards to individuals under the age of 18, particularly in relation to personal and family data.

4.3    The National Health Act 2014 establishes a framework for the regulation of health services in Nigeria. It imposes strict confidentiality obligations on healthcare providers regarding patients’ medical records and health-related data, including treatment history, diagnosis, and other sensitive medical information. It also restricts disclosure except where permitted by law and requires safeguards against unauthorised access.

4.4    The Freedom of Information Act 2011 promotes public access to information while balancing the protection of personal data. Section 14 requires public institutions to deny access to personal information unless individual consent or disclosure is otherwise permitted. Section 16 protects information subject to legal professional privilege and other recognised forms of confidentiality. The Act also excludes certain categories of information from disclosure, including archived, publicly available, and reference-only materials.

4.5    The Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations 2011, issued by the Nigerian Communications Commission (“NCC”), provides that the information of subscribers contained in the Central Database of the NCC is to be held on a strict confidentiality basis and no person or entity shall be allowed ac-cess to any subscriber’s information that is on the Central Database except as pre-scribed by the Regulation (Sections 9 and 10 of the Regulation). The Regulation further provides telephone subscribers with a right to view and update personal information held in the NCC’s central database. Under the regulations, there are penal sanctions for misuse of the database (Section 21 of the Regulation).

4.6    The National Identity Management Commission Act creates the National Identity Management Commission (NIMC) which was created to establish and manage a National Identity Management System (NIMS) in Nigeria. NIMC is responsible for enrolling citizens and legal residents, creating and operating a National Identity Database and issuing unique national identification numbers to qualified citizens and legal residents. Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information in the Database with respect to a registered individual without authorisation from the NIMC. The NIMC is empowered to provide a third party with information recorded in an individual’s database entry without the individual’s consent, provided it is in the interest of national security.

4.7    The Consumer Code of Practice Regulations 2007 (‘the NCC Regulations’) were issued by the regulator of the telecommunications industry in Nigeria, the Nigerian Communications Commission (‘NCC’). The NCC Regulations provide that all licensees must take reasonable steps to protect customer information against improper or accidental disclosure and must ensure that such information is securely stored and not kept longer than necessary. It also provides that customer information must not be transferred to any party except to the extent agreed with the customer, as permitted or required by the NCC or other applicable laws or regulations.

4.8   The Central Bank of Nigeria (CBN)‘s Consumer Protection Framework was enacted pursuant to the CBN Act 2007. CBN is the regulator of all banks and other financial institutions in Nigeria. The broad objective of this framework is to enhance consumer confidence in the financial services industry and promote financial stability, growth, and innovation. The Framework includes provisions that prohibit financial institutions from disclosing customers personal information and requires that financial institutions have appropriate data protection measures and staff training programs in place to prevent unauthorised access, alteration, disclosure, accidental loss, or destruction of customer data. Paragraph 2.6 of the Framework provides for protection of consumer assets and privacy and also instructs financial institutions to take appropriate measures to guarantee protection of consumer assets and privacy. It also directs that a consumer’s financial and personal information shall be protected at all times and shall not be released to a third party without the consent of the consumer, except as required by law.

4.9    The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 provides an effective, unified, and comprehensive legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria. This Act ensures the protection of critical national information infrastructure and promotes cybersecurity and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property, and privacy rights.

The Act directs that service providers shall keep all traffic data, sensitive information, and subscriber information with due regard to the individual’s constitutional right to privacy and shall take appropriate measures to safeguard the confidentiality of the data retained, processed, or retrieved. By the Act, any person who contravenes any of the provisions of the Act commits an offence and shall be liable on conviction to the sanctions prescribed by the Act for the offence committed (Part III of the Act).

4.10    The Credit Reporting Act 2017 was established to promote access to accurate, fair, and reliable credit information and to protect the privacy of such information and facilitate credit information sharing. Section 5 of the Act requires that credit bureaus maintain credit information for at least 6 years from the date that such information is provided to them or, if later, from the date on which it last provided such information to a credit in-formation user, after which such credit information shall be archived for a further period of 10 years and may thereafter be destroyed by the Credit Bureau. Section 9 of the Act provides the confidentiality rights of data subjects (i.e. persons whose credit data are held by a credit bureau) to privacy, confidentiality, and protection of their credit information. Section 9 further prescribes instances in which the credit information of the data subject may be disclosed.

Contributor: Ariteshoma Etete, Associate
CLG (Nigeria)
168 Awolowo Road
Ikoyi, Lagos
Nigeria

The material in this Guide is for general information only and does not constitute legal advice.  The content of this page is accurate as at June 2026.