When a Lagos court ordered Google to pay Nollywood actress Adunni Ade ₦30 million and wipe two false stories from its platforms, most Nigerians read it as a celebrity headline. Data protection lawyers read it as something else entirely a warning shot.
Because the case did not turn only on defamation. It turned on the Nigeria Data Protection Act, 2023 (NDPA) the same law that governs what happens to the personal information of every Nigerian who has ever filled a form, opened a bank app, or scrolled a feed. And that law says something most citizens have never been told: your data is not supposed to leave the country without rules being followed.
The line most Nigerians have never heard
“Under data privacy law, they are not supposed to transfer our data across borders without the NDPC’s say-so,” says lawyer and data protection consultant Sandra Onyia, referring to the Nigeria Data Protection Commission, the regulator created to police exactly this.
She is describing one of the least understood but most consequential parts of Nigeria’s privacy regime. Under Sections 41 to 43 of the NDPA, a company cannot simply ship the personal data of Nigerians to servers in the United States, Europe or anywhere else at will. The transfer is only lawful if the destination country offers an adequate level of protection as determined by the NDPC, or the organisation puts approved safeguards in place such as Standard Contractual Clauses binding the foreign recipient or one of a narrow set of exceptions applies, chief among them the informed, revocable consent of the data subject.
The uncomfortable reality for the technology industry is this: as of 2026, the NDPC has formally recognised very few countries as “adequate,” and the United States where most of the world’s data ultimately lives is not among them. In plain terms, the Gmail account, the cloud backup, the AI chatbot query and the social media upload are all, in the eyes of Nigerian law, cross-border transfers that must be justified. Most companies operating in Nigeria have never signed the paperwork to justify them.
Why the Adunni Ade cases matter to everyone else
Onyia points to the Adunni Ade litigation as the proof that these rights are no longer theoretical. The actress did not merely complain online. She went to the High Court of Lagos State and won, repeatedly.
In Adunni Adewale v Polance Media, delivered in June 2025, Justice I.O. Harrison awarded her ₦20 million, holding that publishing her name and photograph in a false romantic storyline breached both her constitutional right to privacy and the NDPA’s requirement that personal data be processed fairly, accurately and transparently. The ruling went further than most Nigerian courts had gone before, recognising “false light” being portrayed misleadingly as a privacy wrong in its own right, separate from defamation.
Months later, in the same fight, the court ordered Google to pay her ₦30 million and delete the offending stories from Google Search and YouTube. Google, served electronically, did not appear or defend the case. Meta, initially named, was struck out in April 2025 after a preliminary objection. In a third matter, she secured ₦3 million against Vanguard and a journalist over an article the court found had unfairly processed her marital information.
The significance for the ordinary Nigerian is the principle underneath the celebrity: a court accepted that mishandling a person’s name, image and personal data including by keeping it online in a false or inaccurate context is a legal wrong that carries a price tag. And crucially, courts have discretion to fix what that reputational harm is worth.
“The courts have the discretion to determine reputational damages,” Onyia notes a discretion the Adunni Ade judgments show can run into tens of millions of naira per case.
From ₦100m claimed to ₦30m awarded and the message to platforms
It is worth noting what the numbers reveal. Adunni Ade asked for ₦100 million and was awarded ₦30 million. The gap is the discretion Onyia describes: Nigerian judges are not bound to a fixed tariff for dignity and reputation; they weigh the harm and decide. For global platforms accustomed to ignoring takedown requests from individual users in emerging markets, the lesson is that a Nigerian citizen can now convert a privacy grievance into an enforceable money judgment and an order compelling deletion.
That combination, the removal order plus damages, is what makes the NDPA more than a paper right. It hands individuals a remedy that reaches into the operations of the largest companies on earth.
What it means for you
Legal analysts caution that the framework is still maturing, and some scholars have questioned whether courts are blurring the line between data protection and traditional defamation, potentially lowering the bar litigants must clear. Those debates will play out in appeals to come. This story reports the state of the law as it stands and is not legal advice.
But the practical takeaway for Nigerians is already clear. Every citizen is a “data subject” with enforceable rights. Companies that collect your information owe you fair, accurate and transparent treatment of it. And when they move it beyond Nigeria’s borders, they are meant to do so only under the conditions the NDPC sets not whenever it suits their servers.
For years, that was a rule on paper that few could enforce. The Adunni Ade judgments suggest the paper has grown teeth. The question now is how many ordinary Nigerians will realise that the same courtroom door that opened for an actress is open to them too.





