By Dr. Olumide Babalola
![](https://thenigerialawyer.com/wp-content/uploads/2025/05/idrinstitute.png")
In March 2025, as part of their desire to extra-judicially simplify the Nigeria Data Protection Act 2023 (NDPA), the Nigerian Data Protection Commission (NDPC) issued a document titled the General Application and Implementation Directive (GAID – pronounced as “Guide”) containing explanatory guidance on the provisions of the NDPA. For the budding field of data protection, especially in Nigeria, the GAID ought to come in handy whenever the intention of the draftsmen or the regulator is interrogated. Still, when the provision of article 17(8) of GAID is considered, it is seen that the document does more than a mere explanation of the NDPA – it makes a ‘creation’ of some sort. In the succeeding paragraphs, I analyse my brief opinion on the concept of implied consent under article 17(8) of GAID
Inelegant drafting and logical impossibility
Although a commendable regulatory effort, rather than resolving the ambiguities in the NDPA, some provisions of GAID have created new problems owing to inelegant drafting. For context, article 17(8) provides that: “Nothing in this GAID shall prevent a data subject from giving a constructive or an implied consent to data processing in the following circumstances” (Emphasis mine) Interestingly, the provision above seeks to empower a data subject to “give” implied consent, but the idea is blatantly illogical and contradictory. The word ‘implied’ refers to something that arises by inference or operation of law, even though it is not expressly written or stated, hence, it cannot be ‘given’ by the data subject but inferred from certain facts.
“Giving” consent implies a positive, intentional act i.e something actively done by the person, but in this case, consent is inferred from a passive conduct without expressly stating the specifics. In other words, implied consent is not actively given, it is inferred from behaviour, circumstances, or failure to object. Providing that someone can “give” implied consent mixes two logically inconsistent ideas: one is active (i.e “gave”) and one passive (i.e “implied”). It gives a paradoxical impossibility, like suggesting someone “shouts silently.” The other problem with this provision is the suggestion that, once one attends a public event, the organisers have implied consent that images taken at the event may be used for a report of that event. This provision creates at least two potential problems. First, there is no definition of public event, hence everything is left to conjecture on what nature or type of event constitutes a public event. Secondly, what does a ‘report’ of the event mean? Internal report or publication of the event?
Implied consent is unknown to NDPA
Consent is defined under section 65 of the NDPA as “any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or an affirmative action, of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the permission to provide such consent”
The definition above clearly signifies that consent must be “specific” “unambiguous” and by statement or ‘clear’ affirmation, whereas to imply means to suggest or indicate something without saying it directly and this is where the problem lies. While the NDPA prescribes consent to be specific and unambiguous, the GAID subjects the concept to inference, which now makes such consent debatable. In other words, the concept of informed consent is grounded in an assumption based on certain facts and circumstances but it is my respectful opinion that the draftsmen intended consent to be free from conjecture, especially by the use of “specific” and “unambiguous”.
Once parties begin to argue on the validity of consent, then its existence becomes doubtful and problematic, especially since NDPA provides that silence or inactivity does not constitute consent. The activity contemplated here must be such that it indicates the specific processing consented to but not an assumption that the data subject consents to all kinds of processing activities without spelling them out. For example, if a person attends an event where a notice is displayed that the event would be recorded and pictures taken would be used for promotional purposes, do this necessarily cover the subsequent (indefinite) storage and sharing with third-party vendors? This answer is not that straightforward, and that vitiates consent ordinarily.
Contemporary best practice
It is common knowledge that, from a data protection perspective, consent is inherently tricky, slippery and problematic, especially since it must be informed. Hence, once a controller cannot demonstrate that the data subject is duly informed of the specific processing activities they were consenting to, then consent is vitiated. Regardless of the position the NDPC wants to take on implied consent, it is important to consider the contemporary approach to this hydra-headed conundrum.
In 2020, the European Data Protection Board released their Guidelines 05/2020 on consent under Regulation 2016/679. Paragraph 168 of the document states that: “…the GDPR requires that a controller must be able to demonstrate that valid consent was obtained, all presumed consents of which no references are kept will automatically be below the consent standard of the GDPR and will need to be renewed. Likewise as the GDPR requires a “statement or a clear affirmative action”, all presumed consents that were based on a more implied form of action by the data subject (e.g. a pre-ticked opt-in box) will also not be apt to the GDPR standard of consent.” From the provision above, implied consent is not considered valid, especially where the controller is unable to demonstrate such informed consent
On what constitutes valid consent, the UK Information Commissioner’s Office clarifies that: “The idea of an affirmative act does still leave room for implied methods of consent in some circumstances, particularly in more informal offline situations. The key issue is that there must still be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose. However, this type of implied method of indicating consent would not extend beyond what was obvious and necessary.” (see https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/consent/what-is-valid-consent/) Here, the English regulator sounds a note of warning against reliance on implied consent, which does not usually make it clear to data subjects what specific purpose or processing activity they are consenting to.
Towing this line, the Organisation for Economic Co-operation and Development (OECD) also frowns at implied consent which they considered ‘imposed’ as thus: “The knowledge or consent of the data subject is as a rule essential, knowledge being the minimum requirement. On the other hand, consent cannot always be imposed, for practical reasons. In addition, Paragraph 7 contains a reminder (“where appropriate”) that there are situations where for practical or policy reasons the data subject’s knowledge or consent cannot be considered necessary. (see OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data). Even across Africa, no country has notably adopted implied consent as part of its data protection framework; hence the global sentiment is to view the strange concept as an unreliable substitute for explicit, affirmative consent under modern data-protection laws.
Recommendations for improvement
To address the potential problems of implied consent, it is advised that article 17(8) of GAID is reviewed to either remove or qualify implied consent. It could be replaced with a more rights-respecting clause that recognises the validity of consent only when obtained through a clear, affirmative act by the data subject indicating agreement to the processing of personal data for specified purposes. If we must stick with implied consent, then it may be confined to extreme cases like emergencies or circumstances where a data subject is physically or mentally incapable of giving consent. For clarity, a demonstrable consent framework may be adopted by the NDPC to mandate controllers to keep verifiable records (logs, timestamps, digital signatures) of consent; enable simple withdrawal mechanisms; and periodically review consent validity for ongoing processing. Ultimately, to provide further guidance, the NDPC ought to issue standard consent templates and model privacy-notice clauses aligned with section 27 NDPA.
The publishing firm has produced an impressive catalogue of authoritative legal texts authored by its proprietor, Basil Momodu, Esq.,
For inquiries, contact:
📧 momodulawpublishing@yahoo.com
📞 07051822705
______________________________________________________________________
“Timely And Groundbreaking” — Babalola, Nnawuchi Release Casebook On Privacy & Data Protection In Nigeria
A timely new publication, Casebook on Privacy & Data Protection in Nigeria, co-authored by Olumide Babalola and Uchenna Nnawuchi,📘Casebook on Privacy & Data Protection in Nigeria is now available on Amazon:https://a.co/d/8TmFZrd
______________________________________________________________________
Alexander Payne Co. Law Reports
Contact & Orders 📞 0704 444 4777 | 0704 444 4999 | 0818 199 9888 🌐 www.alexandernigeria.com
______________________________________________________________________ Groundbreaking Guide For Lawyers: Adigwe Publishes ‘Artificial Intelligence For Lawyers’ With Free Research eBook
Authored by Ben Ijeoma Adigwe Esq., ACiarb (UK), LL.M, Dip. in Artificial Intelligence, Director at the Delta State Ministry of Justice, Asaba, Nigeria.
How to Order:
📞 Call, Text, or WhatsApp: 08034917063 | 07055285878
📧 Email: benadigwe1@gmail.com
🌎 Website: www.benadigwe.com
Ebook Version: Access it directly online at https://selar.com/prv626
______________________________________________________________________
[A MUST HAVE] Evidence Act Demystified With Recent And Contemporary Cases And Materials
Edited by Dr. Akin Olawale Oluwadayisi, Ph.D; ACIArb, FIPDM, Notary Public, Awi Boluwaji, and Olumide Awoyemi, LL.M, Price: ₦20,000 or $20 per copy
Order Your Copy Now:📧 Email: benakollegalclassics@gmail.com,📱 WhatsApp: 07038211889, 📞 Voice Call: 07065830466 | +2347038211889
______________________________________________________________________
