When Access Now convened African press-freedom defenders in April 2026 for its workshop on Advancing Rights-Centered Reporting on Nigeria's Cybercrimes Act, the framing was deliberately narrow: how can newsrooms cover, and survive, a statute that has been weaponised against more than two dozen journalists, whistleblowers, and human-rights defenders since 2015? The framing was narrow; the policy problem is not. Nigeria's Cybercrimes (Prohibition, Prevention, etc.) Act 2015 does not sit alone. It interlocks with the National Information Technology Development Agency's 2019 data-localisation guidelines and the Nigeria Data Protection Act 2023 to form a regulatory stack that — whatever each instrument's individual merits — collectively pushes platforms to retain more user data, store it on Nigerian soil, and disclose it more readily to authorities who have repeatedly used that disclosure power against critics.
That is the chilling effect Access Now is asking journalists to cover. It is also a policy problem that demands a pro-innovation, proportionate response — not the abolition of cybercrime law, but the surgical reform of its most abused provisions and a re-think of how localisation mandates intersect with criminal procedure.
Section 24: a known abusive provision, narrowed but not fixed
The Cybercrimes Act's now-notorious Section 24, which criminalised messages deemed "grossly offensive" or sent to cause "annoyance," has been the workhorse of journalist prosecutions for nearly a decade. In 2022, the ECOWAS Court of Justice ruled in Incorporated Trustees of Laws and Rights Awareness Initiatives v. Federal Republic of Nigeria that Section 24 was vague, overbroad, and incompatible with Nigeria's regional human-rights obligations, ordering the provision repealed or amended.
Abuja partially complied with a 2024 amendment that tightened the language and removed "annoyance" as a triggering harm. But documentation by Access Now, the Committee to Protect Journalists, and the Media Rights Agenda shows the amended provision continues to be used as a tool of pre-trial detention against reporters covering corruption, security force misconduct, and gubernatorial spending. The problem was never only the wording. It is the discretionary arrest power the statute confers on police units who treat investigative journalism as an offence to be prevented rather than speech to be protected.
The data-localisation overlay
Where Section 24 supplies the charge, NITDA's localisation framework supplies the evidence. The 2019 Nigeria Data Protection Regulation and its 2020 Data Protection Implementation Framework introduced sectoral data-residency expectations, particularly for government, financial, and "sensitive personal data" categories. The Nigeria Data Protection Act 2023 — a substantive upgrade in many respects, and a welcome one — preserved and formalised those localisation hooks through cross-border transfer restrictions and an adequacy regime administered by the new Nigeria Data Protection Commission.
Layered on top, the Cybercrimes Act itself requires service providers to retain traffic data for at least two years and to hand over subscriber and content data to law-enforcement on request. Combine the three and the operational picture becomes coercive: platforms with Nigerian customers face mounting pressure to keep data inside Nigeria, retain it longer, and produce it faster — into a criminal procedure environment that, as Access Now's own casework demonstrates, has not built the safeguards (independent judicial authorisation, narrow targeting, notification to data subjects) that would make such powers proportionate.
Why localisation does not deliver the sovereignty it promises
Lagos is not alone in believing that storing data on national soil increases citizens' control over it. That intuition is shared from Brasília to Jakarta to New Delhi, and it animated parts of India's now-superseded 2018 Srikrishna draft and the residency rules in its Digital Personal Data Protection Act 2023. But the evidence from a decade of localisation experiments is that mandates rarely produce the sovereignty their advocates promise. They do, however, reliably:
- raise compliance costs for small Nigerian and pan-African startups, which cannot easily replicate hyperscaler footprints in-country;
- concentrate market power in the few global platforms that can afford a Lagos region, narrowing rather than widening Nigeria's digital ecosystem;
- make domestic users more exposed to domestic legal process — including process under abusive statutes — by removing the friction of mutual legal assistance treaties; and
- increase systemic resilience risk, as Rest of World's recent reporting on hyperscalers re-routing Gulf data through Iraqi fiber after a drone strike on regional data centres vividly illustrates.
The Gulf episode is not a Nigerian story, but its lesson is universal: concentrating data in a single jurisdiction is a fragility, not a strength. The same hyperscalers Lagos hopes to compel onshore have spent the last year diversifying away from single-country dependencies.
A proportionate path forward
People of Internet has long argued that cybercrime law is a legitimate, indeed necessary, area of state action. Nigerian businesses lose real money to BEC fraud, romance scams, and ransomware; victims deserve a functioning criminal-justice response. The question is not whether to have a Cybercrimes Act but how to align it with Nigeria's constitutional speech protections and the ECOWAS Court's binding rulings. We would suggest four reforms:
- Repeal, do not merely amend, Section 24. Existing provisions on defamation, harassment, and incitement — properly applied with judicial oversight — already cover the legitimate harms. Section 24's residual ambiguity is what enables its abuse.
- Introduce statutory journalist and whistleblower carve-outs. Public-interest reporting on officials should attract a heightened evidentiary threshold and pre-charge judicial review.
- Decouple data-retention duties from broad-discretion access powers. Two-year retention is defensible only if access requires a particularised warrant, independent oversight, and post-hoc notification.
- Pause expansion of mandatory localisation under the NDPA. The Nigeria Data Protection Commission should issue guidance clarifying that adequacy-based transfers, not residency mandates, are the default — preserving Nigerian businesses' access to the global cloud and reducing the surface area for forced domestic disclosure.
Nigeria has the legal infrastructure, an active civil society, and an ECOWAS judgment in hand. The pieces for a credible reform are in place. What is missing is the political decision to treat journalists as the public-interest infrastructure they are — and to recognise that a cybercrime regime that jails reporters is one that has stopped fighting cybercrime.