On 5 May 2026, the spokesperson of Nigeria's House of Representatives, Hon. Akintunde Rotimi, formally moved a bill to amend the Cybercrimes (Prohibition, Prevention, etc.) Act 2015. The bill — HB 2740, which passed first reading on 22 April 2026 according to the House's own plenary record — targets the three provisions that have done the most damage to press freedom: Sections 24, 27, and 38. Its most consequential change is the quietest one. Before law enforcement can access or intercept a journalist's traffic data and subscriber information, it would first have to convince a judge.
That is a small procedural hinge with large consequences, and it is exactly the kind of targeted, rights-protective reform that Nigeria's digital economy and its democracy both need.
The machine the state built, and why
It is worth stating the government's case at full strength before criticising how the tools have been used. Nigeria runs one of the world's most data-rich telecoms surveillance architectures, and it did not build it by accident. Section 38 of the 2015 Act requires every service provider to retain all traffic data and subscriber information for two years and to release it to law enforcement on request. Layered on top is the NIN-to-SIM linkage mandate enforced by the Nigerian Communications Commission, which ties every active line to a verified national identity.
The rationale is real. Nigeria contends with industrial-scale online fraud, kidnapping-for-ransom negotiated over mobile networks, and terrorist financing that moves through SIM-linked wallets. Retained subscriber records and call-detail logs are genuinely useful for tracing a fraud ring or locating a kidnap victim, and a warrant requirement that is too rigid can cost investigators time they do not have. Any honest reform has to preserve the legitimate investigative value of this data.
The gap the law left open
The problem is not that the data exists. It is that Section 38, as drafted, lets law enforcement reach into it on a bare administrative request — no judge, no showing of necessity, no record the target can later challenge. That design turns a fraud-fighting tool into a general-purpose unmasking machine, and journalists have been on the receiving end.
The Committee to Protect Journalists records at least 25 journalists prosecuted under the Cybercrimes Act since it was enacted in 2015. The 2024 amendment, passed to comply with a 2022 ECOWAS Court of Justice judgment that found Section 24 "arbitrary, vague and repressive," was supposed to end this. It did not. CPJ documented at least three journalists detained on cybercrime allegations since August 2025 alone — including investigative publisher Fejiro Oliver, flown across state lines after his arrest, and reporters whose phones were seized and held for days. The Centre for Journalism Innovation and Development counts at least 18 cases of journalists arrested, detained, or charged under the Act since the 2024 reform took effect.
The phone seizures are the tell. When the investigative target is a reporter rather than a fraudster, the value of warrantless data access is not solving a crime — it is identifying the source. Subscriber lookups and traffic data let an aggrieved official trace which number contacted a leaker, where the journalist travelled, and who they called. That is source protection collapsing in real time, and it happens long before any case reaches a courtroom that might throw it out.
Proportionality as a design principle
What makes HB 2740 the right instrument is that it does not dismantle the data-retention regime. It disciplines access to it. The bill writes the principles of legality, necessity, and proportionality directly into Section 38, requires judicial approval before retained data on a journalist or other protected person is accessed, and adds notice to the affected party "where practicable." The Section 24 changes push reputational and "false information" disputes toward civil remedies and make a court — not a police officer — the body that decides whether speech is unlawful. Section 27 carves out journalists and whistleblowers handling information in the public interest.
This is proportionate regulation done correctly. A warrant requirement is not a shield for criminals; serious investigations clear that bar every day, and the bill preserves access on a proper showing. What it removes is the frictionless path that made the data attractive for harassment rather than detection. Independent oversight tends to raise the quality of the requests it filters, not just the quantity it blocks.
The stakes extend past the newsroom. A telecoms surveillance system that the public believes can be turned on anyone, for any reason, is a drag on the digital trust Nigeria's fintech and creator economy run on. Putting a judge in the loop is how a state signals that retained data is held for investigation, not for intimidation.
What still needs work
The bill is not the finish line. It has only cleared first reading; committee stage, the Senate, and presidential assent remain, and enforcement — not statutory text — has been the recurring failure. The notice provision's "where practicable" qualifier needs tight definition so it cannot be read as a permanent waiver. And the protections should not be limited to a defined class of "journalists"; in an era where citizens break news on social platforms, narrow definitions invite the next round of arbitrary line-drawing.
Still, the direction is right. HB 2740 treats the Cybercrimes Act's surveillance powers not as something to abolish but as something to govern — with a judge, a standard, and a record. That is the proportionate path, and Nigeria's lawmakers should walk it to assent.