Introduction
Recently, the Presidential Fiscal Policy and Tax Reforms Committee, during conversations about the recent tax reforms, confirmed that Nigeria receives significant financial information on Nigerian residents through international information-sharing arrangements, particularly the Common Reporting Standard (CRS). Under these arrangements, over 100 partner countries exchange data on offshore bank accounts and assets, and the Federal Government employs the data received to track the income of remote workers and foreign-income earners.
In a related development, on December 10, 2025, the Federal Inland Revenue Service (now Nigeria Revenue Service) signed a Memorandum of Understanding (“MoU”) with Direction Générale des Finances Publiques (DGFiP) of France, on the promotion of efficient tax administration. DGFiP is an agency of the French government that plays a key role in public finance management, including taxes. Although the content of the MoU has not been disclosed, it attracted wide public concerns on the possibility of abuse of the data privacy rights of Nigerian taxpayers by a foreign entity/government, including loss of economic control, mass data surveillance, digital exploitation, espionage and geopolitical manipulation.
The Nigeria Tax Act 2025 (the “NTA” or the “Act”) has harmonized all previously existing tax statutes with the broad objective of modernizing and streamlining tax administration, and the ultimate goals of enhancing voluntary compliance and broadening the tax base. This reform, however, occurs alongside the maturation of the Nigerian data protection ecosystem, as governed by the Nigeria Data Protection Act of 2023 (“NDPA”) and the General Application and Implementation Directive, 2025 (the “GAID”). Both the NDPA and the GAID impose strict duties of care on data processors and data controllers, such as the Nigeria Revenue Service (“NRS”).
This article interrogates the legality of the transaction tracking powers of the NRS and other tax authorities under the new tax laws in the light of the constitutional guarantee of privacy in a democratic society and the provisions of the NDPA, and highlights the practical implications for businesses.
Income tracking in the new tax ecosystem
The NTA represents a paradigm shift in tax administration, moving away from passive self-reporting toward a model of active, real-time oversight. Central to this new regime is the expansion of the tax base to encompass the modern digital worker. Under Section 12 of the NTA, residency serves as the primary trigger for tax liability on worldwide income of a Nigerian resident, stipulating that such earnings are deemed to accrue in Nigeria (and therefore chargeable to tax in Nigeria) “wherever they arise,” regardless of whether those funds are ever repatriated to Nigeria.
Furthermore, the Act explicitly targets the frontiers of the digital economy by categorizing “profits or gains from transactions in digital or virtual assets” as chargeable income under Section 4(1)(j) of the Act. Digital assets under the Act include cryptocurrencies, utility tokens, security tokens, non-fungible tokens (NFTs), and any other similar digital representation or their derivatives. To ensure these assets do not escape the tax net, Section 46(n) of the Act deems digital assets to be situated in Nigeria if the beneficial owner or the person who has control over the assets is resident in Nigeria. The state’s reach also extends to non-residents who provide digital content services, online gaming, supply of user-data, application store, electronic data storage, e-commerce, and other similar electronic or digital based activities, where such digital service providers are deemed under the NTA to have a significant economic presence (SEP) in Nigeria.
The tax regime vis-à-vis data protection framework
While the NTA vests the state with expansive income tracking powers, the NDPA provides a robust statutory framework grounded in section 36 of the 1999 Constitution, which guarantees the right to privacy. Specifically, section 24 of the NDPA outlines the principles by which a data processor or data controller must be guided while processing the personal data of data subjects. Accordingly, data processing must be fair, lawful, and transparent. It must also be for specified and legitimate purposes, and the amount of data to be collected must be limited to the minimum necessary for the purpose of processing, among other conditions.
The NDPA is applicable where the data controller or data processor is domiciled, resident, or operating in Nigeria, or the processing of personal data occurs within Nigeria; or although the data controller or the data processor is not domiciled, resident, or operating in Nigeria, but is processing personal data of a data subject in Nigeria. Thus, disclosure of information banks and other financial institutions to third parties, such as the Nigeria Revenue Service, in furtherance of their statutory obligation of banks and other financial institutions under tax laws is subject to the provisions of the NDPA. Consequently, in view of the above data protection safeguards, it is important to examine the statutory obligation of banks and other financial institutions under tax laws to disclose information to the NRS against the data protection framework provided by the NDPA.
Legal exceptions to data privacy rights are recognized in the NDPA as lawful basis for personal data processing. In this regard, section 25(1)(b)(ii) of the NDPA deems the processing of personal data as lawful where it is necessary for compliance with a legal obligation to which the data controller or data processor is subject. Section 65 of the NDPA defines “processing” broadly to include any operation performed on personal data, whether automated or otherwise, including disclosure by transmission, dissemination, or otherwise making data available to another party. In line with the foregoing, a bank that transmits customer information to the NRS pursuant to a statutory mandate under the NTA (or any other applicable tax statute) is theoretically engaged in data processing permitted by the NDPA. Accordingly, disclosures made by banks to third parties such as the NRS, strictly within the scope of statutory requirements, do not amount to unlawful interference with data protection rights. Instead, they fall squarely within a recognized lawful basis for processing under the NDPA. However, such permitted processing of personal data must still comply with the conditions of necessity, proportionality, and compliance with the underlying legal obligation, as well as adherence to the broader data protection principles under the NDPA.
Additionally, Article 22(4) of the GAID explicitly prohibits the use of legal obligations as a justification for a “voyage of discovery” into a citizen’s privacy or for establishing speculative claims. It mandates that any such processing must be “reasonably justifiable in a democratic society” and limited to the absolute minimum requirement necessary to achieve the statutory purpose7. While the GAID is a subsidiary legislation, it is a data protection specific regulation made pursuant to the NDPA. This means the NRS, in its exercise of the power to collect data on taxpayers from financial institutions, cannot engage in wholesale surveillance but must target its data collection to specific, tax-relevant activities.
While the NTA provides the charging powers, the Nigeria Tax Administration Act 2025 (“NTAA”) provides the administrative conduits for data collection. Section 29 of the NTAA mandates banks, insurance companies, stock-broking firms, and other financial institutions to deliver periodic information to the NRS. This includes annual returns of new and existing customers whose cumulative transactions in a month exceed specified thresholds, as well as reports of transactions involving specified sums and details of customers connected with those transactions. This mandate, in a way, effectively turns every financial institution into a reporting agent for tax authorities. This mechanism has also enabled the NRS to move from generalised surveillance to specific, targeted income profiling of remote workers by monitoring high-value inflows.
Consequently, the processing of taxpayer identification data, income information, and related financial record by the NRS would ordinarily be justified under section 25(1)(b)(ii) of the NDPA, as it is necessary for the performance of a statutory function relating to tax administration. However, such processing remains subject to strict confidentiality obligations as mandated under section 142 of the NTAA.
When read alongside Section 25(1)(b)(ii) of the NDPA, the disclosure obligations under Section 29 of the NTAA constitute processing that is necessary for compliance with a legal obligation. However, such processing must also comply with the core data protection principles of purpose limitation, integrity and confidentiality, and accountability as provided in Section 24(1) – (3) of the NDPA.
Proportionality, transparency, data minimisation, and purpose limitation test
Having regard to the aforementioned data protection safeguards in the NDPA, particularly the provisions of section 24(1)(c) and section 24(1)(b), there is no gainsaying the obligation on data controllers and data processors to ensure that personal data is processed in line with statutorily laid down principles, and that where a lawful basis exists to derogate from data privacy rights, such derogation must be kept within the bounds of the law.
In the context of tax administration, the referenced provisions of the NDPA impose clear constraints on the scope of permissible data collection. Consequently, any income-tracking exercise must be strictly confined to tax assessment, verification, and enforcement functions under the NTA and the NTAA. Indiscriminate or bulk collection of financial, transactional, or behavioural data beyond what is reasonably required to establish tax liability would likely be disproportionate and inconsistent with the NDPA. Similarly, any secondary use of taxpayers’ data outside the aforementioned context would, prima facie, violate the purpose limitation principle unless expressly authorised by law. Accordingly, the NRS would bear the burden, if challenged, of demonstrating that any income-tracking mechanism is narrowly tailored to legitimate fiscal objectives and does not exceed what is necessary for effective tax administration.
A further issue arising in public discourse is the perceived opacity surrounding the nature and extent of data to be collected. From a constitutional perspective, lack of clarity in data processing practices heightens the risk of infringing section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended), which guards against arbitrary interference with privacy. The NDPA addresses this risk by entrenching transparency as a core principle. For instance, under section 24(1)(a), data subjects are entitled to be informed of the categories of data collected, the purpose and legal basis for processing, and their rights in relation to such data. For the purpose of income-tracking, transparency is required both as a statutory requirement and as a constitutional safeguard. The issuance of public notices and operational guidance on the part of the tax authorities is therefore essential to ensuring that income-tracking measures remain within constitutionally permissible limits and do not amount to arbitrary intrusion.
International tax enforcement and data protection regimes
The perceived tension between effective tax administration and data protection is not unique to Nigeria. Comparable jurisdictions have confronted similar issues and resolved them through a combination of statutory mandates and privacy safeguards. For instance, under the OECD Common Reporting Standard, participating jurisdictions automatically exchange financial account information to combat offshore tax evasion. However, CRS data collection is bound by strict purpose limitations and confidentiality rules. Nigeria’s proposed approach mirrors this global standard, suggesting that income tracking, ordinarily, is not inconsistent with international norms. In the European Union, tax authorities rely on Article 6(1)(c) and (e) of the General Data Protection Regulation (“GDPR”), which permits processing necessary for legal obligations and public tasks. European courts have consistently held that tax enforcement constitutes a legitimate public interest, provided that data collection remains proportionate. The NDPA’s structure and principles closely resemble the GDPR model, reinforcing the view that Nigeria’s framework is aligned with international best practices.
Conclusion
Comparative practice shows that democratic systems routinely reconcile tax enforcement with privacy through proportionality, transparency and oversight. Nigeria’s framework is conceptually aligned with this model. The concern therefore does not lie in income tracking per se, but in its implementation, where implementation exceeds statutory purpose, lacks transparency, or entails excessive data collection, or whether statutory limitations are adequate and detailed enough to prevent abuse.
On the concern of potential cross-border breach of taxpayers’ data privacy rights arising from the collaboration between Nigeria and DGFiP, we note that the NRS had assured Nigerians in a Public Notice issued on December 23, 2025, that the MoU signed with the French entity is only a standard, globally recognised cooperation framework focused solely on technical assistance and capacity building. In other words, the MoU does not grant France access to Nigerian taxpayers’ data, digital systems, or any element of NRS’ operational infrastructure. In our opinion, implementation of the MoU can only pass the test of legality and constitutionality where strict adherence to all existing Nigerian laws on data protection, cybersecurity, and sovereignty is fully maintained and strictly enforced, as the NRS had promised.
In any case, it is important to consider what the implications of the new income-tracking system will be for businesses, particularly those dealing in digital assets and other activities likely to be brought under the tax authorities’ radar for generating incomes considered to be derived from and taxable in Nigeria. In the first instance, affected persons and entities face potential risks arising from tax liabilities that were not previously applicable. The new tax regime places basic obligations on taxable resident and non-resident persons, including the mandatory requirement to register with the relevant tax authority and obtain a taxpayer identification (Tax ID); provide relevant information as may be prescribed by the NRS where such taxpayers are not under strict obligation to register; file required returns with the relevant tax authorities; and pay applicable taxes promptly. Tax offenses in the new regime and the applicable regulatory enforcement and penalties pose potential reputational risks and financial loss to non-compliant entities. Non-resident businesses with interest in Nigeria should therefore seek immediate and appropriate legal and professional advice on compliance to be on the right side of the law.
Overall, the constitutional validity of the NRS’ new powers depends on how such powers are exercised. Where income-tracking is grounded in clear legislation, confined to tax-relevant data, and subject to oversight by the Nigeria Data Protection Commission (NDPC), it will likely withstand judicial scrutiny. To ensure public trust, tax authorities must move beyond mere collection and prioritize transparency through clear operational guidelines, ensuring that the quest for revenue does not come at the expense of taxpayers’ right to privacy. We look forward to seeing collaboration between the NDPC and tax authorities in developing guidelines to guide the implementation of these information gathering powers.
DISCLAIMER: This article is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal advice on the readers’ specific circumstances when they arise.
