- in Nigeria
- with readers working within the Law Firm industries
- within Litigation, Mediation & Arbitration, Technology and Environment topic(s)
1. INTRODUCTION
The age of automated decision-making ("ADM") has arrived in Nigeria. Banks and fintech platforms deploy credit-scoring models to determine lending outcomes, and public institutions increasingly rely on data-driven systems in the exercise of statutory functions. In each context, an algorithm has made or materially influenced a decision that bears directly on the legal rights of a natural person. This paper addresses a pressing and increasingly significant issue: who bears the burden of proof when someone is wronged by an automated judgment and files a complaint in a Nigerian court? The answer is clear within the traditional paradigm, which is based on Sections 131 to 133 of the Evidence Act 2011 (as amended 2023) and supported by consistent Supreme Court precedent. The person making the claim has to provide evidence.1 This rule was created for a legal setting where both parties have roughly equal access to the relevant information. That premise is profoundly disrupted by automated decision-making.
This article presents four interrelated arguments: that ADM creates an evidential asymmetry so severe that the traditional framework is structurally inadequate without judicial modification; that the Nigeria Data Protection Act 2023 (NDPA) has created a nascent but judicially under-exploited reversal of that burden, which courts must now develop purposively; that common law tools already in place, such as res ipsa loquitur and the adverse inference principle under Section 167(d) of the Evidence Act.2
2. THE CLASSICAL BURDEN OF PROOF FRAMEWORK UNDER NIGERIAN LAW
Before examining how ADM disrupts the classical framework, it is necessary to establish precisely what that framework provides and why, in the analogue world for which it was designed, it was both sound and sufficient.
2.1 The Foundational Rule
The starting point is Section 131(1) of the Evidence Act 2011 (As Amended 2023), which provides that whoever desires any court to give judgment as to any legal right or liability dependent on the existence of facts which he asserts must prove that those facts exist. This is the onus probandi. It rests, at the commencement of proceedings, on the party who would fail if no evidence were adduced on either side.
However, this burden is not set in stone and may change during the course of the proceedings. Nnaemeka-Agu JSC (of blessed memory) noted with great accuracy in Adegoke v. Adibi that although the plaintiff bears the overall burden throughout, it is not static.3 As the case develops, it may become the defendant's responsibility to present evidence to support or refute a particular issue; failing to do so might result in a negative conclusion. This dynamic is codified in Section 132 of the Evidence Act 2011 (As Amended 2023). As will be seen, the burden shifts with the evidence, and it is precisely this mobility that ADM disputes stretches to the breaking point. Regarding Igiriogu v. Sharon Properties Ltd.,4 the Supreme Court, per Kekere-Ekun, JSC (as he then was) on the burden of proof, held as follows:
By virtue of sections 131, 132, 133 and 134 of the Evidence Act 2011, as amended, being a civil suit, the burden of proof lay on the appellant to prove his entitlement to the reliefs sought on the balance of probabilities, as he is the party who would fail if no evidence were given on either side. By section 133(1) and thereof, the burden of first proving the existence or non-existence of a particular fact in a civil matter lies on the party against whom the judgment of the court would be given if no evidence were produced on either side, regard being had to any presumption that may arise on the pleadings. Where the party referred to adduces evidence which ought reasonably to satisfy the court that the fact sought to be proved is established, the burden would then shift to the party against whom judgment would be given if no further evidence were adduced. The effect of the provision is that while the claimant has the overall burden of proof, the burden of proof of particular facts may shift from side to side throughout the proceedings.
2.2 Documentary Evidence and the Reliability Principle
Oral testimony has traditionally been subordinated to recorded evidence under Nigerian law. The Supreme Court upheld the idea that a document speaks for itself in Egharevba v. Osaige.5 It is neither ephemeral nor prone to distortion, making it more trustworthy than any spoken recount of its contents. Also see The State v. Felicia Akinbisade.6
Its significance for ADM disputes is acute and double-edged. The output of an automated system, such as a credit denial, a fraud alert, or a tax assessment, is in the form of a document. But a document that records only a conclusion whilst entirely concealing the reasoning process that produced it cannot, in any meaningful forensic sense, be said to speak for itself. It speaks a result. It does not speak a reason. And it is the reason, namely the logic of the algorithm, that is in dispute. The reliability principle, applied uncritically to ADM outputs, risks laundering opacity as evidence.
Furthermore, while providing created documents, the world of evidence has always needed an additional proof buffer. The party presenting electronically created evidence is required under Section 84 of the Evidence Act 2011 (As Amended 2023) to attest to the generating process, the computer's functionality, the regularity of creation, and the correctness of the output data. This emphasises that document production from an ADM process cannot be demonstrated only by its existence, even when it is not an ADM output. What constitutes sufficient evidence of the inventiveness of such a paper is called into question by the prospect of manipulating an algorithmic hallucination.
2.3 Expert Evidence
Section 68 of the Evidence Act 2011 (As Amended 2023) allows the opinion of a certified expert to be included as evidence where a fact in question necessitates specialist expertise. The law's method for converting technical intricacy into forensic comprehensibility is this clause. It is necessary for courts to fairly evaluate specialist or scientific subjects, which is why they exist. An expert who can explain algorithmic reasoning to a court is needed in ADM disputes. This expert, sometimes known as an algorithmic auditor, is a type of witness rarely encountered in Nigerian forensic practice today. In the absence of such an expert, a court that is asked to determine whether an automated judgment is legitimate is being asked to analyse evidence for which it lacks the necessary tools. This absence is not a minor annoyance. Purposive judicial development must immediately address this structural situation, which makes the traditional burden of proof impractical in the setting of ADM.
3. HOW AUTOMATED DECISION-MAKING DISRUPTS THE CLASSICAL FRAMEWORK
The traditional structure discussed in Section 2 was intended for a situation where the parties involved in a dispute had nearly equal access to the relevant facts. Since the claiming party may theoretically get the evidence required to discharge it, the burden of proof was put on them. ADM completely undermines that presumption. One party, the algorithm's deployer, has exclusive control over all the information that would decide if the decision was legal in any ADM dispute. None of them is held by the claimant. The burden-of-proof paradigm is insufficient in the ADM setting because of this structural imbalance, rather than just the novelty of the technology.
3.1 The Opacity Problem
Opacity is the most obvious aspect of the imbalance. Through layers of statistical calculation, a machine-learning model generates outputs from inputs whose basic logic is not visible to the outside world and, frequently, is not even understandable by its creators after training. The deploying institution's proprietary code and parameter matrices include variable weighting, interaction effects between data sets, and handling edge cases. The people affected by the decisions they make are not informed of them. Imagine a bank customer whose loan application was rejected by a mobile banking app in under 30 seconds. She is unaware of the data that was entered into the model. She is unaware of the weight given to her profile. She is unaware whether the training data was representative of people in her situation or whether the output was reviewed by a human before use. However, in the traditional paradigm, it is her responsibility to demonstrate why the choice was incorrect. She must refute a conclusion whose grounds are completely concealed from her. The same would hold true for a worker who is let go due to an automatic evaluation. Although their job production and time logs may have been recorded as statistics, a number of other factors, such as high-performance standards, soft skills, workplace culture, and effect on colleagues, are not taken into account. Therefore, knowing that data is input is not enough; you also need to know what kind of data it is and how it interacts with other factors to contribute to the conclusion.
In the Nigerian context, this is not a theoretical issue. Only four (4) of the twenty-two (22) Nigerian commercial banks examined in an empirical study conducted in 2021 revealed the use of ADM in their privacy notifications; the other institutions either denied its usage or made no disclosure at all. In many instances, the opacity is intentional. A burden-of-proof framework is not a neutral procedural norm if it does not take intentional concealment into consideration. In actuality, it is a guideline that safeguards the concealer.
3.2 The Asymmetry of Knowledge and Its Legal Consequence
A basic information mismatch between the parties to an ADM dispute is the underlying issue that opacity presents. The model is known to the deploying institution. The training data is known to it. It is aware of the mistake rate. In other instances, it is aware of whether the system has generated discriminating or unusual results. It is aware of whether the output was examined by a person or just rubber-stamped. None of these items is known to the claimant. Only the result is known to her.
This asymmetry is not accidental. It is structural. ADM systems are typically procured from third-party vendors under licence agreements containing broad intellectual property protections.7 Deploying institutions frequently use these safeguards to prevent any disclosure of algorithmic technique, training data, or model architecture in the absence of a court order. Before the claimant ever enters the courts, she will typically run into this wall of contractual secrecy while trying to grasp the reasoning behind an unfavourable automatic judgment. The practical result is that by the time she has access to the legal system, the claimant is already unable to pinpoint the exact basis of her challenge, plead with the level of specificity required by Nigerian courts, and satisfy a burden of proof over facts that were purposefully kept out of her reach prior to the start of the litigation. As a result, the claimant faces not only one institutional defendant but also a legal and economic framework created especially to shield the algorithm from examination. This disparity has clear and significant legal repercussions. The asserting party bears the risk of evidentiary ambiguity under the traditional burden of evidence. That distribution is justifiable in regular litigation, as evidence ambiguity typically results from causes that impact both parties, such as the passage of time, witnesses' unavailability, or the loss of records. Evidentiary uncertainty is not neutral in ADM conflicts. The person who also gains from it manufactures and maintains it. In that situation, applying the traditional burden would be rewarding the creation of doubt.
3.3 The Absence of a Competent Decision-Maker to Examine
Accountability is the third aspect of the disruption. An unfavourable human decision may be the subject of forensic analysis in traditional litigation. It is possible to cross-examine the decision-maker. His recordings and notes are available. The court has the authority to examine, question, and assess his thinking process. This is how the adversarial system evaluates the legality of rulings that impact legal rights. ADM completely eliminates that mechanism. Cross-examination of the model is not possible. There are no notes on it. It is unable to express its logic in the same way that a person can. Additionally, the organisation that implemented it would usually argue in court that the model's results speak for themselves and that the organisation is not liable for a decision made by a system that operated as intended. A procedure that is by definition forensically unexaminable under the traditional standards of evidence has taken the place of the human decision-maker. Therefore, there must be a thorough development of jurisprudence to determine who will be held accountable or, more accurately, who should be properly joined as a defendant in the event that the claimant attempts to contest an ADM outcome. This raises the question of whether a machine model may be legally held accountable for its output or its creator.
At this juncture, the weight of ADM conflicts causes more than just strain on the classical framework. It shatters. There are insufficient tools to submit algorithmic thinking to the same adversarial examination as human reasoning in a proof system. Every claimant who disputes an automated judgment faces an insurmountable barrier unless those technologies are developed or put into effect. This paper now turns to the new legislative and common law solutions to that challenge.
4. THE NDPA 2023: A NASCENT REVERSAL OF BURDEN
Two things have been established in the previous sections. First, because the deployer has exclusive control over all information pertinent to the decision's legality, the traditional burden-of-proof paradigm is inherently insufficient in ADM conflicts. Second, this section contends that the Nigeria Data Protection Act 2023 has started, subtly but significantly, to change this status. This insufficiency is not unintentional, but is maintained on purpose through opacity and contractual secrecy. The change is still in its early stages. It is underutilised by the judiciary. However, it exists, and Nigerian courts have a duty to develop it in a purposeful manner.
4.1 Section 37 and the Right to Contest
The Nigeria Data Protection Act 2023 ("the Act" or "NDPA")8 It is the most consequential legislative development in Nigerian data protection law and is the statutory centrepiece of this article's argument. The Act restricts the exclusive use of automated processing for decisions that will have legal or similarly significant effects on a data subject.9 Such processing is permitted only where one of three conditions is satisfied: the data subject's consent has been obtained; the processing is necessary for the performance of a contract involving the data subject; or the processing is expressly authorised by law.
Where processing falls within this framework, the data controller must implement appropriate safeguards. Those safeguards include, and this is the provision of immediate forensic significance, the right of the data subject to obtain human intervention, to express a point of view, and to contest the decision.10
The forensic significance of this provision goes further. Section 26 of the NDPA places the burden of establishing that consent was freely given, specific, informed, and unambiguous squarely upon the data controller.11 This is a legislatively enacted reversal of the classical common-law position as applied to consent-based ADM. It is not merely a shifting burden that arises upon proof of a prima facie case. It is a statutory allocation of the burden of proving the lawfulness of the processing to the institution that processed the data. The legislature has, in express terms, decided that, in matters of consent, the controller proves or fails.
4.2 The GAID 2025 and the Documentation Imperative
With effect from September 2025, the General Application and Implementation Directive (GAID) was issued by the Nigeria Data Protection Commission in March 2025 as part of its regulatory duties under the NDPA. When establishing ADM systems in high-risk environments, data controllers are subject to certain requirements under GAID.12 These responsibilities include carrying out required Data Protection Impact Assessments (DPIAs) prior to deployment, keeping thorough records of training data and model architecture, and putting in place systems that allow data subjects to contest automated judgements.
The forensic significance of these requirements is considerable and directly relates to the burden-of-proof argument. There is a presumption under the Evidence Act that evidence which could be and is not produced would, if produced, be unfavourable to the person who withholds it.13 Where a data controller is required by law to have generated and preserved DPIA documentation before the decision being challenged in litigation was made, and it fails to produce that documentation in proceedings, it is arguable that the adverse inference principle is engaged. A court may, on that basis, presume that the withheld documentation would, if produced, have been unfavourable to the controller.14 It can further be argued that a controller that was legally obliged to create and preserve such records should not be permitted to benefit from their absence in proceedings where the lawfulness of its conduct is directly in issue.
As a result, the GAID documentation requirements serve as preventative evidence requirements. It is argued that the regulator has effectively transferred the evidentiary burden of showing model legitimacy to the controller before any controversy occurs by requiring documentation as a condition of authorised deployment. There is no objective justification for a controller to deploy without a DPIA or to perform one but conceal it in court. That conclusion would be reasonable for a court.
4.3 The Purposive Interpretation Imperative
The statutory and regulatory framework described above is powerful, but it will remain inert unless Nigerian courts are willing to apply the NDPA purposively rather than literally. The obligation to interpret the NDPA purposively is not novel. In Nafiu Rabiu v. The State,15 Udo Udoma, JSC (of blessed memory) observed that, "I do not conceive it to be the duty of this Court to construe any of the provisions of the Constitution as to defeat the obvious ends the Constitution was designed to serve." Although that statement was made in the context of constitutional interpretation, the purposive approach it embodies has since been consistently applied by Nigerian courts in interpreting statutes generally. It is submitted that the same principle should govern the construction of the NDPA. A court that interprets Section 37 in a manner that formally grants data subjects the right to contest automated decisions whilst denying them the evidential tools to do so would be doing precisely what Udo Udoma JSC cautioned against, which is construing a provision to defeat the obvious ends it was designed to serve.
According to its preamble, the NDPA's goals are to preserve natural people's basic right to privacy and to control how personal data is processed in a way that safeguards data subjects. A system that technically grants data subjects the ability to challenge automated choices but does not offer the evidence required to make that right enforceable fulfils the letter of the law while totally undermining its intent. If the claimant lacks access to the information required to launch the dispute, their right to contest is useless.
Courts should thus be prepared to interpret Section 37 as suggesting a reversal of the evidentiary burden. It is argued that the evidentiary burden should shift to the data controller to prove the system's legality, accuracy, and nondiscriminatory nature, as well as the decision it generated in the event that a claimant proves an unfavourable automated outcome and the controller failed to provide sufficient disclosure. Judicial legislation is not what this is. It is a purposeful interpretation of an Act whose explicit provisions already clearly indicate in that way.
4.4 The Statutory Obligations of Data Controllers Deploying ADM: A Consolidated Framework and the Impact of Consent
The purposive interpretation of the NDPA, the documentation requirement under the GAID, and the reversal of burden under Section 37 have all been covered in the previous subsections. It is vital to accurately and thoroughly list every statutory and regulatory requirement placed on a data controller who implements an ADM system in Nigeria before those arguments can be properly understood. That catalogue is not only scholarly. Every duty is a potential burden of proof. In litigation, the adverse inference principle is prepared to fill any void left by the controller's failure to fulfil obligations.
4.4.1 The Obligations Under the NDPA 2023
The NDPA imposes a framework of obligations across four dimensions. First, transparency. The NDPA requires a data controller, before collecting personal data directly from a data subject, to inform that data subject of the existence of automated decision-making, including profiling, its significance, the envisaged consequences of such processing for the data subject, and the data subject's right to object to and challenge such processing.16 This obligation is not discharged by burying a reference to ADM in a lengthy privacy policy. Schedule 1, paragraph 1(iii) of the GAID amplifies this, providing that transparency entails due disclosure of all material facts that may help a data subject and the Commission to make informed decisions. A data controller that discloses the existence of ADM without disclosing its logic, its error rate, or its known limitations, is presumed not to have discharged the transparency obligation.
The lawful basis is second. Every data controller is required to develop and rely on a lawful basis for processing in accordance with Section 25 of the NDPA. Only automated processing that has legal or comparable substantial implications is permitted under Section 37 of the Act; permission, contractual need, or specific legal approval are the only justifications. The controller is required to do more than just establish a lawful basis in general. Before beginning processing, the controller must carefully consider, choose, and record the proper lawful basis, according to Article 16 of the GAID. According to GAID Article 48(2), adhering to registration and DPIA filing criteria shows a dedication to responsibility and exhibits prima facie good faith. The opposite inevitably follows: the lack of such cooperation is, at the very least, proof of a lack of good faith.
Third, consent. Where consent is the lawful basis relied upon for ADM, the obligations intensify. The NDPA places the burden of proving that consent was freely given, specific, informed, and unambiguous squarely upon the data controller.17 Article 18(1)(f) of the GAID explicitly provides that consent is required before the data controller makes a decision based solely on automated processing which produces legal effects concerning or significantly affecting the data subject. Article 17(6) of the GAID further requires the controller to keep a proper record to ensure accountability with respect to consent. Where the controller cannot produce that record, it cannot, by force of Section 26 of the NDPA, establish the lawfulness of the processing.
Impact assessment and documentation come in fourth. Article 28(3)(b) of the GAID and Section 28 of the NDPA require a DPIA if automated decision-making with legal or comparable consequences is used. A DPIA must be carried out and submitted to the Commission prior to the start of data processing, in accordance with Article 28(9). The GAID's Article 43(4)(a), which especially addresses developing technologies like artificial intelligence, also mandates that the controller conduct a DPIA while accounting for the Data Subjects Vulnerability Indexes in Schedule 6 and an evaluation of differential data processing results. The technical and organisational aspects of the Emerging Technologies (ET) deployment must be recorded and submitted to the Commission as part of the yearly Compliance Audit Return, in accordance with Article 43(3).
4.4.2 The Impact of Consent on the Burden of Proof
The question of what happens to the burden of proof when a data controller has given the notice required by Section 27(1)(g) of the NDPA and the data subject has consented to ADM processing deserves careful and honest examination, because the partner's reservation goes to the heart of it. The article does not need to give an affirmative answer. It needs to reason through the question with forensic rigour.
It makes sense to have three observations. Descriptive is the first. By consenting to ADM under Article 18(1)(f) of the GAID after receiving the notice required by Section 27(1)(g), a data subject has acknowledged the existence of the ADM system and partially waived the element of surprise that is a component of the opacity argument. It would be illogical to say that the claimant had no knowledge of ADM while simultaneously relying on a consent that requires such knowledge. When properly obtained, consent reduces the evidence asymmetry but does not completely eliminate it.
The second observation is more significant. According to the NDPA, the existence of valid permission does not preclude the data subject from challenging the decision. Even where permission is the lawful basis, Section 37 protects the right to seek human intervention, voice a viewpoint, and challenge the judgment. According to GAID Article 17(7)(b), the controller must make withdrawing consent as simple as providing consent. Together, these clauses show that the legislature did not intend for consent to serve as a total barrier to responsibility. In accordance with Section 26 of the NDPA, a controller who uses consent as its lawful basis is nevertheless required to demonstrate the validity of the consent. The controller's allegation that consent was provided does not transfer the burden of proving the lawful basis to the claimant.
The third and most significant observation is this. Consent given to an opaque process is not, in any meaningful sense, informed consent. Article 42(2)(b) of the GAID specifies that demonstrable transparency requires the disclosure of all information upon which a data subject may make an informed decision, including the capabilities of the technology used for processing, particularly the use of algorithms for profiling, the risks involved, and the mitigation of risks. A data subject who was told that an ADM system would be used but was not told how it works, what data it uses, or what its known error rate is, has not been given the information required to make the informed decision that valid consent presupposes.
Therefore, it is argued that a court would be justified in ruling that the purported consent is not informed consent under Section 26 of the NDPA when a data controller uses consent as the lawful basis for ADM and the notice provided under Section 27(1)(g) did not include the complete disclosure of algorithmic methodology required by Article 42(2)(b)(ii) of the GAID. It cannot be relied upon by the controller to fulfil its obligation to establish legitimate processing. In certain situations, the consent does not return the burden to the claimant. It just shows that the controller's own duty to be transparent was not met.
5. EXISTING COMMON LAW TOOLS FOR MITIGATING EVIDENTIAL ASYMMETRY
As was shown in the previous sections, the NDPA 2023 has started to address the structural shortcomings of the traditional burden-of-proof system in ADM disputes by reversing the duty through a new statute. The third point presented in the introduction, that courts do not have to wait for more legislative action, is furthered in this section. The common law and court procedures already provide the means to lessen evidentiary imbalance. The willingness of the judiciary to use them is necessary.
5.1 Res Ipsa Loquitur
Res ipsa loquitur, which means "the thing speaks for itself," allows one to infer carelessness from the sheer fact of an unfavourable event without the claimant having to prove the precise mechanism by which the negligence occurred. This theory has been consistently implemented by Nigerian courts. The Supreme Court upheld the doctrine's applicability in Nigerian law in Ngilari v. Mothercat Limited.18
The incident must be of a type that would not normally occur in the absence of negligence; the defendant must have had exclusive management and control over the object that caused the harm; and the defendant must not have offered an explanation consistent with the absence of negligence in order for it to be applied.
In Moses G. Jwan v. Ecobank Nigeria Plc & United Bank for Africa Plc,19 the Court of Appeal examined a case in which a bank customer's account was debited by an ATM without cash being dispensed to him. A Nigerian court has already applied the doctrine in a dispute that resulted directly from the failure of an automated banking system. Because he was unable to provide an explanation for how the debit could have happened without the banks' negligence, the banks had sole authority over the ATM and its records, the appellant entered a res ipsa loquitur plea. The Court of Appeal maintained the plea, ruling that the burden of proof shifted to the banks to explain how the failure could have happened without their fault after the appellant established a prima facie inference of wrongdoing by demonstrating the unfavourable automated conclusion. The documents the banks provided merely verified that the transaction was marked as successful; they did not explain the procedure that led to that result. According to the Court, this was not enough to satisfy the shifted burden. Crucially, the bank's own witness acknowledged that ATM dispensing failure without cash payout was a known and common event in the system's operation. The appellant was successful and received compensation.
That ruling leads to three claims that are directly related to ADM conflicts. First, if a claimant is unable to demonstrate how an unfavourable result from an automated system could have happened in the absence of carelessness on the part of the organization in charge of the system, they may assert res ipsa loquitur. Second, the shifting evidentiary burden cannot be satisfied by presenting records that just validate the system's output without providing an explanation of the process that generated it. Third, the claimant's case is strengthened rather than weakened when the institution's own witness acknowledges that the complained-of sort of failure is a known occurrence in the system's operation.
It is submitted that each of the three conditions for the doctrine's application is satisfied with unusual clarity in the broader ADM context. An algorithmic outcome that is discriminatory, statistically anomalous, or inconsistent with the applicable legal standard is not the kind of result produced by a properly designed and operated system. The ADM system is entirely within the exclusive management and control of the deploying institution. And where the institution refuses to disclose the model's logic, it has, in any meaningful sense, not explained at all.
Hence, the doctrine ought to be applied to ADM disputes in the following manner:
- Upon proof by a claimant that an ADM system was used to make or materially influence a decision, that the outcome was adverse to the claimant's legal rights; and
- that the institution has declined to disclose the reasoning of the system.
A court would be justified in holding that a rebuttable presumption of unlawfulness arises. That presumption would place the evidential burden on the defendant to demonstrate that the system was designed, trained, and applied in a lawful and non-discriminatory manner. This is not judicial creativity. It is the existing doctrine, applied honestly to new facts. The decision in Jwan's case confirms that Nigerian courts are already on this path. What remains is for the courts to take the next logical step and extend the same reasoning to the full range of ADM disputes that the NDPA 2023 now brings within the scope of regulated activity.
5.2 The Adverse Inference and Pre-Trial Discovery
The adverse inference principle under Section 167(d) of the Evidence Act, engaged above in relation to DPIA documentation, applies with equal force as a standalone common law tool wherever a party withholds evidence it was obliged to produce. A controller that possesses model documentation, audit trails, training data specifications, or algorithmic impact assessments, and declines to produce them in proceedings, places itself in precisely the position that Section 167(d) contemplates. A court would be justified in presuming that what was withheld would, if produced, have been unfavourable to the controller.
That principle, however, operates most powerfully when it is engaged after a claimant has first exhausted the procedural tools the rules of court make available to her before trial. It is at this point that an observation made by practitioners in this area deserves careful attention: the evidential asymmetry identified in Section 3 is not, in procedural terms, absolute. The rules of court already provide mechanisms through which a claimant can compel production of evidence that is exclusively within the opposing party's possession, even before the hearing of the substantive claim.
5.2.1 Discovery and Interrogatories Under the Lagos High Court Civil Procedure Rules 2019
The High Court of Lagos State (Civil Procedure) Rules, 2019, provides for the discovery and inspection of documents. A party may serve a notice requiring the opposing party to disclose all documents in its possession, custody, or control that relate to any matter in question in the proceedings.20 In an ADM dispute, this provision is directly applicable. A claimant may serve a discovery notice requiring the data controller to produce the DPIA, the model architecture documentation, the training data specifications, the system's output logs, and any audit trails generated before and after the decision in issue was made. These are documents that the NDPA and GAID require the controller to generate and maintain. They are, in the language of Order 29, documents relating to the matter in question. There is no principled basis on which a controller could resist their disclosure on grounds of relevance.
Order 29 Rule 1 of the same Rules provides for interrogatories. A party may serve written questions on the opposing party, who is required to answer them on oath. This is a particularly powerful tool in ADM disputes because it allows the claimant to put specific factual questions directly to the controller before trial. Questions such as: Was an automated decision-making system used to produce the decision in issue? What data was used as inputs to that system? Was a Data Protection Impact Assessment conducted before the system was deployed? Was a human being involved in the review of the system's output before it was communicated to the claimant? The controller's answers on oath become evidence in the proceedings. Its refusal to answer, or an evasive answer, is itself a fact from which the court may draw an adverse inference under Section 167(d) of the Evidence Act.
Orders 29 Rule 1 and 29 Rule 6 together constitute a procedural method that, when implemented correctly, can pierce the algorithmic opacity that Section 3 indicated as the cause of the claimant's evidentiary difficulties. When a claimant is granted pre-trial disclosure of model architectural specifications, DPIA documents, and interrogatory replies under oath, she has access to evidence that she would not have otherwise been able to gather. In the context of ADM, pre-trial discovery and interrogations are more than just formalities. They serve as a means of correcting the evidence imbalance before the claim is completely refuted.
5.2.2 The Limitations of the Procedural Mechanism
It would, however, be intellectually incomplete to present the procedural tools as a sufficient answer to the problem this article identifies. Three limitations constrain their practical utility in ADM disputes and explain why the recalibration of the burden of proof that this article advocates remains necessary even when procedural tools are available.
Financial accessibility is the first barrier. The Lagos High Court charges fees for both discovery and questioning. A claimant sometimes lacks the funds to bring pre-trial motions against a well-resourced institutional defendant after being turned down for a loan, insurance, or mistakenly detected by a government AI system. There are procedural tools available. Not every claimant has equal access to them. The specificity issue is the second restriction. A claimant must be able to explain the documents she wants with adequate specificity in order to submit an appropriate discovery application under Order 29. However, because ADM systems are opaque, the claimant is by definition unaware of the documentation created in relation to the judgment that impacted her. Because she is unsure whether a DPIA has been performed, she is unable to request one. For model architectural documentation that she has never been informed exists, she is unable to structure a discovery notification. The same opacity that the procedural method is intended to solve expressly denies her the level of prior information that it requires.
The enforcement gap is the third restriction. An application for contempt is the claimant's recourse when a controller violates a discovery order by withholding documentation. These applications increase uncertainty, expense, and delay. Additionally, the court must take the purposive step this article has argued for throughout in order to turn an unfavourable inference drawn from the controller's non-compliance into a substantive ruling in the claimant's favour.
Therefore, the recalibration of burden and the procedural instruments are not substitutes. They work well together. The greatest chance for the claimant to gather the evidence required to transfer or discharge the burden is provided via the discovery method. By recalibrating the burden through purposive interpretation of Section 37 NDPA, the claimant is guaranteed a remedy in cases where the procedural process fails due to expense, opacity, or opposition. Both are essential. Neither is adequate on its own.
6. LESSONS FROM THE EU, AUSTRALIA, AND THE 2023 NIGERIAN ELECTIONS
6.1 The SCHUFA Decision and the EU Framework
The European Union has maintained the most advanced regulatory framework for ADM rights worldwide since the General Data Protection Regulation was adopted in 2016. Every data subject is guaranteed by Article 22 GDPR the right to human involvement, the ability to voice their opinions, and the ability to challenge decisions that are purely automated and have legal or comparable substantial consequences. The Court of Justice of the European Union first interpreted Article 22 GDPR in a dispute concerning credit scoring by a German credit agency, SCHUFA, in Case C-634/21, OQ v. Land Hessen, which was resolved on December 7, 2023.21 OQ had been denied a loan by a bank based on a credit score generated by SCHUFA through an automated process. SCHUFA refused to disclose the specific data used in calculating the score, citing trade secrets. The Court held that the automated generation of a credit probability score by a credit agency constitutes a decision under Article 22 GDPR, in which a third party draws heavily on that score, and an insufficient score, in almost all cases, leads to the refusal of credit. The obligation to comply with Article 22 GDPR therefore fell on the credit agency, not merely on the bank that ultimately refused the loan.
The significance of the SCHUFA decision for Nigerian law is twofold. First, it establishes the proposition, now authoritatively decided at the highest judicial level in a major comparable jurisdiction, that the threshold for triggering the right to challenge an automated decision should not be restricted to cases where the final decision is made by the algorithm alone. Where an algorithmic output plays a determinative role in the outcome, it is submitted that Section 37 of the NDPA ought to be interpreted to apply with equal force, regardless of whether a human being formally signed off on the final decision. Second, and equally important, the SCHUFA facts are strikingly familiar in the Nigerian context. A claimant denied access to financial services based on an automated score, confronting an institution that invokes proprietary confidentiality to resist disclosure of its methodology, is not hypothetical in Nigeria. It is a daily reality for thousands of bank customers and fintech platform users. Nigerian courts, though not bound by CJEU authority, regularly draw on analogous foreign jurisprudence to develop the common law and to interpret broadly analogous statutory provisions. The SCHUFA reasoning provides persuasive authority that ought to inform the purposive interpretation of the NDPA that this article has argued for throughout.
6.2 The Robodebt Catastrophe
The Australian Robodebt debacle is the most potent warning example in the comparative literature. The Australian government's Department of Human Services implemented an automated system between 2016 and 2019 that generated debt notes for repayment by comparing welfare claimants' income with tax data. The approach was essentially flawed. It calculated entitlements every two weeks using an annualised average income approach mandated by the government social security framework. The rate of errors was disastrous.22 Commissioner Catherine Holmes led the Royal Commission investigating the Robodebt system, which concluded on July 7, 2023, that the system was illegal from the start. The description of Robodebt is worthy of direct quotation: "a crude and cruel mechanism, neither fair nor legal." Over A$720 million in reimbursements for unlawfully collected debts was paid to about 381,000 affected persons. The human cost was immeasurable. The Commission recorded instances of people who received automated debt demands they were unable to refute, experiencing significant psychological suffering, financial ruin, and suicide deaths.
The burden dimension of Robodebt is what makes it directly relevant to this article. The burden of disproving each alleged debt was placed on the individual welfare recipient, typically a person of limited education and no legal representation, who was required to produce payslips and bank statements from years past to rebut a debt calculated by a government algorithm they had never seen and could not access. As one legal commentator accurately observed, the system effectively shifted the onus of proving whether the debt existed from the government onto the social security recipient. The government, which designed the algorithm, controlled the methodology, and held all the relevant records, bore none of the burden. The individual, who had access to none of these things, bore all of it.
The lesson is clear. Procedural neutrality is not achieved when the victim of an automated judgment bears the responsibility of contesting it and the deploying institution maintains sole control over the logic of the system. Impunity is assured. Robodebt does not exist in Nigeria. Not quite yet. However, Nigeria still has the structural factors that led to Robodebt, such as the institutional use of ADM against individuals, a traditional burden of proof that is applied without modification, and a regulatory framework that has not adjusted to the evidential asymmetry of algorithmic disputes.
6.3 The 2023 Presidential Election Petition
The lawsuit surrounding the 2023 presidential election sheds more light on the burden issue than any domestic case study. The Bimodal Voter Accreditation System and the IReV site, which INEC presented to the public as assurances of election integrity, were implemented as the technical cornerstones of the electoral process.
Where petitioners alleged manipulation of digital records in the proceedings before the Presidential Election Petition Court, they faced the unenviable task of proving a fact, namely the alteration of BVAS accreditation logs or IReV transmission data, that was entirely within the technical custody of INEC, the respondent. The burden of demonstrating election malpractice is entirely on the petitioner under the Supreme Court's established norm, which was upheld in Buhari v. INEC.23 If that criterion is applied unaltered to a digitally mediated election process, the petitioner must show that documents held only by the alleged manipulating institution were altered. The servers were within INEC's authority. The communication logs were within INEC's supervision. The BVAS accreditation data audit trails were within INEC's authority. None of these was available to the petitioner.
The forensic illogic of this position is, it is respectfully submitted, self-evident. It is a structural incarnation of the very asymmetry this article has argued against from its opening paragraph. A burden of proof rule that requires the victim of alleged digital manipulation to prove the manipulation using records exclusively held by the alleged manipulator is not a rule designed to find the truth. It is a rule designed to protect the record-holder.
The election petition context is not peripheral to this article's argument. It is a microcosm of it, visible at the highest constitutional level, before the most senior judicial forum in Nigeria, in a dispute of the greatest possible public significance. If the structural burden-of-proof failure identified in this article can manifest at that level, in that context, with those stakes, it can manifest anywhere. The proposals that follow are addressed to precisely that reality.
7. CONCLUSION
This article makes four concrete proposals. Firstly, Nigerian courts should adopt a purposive interpretation of Section 37 NDPA, which reads the provision as establishing, by necessary implication, a reverse evidential burden: the burden of proof shifts to the data controller to show that the system operates lawfully, accurately, and without discrimination upon proof of an adverse automated outcome and the lack of sufficient explanation. Secondly, rather than waiting for legislative action, courts should use the res ipsa loquitur doctrine and the adverse inference principle under Section 167(d) of the Evidence Act as quick, accessible instruments to remedy evidence imbalance in ADM conflicts. Thirdly, the NDPA does not specifically assign the legal or evidentiary burden of demonstrating the overall legality of ADM to the controller, even though it begins to address evidential asymmetry by giving data subjects the ability to challenge automated decisions and placing the burden of proving valid consent on the controller. The National Assembly should specifically state in the NDPA that this responsibility falls on the data controller in all civil cases where ADM has substantially affected the decision, to eliminate uncertainty and ensure enforcement.
Finally, the evidential burden of proving the integrity of electronically generated evidence under Section 84 of the Evidence Act rests with the presenter of the document. The same reasoning should apply to automated decisions. ADMs could be viewed as quasi-judicial bodies; hence, any challenge to their decisions can be treated as judicial review or an appeal. The evidential burden should be on the defendant to prove that the ADM has met the conditions for the veracity and integrity of the model, the data entry point, and the output.
This paper examines the suitability of the traditional evidence framework for disagreements arising from automated decision-making in Nigeria. Starting with the fundamental standards established by the Evidence Act 2011 (As Amended 2023) and the Supreme Court's consistent jurisprudence, it demonstrated that the classical framework was created for a world in which both parties to a dispute had almost equal access to the facts in question. Then, it showed how ADM challenges that premise in three ways: by eliminating the human decision-maker whose reasoning the adversarial system was meant to scrutinise; by the opacity of algorithmic systems that conceal their reasoning from those they impact; and by the asymmetry of knowledge that denies the claimant the opportunity to make her case.
The rising reactions to such structural breakdown were then covered in the paper. It claimed that a purposive interpretation of the Nigeria Data Protection Act 2023 has resulted in a fledgling inversion of the evidentiary burden in ADM disputes, placing the onus on the data controller who implemented it to prove the system's legitimacy. It also showed that the adverse inference principle under Section 167(d) of the Evidence Act and the common law doctrine of res ipsa loquitur are already tools available to Nigerian courts, validated in the domestic context by the Court of Appeal's ruling in Jwan v. Ecobank,24 and capable of immediate application without legislative intervention. The Court of Justice of the European Union's SCHUFA ruling, the Australian Robodebt tragedy, and the 2023 Presidential Election Petition served as comparative examples that supported the same fundamental idea from various perspectives and institutional settings: that the burden of proof in ADM disputes, when assigned to the individual claimant without modification, does not result in justice. It results in impunity.
The burden of proof is not a point of contention. It is the structural manifestation of a society's assessment of who should assume the risk of ambiguity in legal disputes. Because both parties had about equal access to the relevant information, it was acceptable to assign that risk to the party claiming a wrong when the classical rules were being developed. That allocation is no longer sensible in the era of computerised decision-making.
The controller who uses an algorithm has sole authority over the information that would establish the legality of the choice. The rights established by the NDPA would be reduced to procedural ornamentation if the person had to demonstrate the illegality of a procedure carried out in opacity, by a system she was unable to scrutinise, utilising data she might not be aware was acquired. We identified that the doctrine of res ipsa loquitur has been applied in the automated banking context; Section 37 of the NDPA has not yet been purposively deployed to shift the evidential burden in litigation; and no Practice Direction yet exists to govern the disclosure of algorithmic documentation before trial. It is therefore submitted, with respect, that the time for judicial and legislative action on these questions is not when the first catastrophic ADM failure occurs at scale in Nigeria. It is now, before that failure happens, while the regulatory architecture is still being built and while Nigerian courts retain the opportunity to shape the development of the law rather than merely react to its consequences.
Footnotes
1. Evidence Act 2011, ss 131, 132, 133.
2. Evidence Act 2011, s 167(d). See also s 167(e))
3. (1992) 5 NWLR (Pt. 242) 410.
4. (2025) 5 NWLR (Pt. 1984) 615 at 639D-G.
5. (2009) 18 NWLR (Pt. 1173) 299 (SC).
6. (2006) 17 NWLR (Pt. 1007) 184.
7. See generally the licensing frameworks governing algorithmic systems deployed by financial institutions in Nigeria, discussed in the context of the NDPA 2023 compliance obligations.
8. Nigeria's primary legislation for the protection of personal information.
9. Nigeria Data Protection Act 2023, S. 37.
10. Nigeria Data Protection Act 2023, S. 37.
11. Nigeria Data Protection Act 2023, S. 26.
12. General Application and Implementation Directive (GAID) 2025, Articles 43 and 44
13. Evidence Act 2011, (As Amended 2023), S. 167(d).
14. Oguonzee v. State (1998) 4 SC 110 at 131-132; and NAF v. James (2002) 12 SC (Pt. I) 1 at 11.
15. (1981) 2 NCLR 293 at page 326
16. Nigeria Data Protection Act 2023, S. 27(1)(g).
17. Nigeria Data Protection Act 2023, S. 26.
18. Ngilari v. Mothercat Limited (1999) 13 NWLR (Pt. 636) 626
19. Moses G. Jwan v. Ecobank Nigeria Plc and United Bank for Africa Plc (2020) LPELR-55243(CA); (2021) 10 NWLR (Pt. 1785) 449
20. Order 29 Rule 6(1)-(5).
21. Case C-634/21, OQ v. Land Hessen, Judgment of the Court (First Chamber) of 7 December 2023, ECLI:EU:C:2023:957
22. Report of the Royal Commission into the Robodebt Scheme (Commissioner Catherine Holmes AC SC, 7 July 2023)
23. Buhari v. INEC (2008) 19 NWLR (Pt. 1120) 246 (SC)
24. [2021] 10 NWLR (Pt. 1785) 449
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
