FIRS–France Tax Agreement Sparks Fresh Data Sovereignty Debate
When the Federal Inland Revenue Service (Federal Inland Revenue Service) signed a Memorandum of Understanding with France’s tax authority on December 10, 2025, officials assured Nigerians that national data sovereignty would not be compromised.
However, according to legal expert Oladipupo Ige, that reassurance may be technically accurate yet substantively misleading.
“The statement may be formally correct but might be substantively inaccurate,” Ige said, noting that the MoU itself has not been made public. “Without access to the agreement, any assessment remains subject to further analysis.”
Formal Control vs Functional Data Exposure
Ige’s concerns centre on a critical distinction often overlooked in public discourse: the difference between legal custody of data and functional exposure during technical assistance.
Drawing from experience with international cooperation agreements, he explained that even where foreign partners are not granted operational control over national systems, access to sensitive data can still occur through:
- System demonstrations
- Dataset sampling and testing
- Joint audit simulations
- Advisory roles requiring deep system visibility
France’s tax authority, the Direction Générale des Finances Publiques, is expected to support Nigeria with AI-powered audits, compliance analytics, and system optimisation, activities that typically require extensive interaction with live or near-live datasets.
Why the Data at Stake Is High Risk
According to Ige, the sensitivity of FIRS-held data amplifies the risks.
“From the angle of personal data, data in their custody are at high risk. From the angle of economic data, financial data of companies is high risk,” he said.
He noted that implementing advanced tax technologies would require:
- Understanding system architecture
- Training AI models on Nigerian datasets
- Testing enforcement thresholds on real financial data
- Analysing compliance behaviour across sectors
Even if France’s role remains advisory, Ige warned that “the advisory label alone does not sufficiently safeguard sovereignty.”
Legal Obligations Under Nigeria’s Data Protection Law
Under the Nigeria Data Protection Act 2023, all personal data processing must meet strict requirements, including lawful basis, purpose limitation, data minimisation, and adequate security safeguards.
While the law allows data processing in the public interest, Ige highlighted a major transparency gap.
“We do not know the level of exposure, the actual details about the processing, the risks involved, or the type of security systems in place to protect data subjects,” he said.
He stressed that FIRS should conduct a full Data Protection Impact Assessment (DPIA) before implementing the MoU and formally notify affected taxpayers of how their data may be processed.
Economic Intelligence and Re-Identification Risks
Beyond personal privacy, Ige raised concerns about economic intelligence leakage. Even aggregated or anonymised tax data can pose risks when combined with external datasets.
“Such aggregate data can reveal our strategic economic vulnerabilities, industry-specific compliance gaps, revenue dependencies, and enforcement weaknesses,” he explained.
This, he warned, could expose Nigeria’s fiscal structure and strategic sectors to foreign analysis beyond the intended scope of technical cooperation.
Concerns Over Unequal Data Protection Standards
Ige also pointed to what he described as an asymmetry in global data governance. France enforces strict digital protectionism through policies such as SecNumCloud and strong data localisation rules that limit foreign access to French public-sector data.
“France protects its data as a matter of sovereignty, yet engages in agreements that expose developing partners’ digital governance structures,” he observed.
Potential Gains From the Partnership
Despite the risks, the agreement could deliver tangible benefits for Nigeria. These include access to advanced tax enforcement expertise, exposure to mature AI-driven compliance systems, and stronger credibility with international donors and investors.
FIRS has maintained that Nigerian data protection laws remain fully applicable and that the partnership is strictly advisory.
Role of Regulators and the Way Forward
Ige said the Nigeria Data Protection Commission should play a central oversight role by:
- Reviewing the MoU for legal compliance
- Approving or rejecting proposed data exposure frameworks
- Monitoring implementation and safeguards
“The issue is not whether France will own Nigerian tax data,” Ige concluded, “but whether Nigeria is ceding strategic informational advantage without adequate safeguards, transparency, or long-term capacity gains.”
