Subscribe to our Newsletter to receive the latest updates on our content. By tapping the “Subscribe” button you will be redirected to subscription page. Subscription is free.
Cross-border transfer of personal data simply means the sharing of personal data from one national jurisdiction to another. The expansion of the internet in the 21st century means that a number of international organisations can share all sorts of information including personal data seamlessly across various countries. The protection of personal data that will be transferred and processed in another country is often a key issue. This article offers useful insights into key considerations for the cross-border transfer of personal data under Nigerian privacy laws.
Cross Border Transfers in Nigeria
Under the Nigeria Data Protection Regulation 2019 (NDPR), there were two permissible means of cross-border transfers of personal data (i) an adequacy decision by the National Information and Technology Development Agency (NITDA) with the supervision of the Honourable Attorney General of the Federation (HAGF). The HAGF was required to review the foreign country’s data protection framework, as well as general and sector-specific legislation in respect of public security, defence, national security, and criminal law amongst others, before making its adequacy decision.
However, in the absence of an adequacy decision (ii) the following conditions:
However, the new Nigeria Data Protection Act 2023 (NDPA) has opted for a slightly different approach. The NDPA, has removed the cumbersome requirement for an adequacy decision by the NITDA or the HAGF as discussed above, instead it provides that cross border transfers can be done where the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with the NDPA.
The responsibility for determining the adequate level of protection is now solely vested in the Nigeria Data Protection Commission (the Commission) rather than the HAGF which means that the Commission will now be responsible for issuing an adequacy decision.
However, where there is no adequate level of protection, cross-border transfers can only be done when one of the conditions set out in section 43 of the NDPA is met. The conditions are largely similar to the provisions in the NDPR discussed earlier, save for a new addition which allows for cross border transfers where it is for the sole benefit of a data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer, or if it were reasonably practicable to obtain such consent, the data subject would likely give it.
Key Considerations for Business
The coming into effect of the NDPA, means businesses should consider the requirements for cross border transfer of personal data, some of the critical considerations are:
Businesses will need to pay close attention to the Commission and the regulations that it will likely formulate with respect to cross-border transfers.
Cross-border data exchanges are essential in the age of globalisation and digital interconnection for promoting innovation and economic prosperity. However, it is equally crucial to find a balance between the preservation of individual privacy rights and the open flow of data. Businesses will need to comply with the foregoing requirements of the Act when transferring data out of Nigeria would avoid incurring substantial financial penalties as prescribed by the Act.
Should you have any questions regarding this legal alert do not hesitate to contact Sumbo Akintola.
Olawale Adedipe – Associate