The rapid advancements in information and communication technologies have revolutionized the way personal data is collected, processed, and transferred globally. In an increasingly interconnected world, the cross-border transfer of personal data has become a vital aspect of modern business operations, enabling seamless international transactions, communication, and collaboration. However, this transfer of personal data across borders raises significant concerns about privacy, security, and legal compliance.
Nigeria, as a prominent player in the digital economy, faces the challenges and opportunities associated with the cross-border transfer of personal data. With a growing number of businesses and individuals engaging in international data flow, it has become imperative to examine the legal and regulatory framework governing this practice. This article provides an overview of the cross-border transfer of personal data in Nigeria, aiming to highlight key considerations, regulatory mechanisms, and emerging trends in this domain.
CROSS-BORDER TRANSFER OF PERSONAL DATA
Where personal data is to be transferred or shared with a country outside Nigeria, the law has made ample provisions for the procedure to legally do so.
Cross-border transfer of personal data is subject to the supervision of the Honourable Attorney General of the Federation (AGF) and confirmation by the Nigeria Data Protection Bureau (NDPB).[i]
Based on the provision of Paragraph 2.11 of the NDPR, the supervisory role of the AGF includes taking into consideration the legal system of the foreign country particularly in the areas of rule of law, respect for human rights, and fundamental freedom, relevant legislation, both general and sectoral, including public security, defense, national security and criminal law and the access of public authorities to Personal Data.
The essence of this and the confirmation by the NDPB is to determine whether the foreign country affords an adequate level of protection of personal data in its data privacy and protection regime. It is imperative to also point out that the Nigeria Data Protection Regulation Implementation Framework, 2020 also contains a whitelist of countries deemed to have adequate data protection laws for which an Adequacy Decision has been made.[ii]
However, where data is to be transferred to a country not listed in the whitelist or in cases where the AGF is unable to or cannot make a decision as to the adequacy of data protection safeguards in the foreign country, cross-border transfer of personal data will only happen where one of these conditions are met:
- The data subject consents to the proposed transfer after having been advised of the risks involved;[iii]
- The transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the Data Subject’s request;[iv]
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;[v]
- The transfer is necessary for important reasons of public interest;[vi]
- The transfer is necessary for the establishment, exercise, or defense of legal claims;[vii]
- The transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.[viii]
The Nigeria Data Protection Act of 2023, however, does not require the AGF to make decisions as to whether the foreign country affords an adequate level of protection for personal data. Rather, this task is now embedded in the Nigeria Data Protection Commission[ix]. In assessing whether a country obtains an adequate level of protection for personal data, the commission will take into consideration:
- The availability of enforceable data subject rights;
- The existence of any legal instrument between the Data Protection Commission and a competent authority in the recipient country addressing elements of adequate protection of personal data similar to that provided under the Act;
- The access of a public authority to personal data;
- The existence of effective data protection laws and supervisory authority with adequate enforcement powers;
- International commitments and conventions binding on the relevant country and its membership of multilateral or regional organizations.[x]
In the era of globalization and digital interconnectedness, cross-border data transfers play a crucial role in facilitating economic growth and innovation. However, it is equally important to strike a balance between the free flow of data and the protection of individual privacy rights. There is therefore the need for continuity to adapt and evolve the Nigerian data protection framework to keep pace with technological advancements and evolving global standards.
Ultimately, by fostering a robust and transparent environment for cross-border data transfers, Nigeria can not only safeguard the privacy of its citizens but also create an enabling environment for data-driven innovation, economic development, and international cooperation.
[i] See Regulation 2.11 of the NDPR. It is important to note that the provision of Paragraph 2.11 of the NDPR mentioned “agency” which refers to NITDA. However, since the creation of the NDPB, it is the sole agency tasked with carrying out the said functions.
[ii] See Annexure C of the NDPR Implementation Framework, 2020
[iii] See Paragraph 2.12 (a) of the NDPR
[iv] See Paragraph 2.12 (b) of the NDPR
[v] See Paragraph 2.12 (c) of the NDPR
[vi] See Paragraph 2.12 (d) of the NDPR
[vii] See Paragraph 2.12 (e) of the NDPR
[viii] See paragraph 2.12 (f) of the NDPR
[ix] See Section 41 of the Nigeria Data Protection Act, 2023
[x] See generally Section 42(2) of the Nigeria Data Protection Act, 2023
Email us: [email protected]