Cross-Border Data Transfers: An Overview of Legal Requirements and Compliance Mechanisms in Nigeria

13

May

Trusted

Cross-Border Data Transfers: An Overview of Legal Requirements and Compliance Mechanisms in Nigeria

In an increasingly digitized and globalized economy, the transfer of personal data across national borders has become an operational necessity for businesses. Nigerian companies and businesses are not left out, as they routinely rely on offshore cloud infrastructure, foreign service providers, and multinational data ecosystems to deliver services efficiently. However, these data flows raise significant legal and regulatory concerns, particularly regarding the protection of the privacy rights of Nigerian data subjects.

The enactment of the Nigeria Data Protection Act, 2023 (NDPA) and the subsequent NDPA General Application and Implementation Directive, 2025 (GAID) marked a decisive shift from a fragmented regulatory approach to a comprehensive statutory regime governing cross-border data processing and transfers. The NDPA and GAID, enforced by the Nigeria Data Protection Commission (NDPC), establish a restrictive framework for cross-border data transfers, premised on the principle that personal data should not leave Nigeria without adequate safeguards. Cross-border data transfers are therefore no longer routine technical operations; they are regulated legal activities requiring demonstrable compliance with statutory conditions.

It is against this background that this piece aims to examine the legal requirements governing cross-border data transfers and the practical compliance challenges faced by organizations operating in Nigeria.

LEGAL REQUIREMENTS FOR CROSS-BORDER DATA TRANSFER IN NIGERIA

Cross-border data transfer in Nigeria is governed by the combined provisions of the NDPA and GAID[1]. Under the NDPA, cross-border data transfer is allowed provided[2]:

a. The recipient affords an adequate level of protection

b. There is an Adequacy Decision by the Commission.

c. There exists a Cross-Border Data Transfer Instrument (CBDTI) approved by the Commission; and

d. Other lawful bases as provided under section 43 of the NDPA apply[3]

In light of the above, the recipient must provide an adequate level of protection to safeguard personal data for cross-border transfers to Nigeria. Where this is not in place, it must fall under the exceptions set out in section 43 of the NDPA.

Where a data controller lacks the adequacy of protection requirement, it must ensure:

i. The data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers due to the absence of adequate protections:

ii. The transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract.

iii. The transfer is for the sole benefit of a data subject and —

(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer, and

(ii) if it were reasonably practicable to obtain such consent, the data subject would likely give it

iv. The transfer is necessary for important reasons of public interest.

v. The transfer is necessary for the establishment, exercise, or defence of legal claims; or

vi. The transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.

The GAID, in its own case, reiterates the overarching nature of Part VIII of the NDPA on cross-border transfer of personal data[4]. However, given that the NDPC has yet to issue any regulatory CBDTI, the provisions of Schedule 5[5] of the GAID shall be used to evaluate countries for the purposes of determining their level of adequacy and for other grounds of cross-border data transfer recognized under the NDPA.[6]

By virtue of the Guidance on Cross-Border data transfer as contained under Schedule 5 of the GAID, the NDPC may adjudge a country as affording adequate data protection based on the following conditions:

a) Availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law;

b) Existence of any appropriate instrument between the NDPC and a competent authority in the recipient jurisdiction that ensures adequate data protection[7];

c) Access of a public authority to personal data;

d) Existence of an effective data protection law;

e) Existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers;

f) International commitments and conventions binding on the relevant country and its membership of any multilateral or regional organizations

Despite the provisions of the NDPA and GAID on cross-border transfer of personal data, there are still gaps that require clarity from the NDPC, such as the issuance of CBDTI. Some of these gaps often pose challenges for businesses navigating cross-border transfers in Nigeria.

CONCLUSION

It is not in dispute that cross-border data transfers are indispensable to modern business operations. Nevertheless, they are among the most heavily regulated aspects of data protection law in Nigeria. The NDPA’s approach is restrictive and accountability-driven, thereby requiring organizations to justify and safeguard every transfer of personal data outside Nigeria.

While the legal requirements are conceptually clear, practical compliance remains challenging due to technological dependence, regulatory uncertainty, and operational constraints.

Ultimately, organizations must treat cross-border data transfer compliance not as a technical afterthought but as a core legal and risk management function. Businesses that embed robust governance structures and proactive compliance strategies will be better positioned to navigate Nigeria’s evolving data protection landscape while maintaining operational efficiency in a global digital economy.

[1] See Sections 41 – 43 of the Nigeria Data Protection Act, 2023 (NDPA) and Article 45 of the GAID, 2025

[2] See Sections41 – 43 of the NDPA

[3] These lawful bases would only apply for cross-border data transfer where the data controller lacks the adequacy of protection requirement

[4] Article 45 (1) of the GAID

[5] Schedule 5 contains the Guidance on Cross-Border Data Transfer

[6] See Article 45(2) of GAID

[7] This means the Commission may enter into an agreement with the Data Protection Authority of the jurisdiction for the purposes of Mutual Legal Assistance on (i) Investigation of data breaches, (ii) Enforcement of cross-border decisions, and (iii) Intergovernmental information sharing

Written by Muhiz Adisa for The Trusted Advisors

Email us: info@trustedadvisorslaw.com

Telephone Number: +234 810 159 9159

Tags:

Insights,Nigeria,Nigerian Law,Startup,Technology