Cross-Border Data Transfer: Navigating Compliance under the Nigerian Data Protection Act 2023
The recently enacted Nigeria Data Protection Act (“the Act”) 2023 is now the principal data privacy and protection legislation in Nigeria, and it establishes the Nigeria Data Protection Commission (the Commission) to oversee the implementation of the Act. The Act provides data protection principles that are similar to many international data protection frameworks. Due to the significance and inevitable cross-border flow of personal data in the current era, and its likely impact on the data protection rights of data subjects, the Act has provisions that guide the transfer of personal data outside Nigeria by data controllers and data processors, with the privacy of data subjects at the fore.
Cross-Border Personal Data Transfer
The Act did not define the term ‘Cross Border Data Transfer’. However, taking a cue from Article 1.3 (xvii) of the Nigeria Data Protection Regulation (NDPR) 2019, which defined “foreign country” in the context of cross border personal data transfer, it means the transfer of personal data outside Nigeria to another sovereign state, or autonomous or semi-autonomous territories within the international community for various purposes. The NDPR was retained by Section 64(2)(f) of the new Act, but the Act maintains priority status by virtue of Section 63 of the Act.
Section 41(1) of the Act prohibits the transfer of personal data outside Nigeria by default. However, it also creates exceptions to this rule, which when applicable are grounds for the transfer of personal data outside Nigeria. The Act stipulates that personal data should not be transferred outside of Nigeria but permits two exceptions: adequacy of protection and derogations.
Adequacy of Protection
Under the adequacy of protection rule set out in Section 41(1)(a) of the Act, personal data can be transferred from Nigeria to another country when the recipient of the personal data (the data importer) is subject either to (1) a law, (2) Binding Corporate Rules (‘BCRs’), (3) contractual clauses, (4) a Code of Conduct, or (5) a certification mechanism that “affords an adequate level of protection” in accordance with the Act. The Commission may also issue an adequacy decision on a country or a sector within a country, a region, or standard contractual clauses (SCC).
Under the Nigeria Data Protection Regulation (NDPR) 2019, a list of countries was published by the National Information Technology Development Agency (NITDA) as deemed to have adequate data protection laws for the purposes of cross border personal data transfer. The new Act by Section 64(2)(f) retained this list issued by NITDA. The said list was challenged in court for not meeting the standards of the NDPR before issuance.
To evaluate the adequacy of protection afforded by any of the mechanisms adopted for cross-border data transfer above, several criteria are established by the Act. These criteria include the availability of enforceable data subject rights; existence of binding instruments between the Commission and a relevant public commission in the recipient country; access of a public authority to the personal data; existence of effective data protection laws and a data protection regulator with adequate enforcement powers; and international commitments.
In determining the adequacy of protection afforded by a country, region, or SCC under the new Act, the Commission can take into consideration any adequacy decision made by a competent data protection authority in other jurisdictions where the factors considered by those authorities are similar to those stipulated in the Act. The National Assembly by virtue of Section 43(2) of the Act must also approve the adoption of any specific international or multinational cross border codes, standards or mechanisms before such instrument can be used as a Nigerian standard.
The Commission is empowered to issue regulations that will require data controllers or entities to notify the Commission of the transfer mechanisms utilized and explain the adequacy of protection offered by those mechanisms. The Commission by virtue of Section 42(5) is also empowered to approve BCRs, codes or other instruments for data transfer proposed to it where it is satisfied that such instrument meets standards approved by the Act. The permissible transfer mechanisms and the adequacy of protection offered must be documented by the data controller or data processor utilizing the same.
Derogations
The Act does not refer to the second set of exemptions to the prohibition of cross-border data transfer under Section 43(1) as “derogations”. However, the term “derogations” in reference to Section 43(1) of the Act is adopted from the General Data Protection Rules (GDPR) 2018, as they have similar content. In the absence of an adequacy decision, personal data can also be transferred outside of Nigeria on the bases listed in Section 43. The bases include: informed consent which has not been withdrawn; necessity for the performance of contracts involving the data subject; the data subject's sole benefit, where it is not practicable to obtain consent; public interest; where it is necessary for a legal claim; or the vital interest of the data subject, where they cannot give consent.
Compliance Obligations for Controllers and Processors
A combined reading of Section 41(1)(a) and Section 42(2) of the Act places on the Data Controller and Processor the obligation of making adequacy protection assessments of the permitted transfer mechanisms. As such, when a would-be recipient of personal data is subject to a data privacy law, the Controller or Processor seeking to transfer personal data to such recipient outside Nigeria will also determine the level of adequacy of protection afforded by that law prior to transfer.
For context, before the Act was enacted, the Nigeria Data Protection Regulation (NDPR) 2019 which now co-exists with the Act, made adequacy decisions the prerogative of the regulatory authority in conjunction with the Attorney General under Article 2.11 of the NDPR. The obligation to make adequacy decisions now appears transferred to data controllers and processors under the Act. Incidentally, Sec. 42(4) of the Act also allows the Commission to make adequacy decisions about countries and regions. In making such decisions, the Commission is to use the same criteria set out in Section 42(2) to reach such decisions. As such, data controllers, data processors and the Commission can all reach adequacy decisions.
Overlap of Section 2(c) of the Act and Cross-Border Transfer Rules
Section 2(c) of the Act provides that “the Act shall apply where the data controller or data processor is not domiciled in, or operating in Nigeria, but is processing personal data of a data subject.” An example will be where a cloud storage service provider is contracted by a company operating in Nigeria to store the personal data of Nigerian citizens. Typically, the service provider is not domiciled or resident in Nigeria, or operating in Nigeria. However, by this section, once the service provider commences processing of the personal data of Nigeria data subjects, they shall abide by the Act. For context, by Section 65 of the Act, processing of personal data under the Act means any set of operations performed on personal data which includes collection or storage of personal data.
The above provision makes the cross-border data transfer rules in the Act somewhat redundant, even though the cross-border data transfer obligations are to be performed by the entity that seeks to transfer the data outside the country prior to the transfer. The question for the entity seeking to transfer the personal data outside Nigeria becomes “why do I have to deploy resources to comply with cross border data transfer rules where the receiving entity automatically becomes obligated to comply with the Act?”
One could argue that due to the difficult nature of extra-territorial enforcement of the NDPA, this provision aids in ensuring that the processing of personal data outside Nigeria resulting from cross-border transfer is done within the confines of the NDPA, as entities seeking to transfer personal data outside Nigeria comply with these provisions.
It is hoped that the Commission will issue regulations and directives to ease the operationalization of cross border data transfer rules under the Act.
Other Powers of the Commission
Besides the powers of the Commission mentioned earlier, the Commission is also empowered by Sec. 42(3) of the Act to issue guidelines regarding the assessment of adequacy of protection.
Conclusion
The Act has modified a few aspects of the cross-border personal data transfer regime from its previous state, albeit not radically, even though some uncertainties may exist. Data controllers and data processors who intend to transfer personal data outside Nigeria are mandated to comply with the provisions by adopting a transfer mechanism that guarantees that the rights of data subjects are protected in the manner prescribed by the Act. Data controllers and data processors are also advised to be mindful of regulations that may be issued by the Commission to ensure they remain compliant with the Act at all times and adjust their practices when necessary.
Article provided by INPLP member: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
Dr. Tobias Höllwarth (Managing Director INPLP)