Cross-Border Data Transfer: Navigating Compliance under the Nigerian Data Protection Act 2023
Cross-Border Personal Data Transfer
The Act did not define the term ‘Cross Border Data Transfer’. However, taking a cue from Article 1.3 (xvii) of the Nigeria Data Protection Regulation (NDPR) 2019, which defined “foreign country” in the context of cross-border personal data transfer, it means the transfer of personal data outside Nigeria to another sovereign state, or autonomous or semi-autonomous territories within the international community for various purposes. The NDPR was retained by Section 64(2)(f) of the new Act, but the Act maintains priority status by virtue of Section 63 of the Act.
Section 41(1) of the Act prohibits the transfer of personal data outside Nigeria by default. However, it also creates exceptions to this rule which, when applicable, are grounds for the transfer of personal data outside Nigeria. The Act stipulates that personal data should not be transferred outside of Nigeria but permits two exceptions: ‘adequacy of protection’ and ‘derogations’.
Adequacy of Protection
Under the adequacy of protection rule set out in Section 41(1)(a) of the Act, personal data can be transferred from Nigeria to another country when the recipient of the personal data (the data importer) is subject either to (1) a law, (2) Binding Corporate Rules (‘BCRs’), (3) contractual clauses, (4) a Code of Conduct, or (5) a certification mechanism that “affords an adequate level of protection” in accordance with the Act. The Commission may also issue an adequacy decision on a country or a sector within a country, a region, or standard contractual clauses (SCC).
Under the Nigeria Data Protection Regulation (NDPR) 2019, a list of countries deemed to have adequate data protection laws for the purposes of cross-border personal data transfer was published by the National Information Technology Development Agency (NITDA). The new Act, by Section 64(2)(f), retained this list issued by NITDA. The said list was challenged in court for not meeting the standards of the NDPR before issuance.
To evaluate the adequacy of protection afforded by any of the mechanisms adopted for cross-border data transfer above, several criteria are established by the Act. These criteria include the availability of enforceable data subject rights; existence of binding instruments between the Commission and a relevant public commission in the recipient country; access of a public authority to the personal data; existence of effective data protection laws and a data protection regulator with adequate enforcement powers; and international commitments.
In determining the adequacy of protection afforded by a country, region, or SCC under the new Act, the Commission can take into consideration any adequacy decision made by a competent data protection authority in other jurisdictions where the factors considered by those authorities are similar to those stipulated in the Act. The National Assembly, by virtue of Section 43(2) of the Act, must also approve the adoption of any specific international or multinational cross-border codes, standards or mechanisms before such an instrument can be used as a Nigerian standard.
The Commission is empowered to issue regulations that will require data controllers or entities to notify the Commission of the transfer mechanisms utilized and explain the adequacy of protection offered by those mechanisms. The Commission, by virtue of Section 42(5), is also empowered to approve BCRs, codes or other instruments for data transfer proposed to it where it is satisfied that such an instrument meets standards approved by the Act. The permissible transfer mechanisms and the adequacy of protection offered must be documented by the data controller or data processor utilizing the same.
The Act does not refer to the second set of exemptions to the prohibition of cross-border data transfer under Section 43(1) as “derogations”. However, the phrase “derogations” in reference to Section 43(1) of the Act is adopted from the General Data Protection Rules (GDPR) 2018, as they have similar content. In the absence of an adequacy decision, personal data can also be transferred outside of Nigeria on the bases listed in Section 43. The bases include: informed consent which has not been withdrawn; necessity for the performance of contracts involving the data subject; the data subject's sole benefit where it is not practicable to obtain consent; public interest; where it is necessary for a legal claim; or the vital interest of the data subject where they cannot give consent.
Compliance Obligations for Controllers and Processors
A combined reading of Section 41(1)(a) and Section 42(2) of the Act places on the Data Controller and Processor the obligation of making adequacy protection assessments of the permitted transfer mechanisms. As such, when a would-be recipient of personal data is subject to a data privacy law, the Controller or Processor seeking to transfer personal data to such recipient outside Nigeria will also determine the level of adequacy of protection afforded by that law prior to transfer.
For context, before the Act was enacted, the Nigeria Data Protection Regulation (NDPR) 2019 which now co-exists with the Act, made adequacy decisions the prerogative of the regulatory authority in conjunction with the Attorney General under Article 2.11 of the NDPR. The obligation to make adequacy decisions now appears transferred to data controllers and processors under the Act. Incidentally, Sec. 42(4) of the Act also allows the Commission to make adequacy decisions about countries and regions. In making such decisions, the Commission is to use the same criteria set out in Section 42(2) to reach such decisions. As such, data controllers, data processors and the Commission can all reach adequacy decisions.
Overlap of Section 2(c) of the Act and Cross-Border Transfer Rules
Section 2(c) of the Act provides that “the Act shall apply where the data controller or data processor is not domiciled in, or operating in Nigeria, but is processing personal data of a data subject.” An example will be where a cloud storage service provider is contracted by a company operating in Nigeria to store the personal data of Nigerian citizens. Typically, the service provider is not domiciled or resident in Nigeria, or operating in Nigeria. However, by this section, once the service provider commences processing of the personal data of Nigerian data subjects, they shall abide by the Act. For context, by Section 65 of the Act, processing of personal data under the Act means any set of operations performed on personal data, which includes collection or storage of personal data.
The above provision makes the cross-border data transfer rules in the Act somewhat redundant, even though the cross-border data transfer obligations are to be performed by the entity that seeks to transfer the data outside the country prior to the transfer. The question for the entity seeking to transfer the personal data outside Nigeria becomes “why do I have to deploy resources to comply with cross-border data transfer rules where the receiving entity automatically becomes obligated to comply with the Act?”
One could argue that due to the difficult nature of extra-territorial enforcement of the NDPA, this provision aids in ensuring that the processing of personal data outside Nigeria resulting from cross-border transfer is done within the confines of the NDPA, as entities seeking to transfer personal data outside Nigeria comply with these provisions.
It is hoped that the Commission shall issue regulations and directives to ease the operationalization of cross-border data transfer rules under the Act.
Other Powers of the Commission
Besides the powers of the Commission mentioned earlier, the Commission is also empowered by Sec. 42(3) of the Act to issue guidelines regarding the assessment of adequacy of protection.
The Act has modified a few aspects of the cross-border personal data transfer regime from its previous state, albeit not radically, even though some uncertainties may exist. Data controllers and data processors who intend to transfer personal data outside Nigeria are mandated to comply with the provisions by adopting a transfer mechanism that shall guarantee the rights of data subjects are protected in the manner prescribed by the Act. Data controllers and data processors are also advised to be mindful of regulations that may be issued by the Commission to ensure they remain compliant with the Act at all times and adjust their practices when necessary.
Article provided by INPLP member: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
Dr. Tobias Höllwarth (Managing Director INPLP)