In today's world, the commonly used phrase "the world is your oyster" can now be taken literally by businesses. With the use of technology and data analytics, companies can now reach customers across borders with products/ services tailored to meet the peculiar needs of customers in various countries.
As data analytics has become a pivotal part of most businesses, understanding the regulatory framework for proper data usage is imperative. More specifically for local and multinational companies playing in the Nigerian market, understanding the requirements of Nigerian data protection laws for cross border transactions is key.
In this article we have set out in a simplified manner the requirements of the Nigerian data protection laws for cross border transactions.
1. WHAT ARE THE APPLICABLE REGULATIONS?
The primary regulations are the Nigeria Data Protection Regulation (NDPR) and the NDPR Implementation Framework.
2. WHAT TYPE OF DATA IS SUBJECT TO REGULATIONS ON CROSS-BORDER TRANSFER?
Any personal information that can be used to identify a Nigerian citizen (Personal Data) is regulated under the NDPR and subject to the restrictions on cross-border transfer. Please note that anonymised data is excluded from the restrictions on data transfer in Nigeria.
3. WHEN IS A CROSS-BORDER TRANSFER CONSIDERED TO HAVE OCCURRED?
A company will be considered to have transferred data outside Nigeria where the company:
i. hosts or transfers data to a database maintained by a company located outside Nigeria (Foreign Company);
ii. grants staff and/or other third parties of a Foreign Company access to Personal Data; or
iii. relies on a Foreign Company for technical support and in the process grants that company access to the personal data of Nigerians.
4. ARE THERE COUNTRIES DEEMED AS HAVING ADEQUATE DATA PROTECTION LAWS UNDER NIGERIAN LAW?
Yes, countries deemed to have adequate data protection laws are included on a white list contained in the NDPR framework. These include, all African countries who are signatories to the Malabo Convention 2014; all EU and European Economic Area Countries; United States of America; Japan and many more.
5. ARE COMPANIES IN NIGERIA FREE TO TRANSFER DATA TO COUNTRIES ON THE WHITE LIST?
Yes, but prior to such a transfer, the companies are expected to enter into data transfer agreements with the Foreign Company detailing the terms of the transfer and the measures to be adopted by the Foreign Company to protect the Personal Data received.
6. CAN A COMPANY IN NIGERIA TRANSFER TO COUNTRIES NOT LISTED ON THE WHITE LIST?
Yes, they will however be required to: (i) notify the individual whose data is being transferred of the risk involved in transferring data to a country without adequate level of protection; (ii) obtain the individual's consent; and (iii) enter into a data transfer agreement with the Foreign Company prior to any such transfer.
7. DOES THE REQUIREMENT FOR CROSS-BORDER TRANSFER OF DATA DIFFER WHEN THE TRANSFER IS BETWEEN COMPANIES WITHIN THE SAME GROUP/SUBSIDIARIES?
Yes, to share personal data with companies within the same group, the transferring company is required to execute a Binding Corporate Rule (BCR) or include Standard Contracting Clauses (SCC) in data transfer agreements. These documents can be provided by licensed Data Protection Compliance Organisations in Nigeria.
A company that complies with the foregoing requirements of Nigerian law when transferring data out of Nigeria would avoid incurring substantial financial penalties from the National Information Technology Development Agency (NITDA).
It is pertinent to note that companies (both local and foreign) handling data of over 1000 Nigerian citizens are required to engage the services of a licensed Data Protection Compliance Organisation to review their activities and make recommendations geared towards ensuring compliance.
For clarity on the foregoing article, you may contact Pavestones Legal via email@example.com. Pavestones Legal is one of the few licensed Data Protection Compliance Organisations in Nigeria and is also a full-service law practice providing support to both local and foreign clients.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.