With globalization and information sharing comes the need to protect personal data from fraudulent activities such as identity theft and hacking. Among other issues in data protection, the cross-border transfer of personal data has been a trending topic among privacy practitioners worldwide1.
Regulatory overview of data protection in Nigeria
Under Nigerian law, the protection of personal data is a fundamental human right and as such is generally protected under the Constitution of the Federal Republic of Nigeria, 1999 (as amended), which provides that "the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected." As with most human rights, this right is restricted where it is reasonably justifiable in a democratic society, in the interest of national security, public safety, public order, public morality or public health or for the purpose of protecting the rights and freedom of other persons.
In addition to the protection availed under the Nigerian Constitution, there are regulations/guidelines which provide for the protection of personal data. The Nigeria Data Protection Regulation, 2019 (NDPR)2 and the Nigeria Data Protection, 2019: Implementation Framework, 2020 were issued by the National Information Technology Development Agency (the Agency). Although the NDPR is subsidiary legislation, it mirrors the GDPR in language, objectives, scope, compliance obligations, and enforcement framework. The main purpose of the NDPR is to safeguard the rights of natural persons to data privacy, foster the safe conduct of transactions involving the exchange of personal data, prevent manipulation of personal data, and ensure that Nigerian businesses remain competitive in international trade. The NDPR applies to all transactions intended for the processing of personal data of natural persons residing in Nigeria or Nigerian citizens residing outside of Nigeria. The aim of the NDPR is to prescribe lawful means by which personal data is collected and processed by the persons or organizations that process data.
The Agency also issued the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020, which provides guidance to public institutions such as ministries, departments, agencies, institutions, public corporations, publicly funded ventures and incorporated entities with government shareholding, either at the federal, state or local levels, as it relates to the processing of personal data.
Prior to 2022, the Agency was the regulatory body in charge of implementing the data protection laws in Nigeria; however, the Federal Government of Nigeria created the Nigeria Data Protection Bureau in February 2022. The establishment of the Data Protection Bureau is also in line with the provisions of the Economic Community of West African States (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, which provides in Article 14 (1) and (2) that "(1) within the ECOWAS space, each Member State shall establish its own Data Protection Authority and any State that does not have shall be encouraged to establish one. (2) the data protection Authority shall be an independent administrative authority responsible for ensuring that personal data is processed in accordance with the provision of this supplementary Act"3.
Cross-border transfers of personal data
The transfer of personal data outside of Nigeria is subject to the supervision of the Honorable Attorney General of the Federation of Nigeria and confirmation by the Data Protection Bureau in respect of whether the foreign country has an adequate level of protection for the data which is to be transferred (Adequacy Decision). The confirmation by the Data Protection Bureau is subject to the attorney general's consideration of the foreign country's legal system, rule of law, respect for human rights and fundamental freedoms as well as relevant general and sector-specific legislation in public security, defense, national security, and criminal law. Countries deemed to have adequate data protection laws and for which an Adequacy Decision has been made are included in the "Whitelist," as stated in the abovementioned Implementation Framework.
In the absence of an Adequacy Decision, the cross-border transfer of personal data is subject to the following conditions:
- The data subject expressly consents to the transfer.
- The transfer is necessary for the performance of a contract.
- The transfer is necessary for reasons of public interest.
- The transfer is necessary for the establishment, exercise, or defense of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
It is pertinent to note that the Data Protection Bill eliminates the requirement to obtain an Adequacy Decision from the attorney general; this decision will now be at the sole discretion of the Nigeria Data Protection Commission4 upon enactment of the bill. Under the bill, the commission is expected to determine the adequacy of protection by considering:
- The availability of enforceable data subject rights;
- The existence of any legally binding instrument between the Data Protection Commission and a relevant public commission in the recipient country addressing elements of adequate protection;
- The access of a public authority to the personal data;
- The existence of effective data protection laws and a data protection regulator with adequate enforcement powers;
- International commitments and conventions binding on the relevant country.
Challenges in cross-border transfers of personal data
The main challenges with respect to the foreign transfer of personal data, especially as it relates to Nigeria, include:
- Bureaucracy when obtaining an Adequacy Decision with respect to countries not on the Whitelist: In reaching an Adequacy Decision, the attorney general is expected to review whether the foreign country has adequate provision for the protection of personal data and whether it respects human rights, rule of law and fundamental freedoms. The timeline for obtaining an Adequacy Decision may be longer than for obtaining other information from the attorney general as an Adequacy Decision may not be prioritized, as a primary duty, by the attorney general.
- Inadequacy of the Whitelist: Currently, 42 countries, as well as all countries in the European Union, European Economic Area, and all countries in the African Union that are also signatories to the Malabo Convention 2014, are on the Whitelist. Since its issuance in 2020, there has been no update to the Whitelist. However, the delay in updating the Whitelist may be the result of the insufficiency of data protection regulations in various countries.
The transfer of personal data/data sharing is important to globalization; however, the insufficiency of data protection laws is a major setback to the safe transfer/sharing of personal data. Regulatory fragmentation, lack of a substantive data protection law and the lack of an independent regulator solely dedicated to the implementation of the NDPR are some of the challenges in data protection in Nigeria. However, it is expected that with the passage of the draft Data Protection Bill, the regulatory framework for data protection will be strengthened.
2 Given that the NDPR is subsidiary legislation, plans are underway to provide a more robust regulatory framework for data protection with the introduction of the Data Protection Bill 2022 by the Data Protection Bureau on 4 October 2022.
3 Please note that while the supplementary Act has not been domesticated by statute, it is considered a part of the Nigerian data protection framework.
4 The Commission is an independent regulator which will be established to take over the functions of the Data Protection Bureau upon the enactment of the Data Protection Bill.