Analysis Of Policy Developments On Cross-Border Data Transfers (CBDT) And Digital Trade In Nigeria

ABSTRACT

The relationship between data and digital trade is inextricable, necessitating governance frameworks that effectively regulate cross-border data flows. This research provides a concise analysis of Nigeria's evolving regulatory landscape for Cross-Border Data Transfers (CBDT), positioning the country as an emerging leader in shaping Africa's digital trade environment. It examines the pivotal recent developments under the Nigeria Data Protection Act (NDPA) 2023 and its detailed General Application and Implementation Directive (GAID) 2025, which collectively establish a comprehensive legal architecture for CBDT. The analysis delves into the GAID's specific operational mechanisms, including its tiered adequacy assessment model for recipient countries and its provision for approved transfer instruments like Standard Contractual Clauses, which offer immediate, actionable pathways for e-commerce and other digital enterprises. By synthesizing these policy developments, this study elucidates how Nigeria's strategic balancing of robust data protection with economic facilitation through instruments like the GAID is shaping domestic compliance requirements and influencing regional digital trade dynamics.

INTRODUCTION

The world has become a simpler and less costly marketplace, as goods and services can now be ordered or delivered digitally. This is the opportunity digital trade presents, and states are increasingly embracing it to drive economic growth and innovation. Whilst economies are built around this, it continues to form a great chunk of many countries' GDP.¹ Nigeria has joined the melody to strategically embrace a trade revolution that will position it as a leader in digital trade across the African continent.² With the African Continental Free Trade Area's (AfCFTA) creation of a single market across the African continent, this ambition is mostly central to the Digital Trade Protocol of the AfCFTA.³ It is safe to say that domestic policies, regional, and international cooperation intersect to sustain digital trade. Nigeria is favoured by population and mobile market to take on the opportunities of digital trade, leading to its advancements in e-commerce and digital banking in recent times.⁴ Nigeria is leveraging multiple policy and regulatory tools⁵ in its efforts to strengthen its digital economy. Beyond Nigeria, this nudge is vastly global – as the fastest growing aspect of international trade is attributed to digitally deliverable services.⁶

DATA-CENTERED TRADE, DATA LOCALIZATION AND CBDT GOVERNANCE

Central to the formation, dynamics, and sustenance of digital trade is the exchange of data. Hence, brooding dynamic nests for issues pertaining to "data protection, online consumer protection, cybercrimes, and the regulation of cross-border data transfer (CBDT)."⁷ With data becoming the lifeline with which this form of global trading runs and for all these implicated issues, detailed and measurable policy framework become apposite for both domestic governance and providing a robust internationalist coverage to balance trade and these sensitive issues. To further highlight the importance of policy in this sphere, regulatory issues created by CBDT can go beyond threat to data protection, to national security of states.⁸

The issue of CBDT primarily becomes topical when regulations prohibit the transmission of certain data beyond the shores of its territory. This is known as "data localization," which furthers some legitimate protectionist goals in favour of data subjects, the economy, and national security.⁹ Recent developments in the Nigeria's data protection legal architecture via the Nigeria Data Protection Act (NDPA) 2023, provide significant framework on such transfer of data. To capture what constitutes CBDT, article 1.3(xvii) of the Nigeria Data Protection Regulation (NDPR) 2019¹⁰ defines a "foreign country" as "other sovereign states, autonomous or semiautonomous territories within the international community."¹¹ Hence, data localization under the NDPA portends a restriction of personal data transfer/flow to territories qualifying as the foregoing, except under certain circumstances.¹²

Being critical of the foregoing policy pattern, some analysts argue that the intentions behind data localization are not as legitimate as they seem, asserting that States only pursue such policies to have surveillance access to the personal data of its citizens.¹³ Hence, maintaining a critical position that the policies around data localization cause more harm than good; as they are counterproductive, potentially harming privacy, failing to enhance security, complicating regulation, and causing economic damage.¹⁴ The opinion illegitimizing the goals of state policies on localization of data further states that they hamper investment and trade, causing restrictions to the global market.¹⁵ While it is agreeable that data localization curtails digital trade by restricting the free flow of data across borders and acting as a barrier to market access, we opine that such realities can only be as dire as argued if the localization policies are absolute, which they are not under the current regime in Nigeria. We further posit that the protection of data subjects should not be discouraged from remaining at the fore of state policies, hence, the regulations on CBDT. More fundamentally, the aim is to avoid a porous landscape that will inter alia, endanger data subjects' interests.

Furthermore, the NDPA General Application and Implementation Directive (GAID) 2025 strengthens governance of CBDT. This is significant for digital trade and e-commerce. Article 45 of the GAID also addresses the "adequacy decision" by the Nigeria Data Protection Commission (NDPC), confirming that a recipient country's data protection standards match Nigeria's. While adequacy may take time, GAID permits immediate use of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and certifications. This enables e-commerce firms using global cloud services or payment gateways to lawfully transfer data and maintain operations without undue delays.

Article 45 of the General Application and Implementation Directive (GAID) 2025 stipulates as follows:

Cross-Border Data Transfer

Further, Schedule 5 of the GAID outlines NDPC's adequacy criteria, including enforceable rights, independent oversight, and international commitments. Businesses can use this framework to assess their own data flows. Notably, transfers without these formal mechanisms are allowed in limited cases, such as fulfilling a contract or with explicit, informed consent. However, GAID warns that commercial interests alone do not justify transfer. E-commerce operators must document the legal basis for each transfer, conduct Data Privacy Impact Assessments, and clearly disclose international data practices in their privacy policies to build trust and comply with the new standard.

THE BALANCE OF EXTREMES: RECONCILING ECONOMIC INTEREST AND PERSONAL DATA PROTECTION

On the premise that balance is unavoidably necessary between digital trade promotion and data protection in Nigeria, sections 41 to 43 of NDPA provide stringent oversight in its localization and CBDT governance. Section 41 of NDPA provides that a data controller or processor is prohibited from transferring personal data outside Nigeria unless specific conditions are met. These include ensuring that the recipient of the data in the foreign country is "subject to laws, corporate rules, contractual clauses, or certification mechanisms" that offer an "adequate level of protection" as defined by the Act. For ease of reference, we refer to the provisions of Section 41 of the NDPA which states as follows:

In cases where these protections are not established, the transfer can only proceed if one of the exceptions listed in section 43(1) applies.¹⁶ The circumstances which constitute an exception under Section 43(1) of NDPA, 2023 are as follows:

Additionally, Data Controllers and Processors are required to document the legal basis for such transfers and assess the adequacy of protections in the recipient country.

Further, section 42 of NDPA provides the outline of what constitutes "adequate protection" for CBDTs. This adequacy is determined by various factors, including the existence of enforceable rights for data subjects, the availability of legal remedies, the rule of law, and the presence of an independent and competent data protection authority in the recipient country. The Nigerian Data Protection Commission (NDPC)¹⁷ is, inter alia, tasked with assessing these factors and issuing guidelines on adequacy. It also has the authority to determine whether a specific country, region, or sector meets the adequacy standard, and can approve binding corporate rules, codes of conduct, or certification mechanisms for CBDTs. However, under this section, the absence of such a determination does not imply that a transfer is automatically permitted, reinforcing the need for explicit regulatory oversight.¹⁸

Again, section 43 addresses situations where there is no adequacy determination under section 42. These have been termed "derogations" by analysts.¹⁹ In such cases, data controllers or processors can transfer data only under certain exceptions, such as when the data subject provides informed consent or when the transfer is necessary for contractual purposes, the public interest, legal claims, or the vital interests of the data subject. This section ensures that even in the absence of adequate protection, CBDTs are governed by strict conditions to protect the rights and interests of Nigerian citizens (especially) engaging digitally in trade, etc. Furthermore, it prohibits the adoption of international data transfer standards or certification mechanisms as national standards without the approval of the National Assembly, reinforcing the need for legislative oversight. Essentially, it does not amount to wholesome practice to resort to the derogations in the first instance (as a go-to method),²⁰ hence, data processors and controllers must use exceptions only where adequate protections are absent.

Arriving at these regulatory standards, there used to be a whitelist – developed under the NDPR 2019, and allowing data transfers to the enlisted countries without further safeguards.²¹ The legal validity of this was successfully contested.²² The criteria under the current regime is such countries recognized by the NDPC as having adequate data protection laws in accordance with section 42 of NDPA.²³ Further, Nigerian officials are engaging internationally to align Nigeria's data protection framework with global standards.²⁴

Outside the scope of these central framework (the NDPA and the NDPR), other domestic policy steps that implies governance in respect of digital trade which may concern CBDT are worth mentioning. The National Digital Economy and E-Governance Bill (the Bill), 2024;²⁵ is a potential step in facilitating a competitive digital economy for Nigeria. When the Bill becomes law, it will complement the Nigeria's existing Data Protection Act 2023, with specific provisions in Part VII concerning consumer data handling by service providers and Part XI addressing data management in digital government services, including the creation of a national data exchange. We also envisage that it outlines of obligations for digital traders and reference to online consumer protection implicates the conjunctive functionality with section 15 of the Federal Competition and Consumer Protection Act (FCCPA) when it becomes law – as the latter envisions choice and information as consumer rights.²⁶ Notably, the Bill's push for digital transformation may conflict with the NDPA and GAID's strict privacy standards if pursued without caution. Hence, the Bill mandates compliance with the NDPA.²⁷

Beyond national policy efforts in this regard, its continental and global links are crucial considerations in CBDT governance and practice. On the global and regional scales, there are efforts towards liberalizing the flow of data to enhance digital trade development.²⁸ The pivotal role of personal and other data in the global digital economy intensifies the tension between trade liberalization commitments and the individual rights to privacy and personal data protection.²⁹ This may create a dilemma for Nigeria in choosing between adhering to its own CBDT framework and fulfilling its trade obligations.

CONCLUSION

Nigeria has moved beyond abstract policy ambitions to establish a concrete and operational regulatory framework for Cross-Border Data Transfers (CBDT), directly addressing its critical role in digital trade. The Nigeria Data Protection Act (NDPA) 2023, as operationalized by its detailed General Application and Implementation Directive (GAID) 2025, provides the necessary clarity to navigate this complex area. The framework, articulated in Articles 41-43 of NDPA and 45 and Schedule 5 of the GAID, strategically avoids blanket data localization by creating clear legal gateways for data flows. These include adequacy of decisions and, crucially for immediate business needs, approved transfer instruments like Standard Contractual Clauses. This approach demonstrates a deliberate balance, facilitating the data flows essential for e-commerce and international digital services while mandating robust safeguards for data privacy and security. The path forward for a thriving digital economy now hinges on the effective harmonization between the NDPC and data controllers/processors. This collaboration is essential to ensure that the practical application of these rules mitigates compliance uncertainties and solidifies Nigeria's position as a leader in enabling trusted and seamless digital trade within Africa.

Footnotes

* John Ibe is a Senior Associate at Alliance Law Firm, Lagos, Nigeria, while Faith Omole and Joshua Olewu are both Associates at the same firm.

[1] Staff of IMF and Others, 'Digital Trade for Development' (WTO, 2023) < https://www.wto.org/english/res_e/booksp_e/dtd2023_e.pdf> accessed 15 September 2024; Ye Liu, 'China's Law and Policy on Cross-Border Data Flow: A Review of Digital Silk Road' (2024) 17 Journal of East Asia and International Law 109.

2. Stanley Nkwocha, 'FG Unveils Roadmap for Africa's Digital Trade Revolution Under AfCFTA' (Statehouse, 19 July 2024) < https://statehouse.gov.ng/news/fg-unveils-roadmap-for-africas-digital-trade-revolution-under-afcfta/> accessed 15 September 2024; A Agarwal, 'The Digital Ecosystem in Nigeria and the AfCFTA Digital Trade Protocol: Raising Awareness and Strategising Implementation' (2024) ODI Policy Brief, 9 < https://odi.org/en/publications/advancing-implementation-of-theafcfta-protocol-on-digital-trade-in-nigeria> accessed 15 September 2024.

3. A Agarwal, 'The Digital Ecosystem in Nigeria and the AfCFTA Digital Trade Protocol: Raising Awareness and Strategising Implementation' (2024) ODI Policy Brief < https://odi.org/en/publications/advancing-implementation-of-theafcfta-protocol-on-digital-trade-in-nigeria> accessed 15 September 2024.

4. B Narayanan, C Dawani and L Oyelami, 'Impact of Cross-Border Digital Transmissions on MSMEs in Nigeria' (World Trade Organization, 2022) < https://www.wto.org/english/thewto_e/minist_e/mc13_e/ngo_position_papers_e/msmes_nigeria.pdfaccessed> 15 September 2024.

5. Digital Economy Policy Commission (DEPC); National Broadband Plan; National Digital Economy Policy and Strategy (2020-2030), amongst other instrumentalities.

6. Staff of IMF and Others (n 1).

7. Binit Agrawal and Neha Mishra, 'Addressing the Global Data Divide through Digital Trade Law' (2022) 14 Trade, Law and Development 238, 244.

8. F Marengo, 'Regulating Data Transfers through the International Trade Regime' (2020) 17 Manchester J Int'l Econ L 266.

9. NDPA, section 41 to 43; Joshua Meltzer, 'The United States-Mexico-Canada Agreement: Developing Trade Policy for Digital Trade' (2019) 11 Trade L & Dev 239, 250.

10. In addition to the priority status of the NDPPA 2023 as in section 63, section 64(2)(f) retains the NDPR 2019.

11. Section 2(c) of the Nigerian Data Protection Act (NDPA) extends the law's jurisdiction to data controllers or processors outside Nigeria, provided they are handling the personal data of Nigerian subjects.

12. NDPA, section 41(1).

13. CIPESA, 'Which Way for Data Localisation in Africa?' (CIPESA, November 2022) < https://cipesa.org/wp-content/files/briefs/Which_Way_for_Data_Localisation_in_Africa___Brief.pdf> accessed 16 September.

14. ibid.

15. ibid.

16. Such as explicit consent from the data subject or the necessity of the transfer for contractual reasons.

17. Established under section 4 of the NDPA.

18. Importantly, enforceability is one of the benchmarks under section 42 of NDPA to determining adequate protection and as such, worthy of mention. The provisions of the NDPA are to be effectively enforced by critical state organs such as; NDPC and the Judiciary.

19. D Uzor and B Adesokan, 'Operationalising the NDPA: Bridging Digital Boundaries with Cross-Border Data Rules' (Tech Hive Advisory, 11 September 2023) < https://www.techhiveadvisory.africa/insights/operationalising-the-ndpa-bridging-digital-boundaries-with-cross-border-data-rules> accessed 15 September 2024.

20. ibid.

21. ibid.

22. Ikigai v NITDA FHC/ABJ/CS/1246/2022.

23. NDPA, section 43(4).

24. Engagement of Nigerian Officials with the Cross Border Privacy Rules (CBPR) forum in London, United Kingdom. See, V Olatunji and B Bamigboye, 'Nigeria Data Protection Annual Report 2023' (NDPC, 2023) < https://ndpc.gov.ng/Files/AnnualReport2023.pdf > accessed 15 September 2024; Uzor and Adesokan (n 18).

25. Available here: https://nass.gov.ng/documents/billdownload/11219.pdf .

26. Information and choice are central to data protection.

27. In proposed sections, 9, 21(2), 41(1), 46(2)(b), 54(7), and 63(1)(g).

28. An analysis of the continental policy landscape regarding CBDT (like the African Union Convention on Cyber Security and Personal Data Protection) mentions that the Continent intends a free flow of data within the continental borders for the realization of its trade goals as well as protection of data rights. See, Agarwal (n3); CIPESA (n 13).

29. With the World Trade Organization's (WTO) e-commerce transmission moratorium in mind, WTO Trade Facilitation Agreement, and General Agreement on Trade in Services (GATS); may at in international forum, be other factors that must not be disregarded. See, Staff of IMF and Others (n1).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.