ARTICLE
9 January 2026

Moving Personal Data Across Borders? What Your Startup Needs To Know

Tope Adebayo LP

Contributor

Established in 2008, Tope Adebayo LP offers holistic solutions in energy, disputes, and corporate transactions. Our diverse team crafts bespoke strategies for clients, driving industry wins and growth. We are a one-stop shop, licensed for legal, finance, and corporate services, with a global network for seamless cross-border transactions.

For many Nigerian tech startups, the use of offshore cloud infrastructure and foreign service providers is unavoidable. From hosting customer databases on overseas servers to using global SaaS tools for analytics, payments, and customer relationship management, cross-border data transfers are embedded in everyday operations.

What is often overlooked, however, is that under Nigerian law, transferring personal data outside Nigeria is not automatically lawful. The Nigeria Data Protection Act 2023 ("NDPA") and its General Application and Implementation Directive 2025 ("GAID") impose strict conditions that must be satisfied before such transfers can legally occur.

Historically, many startups transferred data offshore with limited scrutiny and little visible enforcement. That position has now changed. In 2024, the Nigeria Data Protection Commission ("NDPC") imposed an administrative fine of N766,242,500 on MultiChoice Nigeria for, among other violations, unlawful cross-border data transfers. In 2025, the NDPC imposed a USD 32.8 million remedial fee on Meta for similar infractions. These enforcement actions mark a clear shift toward active regulatory oversight.

With this renewed enforcement posture, Nigerian startups can no longer treat cross-border data transfers as a compliance afterthought. This edition of TechBrief by TALP unpacks the key requirements under Nigerian law.

The Three Lawful Gateways for Cross-Border Data Transfer

As a general rule, the NDPA prohibits the transfer of personal data from Nigeria to another country unless the transfer falls within one of three legally recognised gateways. Startups relying on foreign servers or international service providers must be able to clearly justify their data flows using at least one of the following bases:

  • An Adequacy Decision by the NDPC;
  • A Cross-Border Data Transfer Instrument (CBDTI) approved by the NDPC; or
  • Execution of a Jural or Fiduciary obligation.

  1. Adequacy Decision by NDPC

A cross-border transfer is lawful where the NDPC has formally determined that the recipient country provides an adequate level of data protection. In making this determination, the Commission assesses factors including:

  • Whether data subject rights are recognized and enforceable in the recipient jurisdiction
  • The existence of comprehensive data protection legislation
  • The presence of an effective and independent supervisory authority
  • Regulatory cooperation mechanisms between Nigeria and the recipient jurisdiction

Under the now repealed Nigeria Data Protection Regulation 2019 Implementation Framework, startups often relied on a published "Whitelist" of countries deemed adequate. With the coming into force of the GAID in 2025, that framework has been repealed, and the Whitelist no longer has legal effect. It is expected that in due time, the NDPC will issue formal Adequacy Decisions in respect of jurisdictions that meet data protection standards under the NDPA and GAID.

  2. Cross-Border Data Transfer Instrument ("CBDTI") approved by the NDPC

Where no adequacy decision exists, Nigerian law permits cross-border transfers based on approved contractual or organisational safeguards, collectively referred to as CBDTIs. These include:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Codes of Conduct (CoC)

SCCs are standardised contractual provisions that impose minimum data protection obligations on the foreign recipient of personal data. They may be used as standalone agreements or incorporated into existing contracts. A good example is the EU's SCCs, adopted by EU-based data controllers exporting personal data abroad.

BCRs are internal policies adopted by multinational groups to regulate how personal data is shared among affiliated entities across jurisdictions. CoC, on the other hand, are sector-specific or industry-wide rules developed by associations or groups of businesses, governing cross-border data transfer within that sector or industry. They reflect the unique risks and operational realities of data processing within that particular sector.

Under Nigerian law, CBDTIs are intended to promote accountability in data processing, protect data sovereignty, and ensure that data subjects retain access to effective remedies.

Importantly, a CBDTI can only be relied upon as a lawful basis for cross-border data transfer where it has been approved by the NDPC.

  3. Jural or Fiduciary Obligations

Nigerian law also recognizes special circumstances where personal data can be lawfully transferred outside Nigeria without an adequacy decision or an approved CBDTI. These circumstances are narrowly construed and apply where the transfer is driven by compelling legal or fiduciary obligations, rather than commercial or profit-making purposes. These circumstances include where the transfer is necessary:

  • to establish or defend a legal claim;
  • to protect the vital interests of a data subject who is incapable of giving consent;
  • for reasons of public interest;
  • where the data subject has given informed consent after being made aware of the risks associated with the transfer and has not withdrawn that consent;
  • to perform or conclude a contract to which the data subject is a party. Where such contract is still under negotiation, consent may be inferred from the data subject's clear affirmative actions; or
  • where the transfer is solely for the benefit of the data subject, and it is not reasonably practicable to obtain consent, but it is reasonable to conclude that consent would have been given if practicable.

Other Key Considerations for Cross-Border Data Transfer

In addition to ensuring that a legal basis for cross-border transfer of personal data exists, the GAID introduces two critical requirements that every Data Protection Officer, Chief Technical Officer, and Founder must note:

  1. Mandatory Data Protection Impact Assessment (DPIA): Cross-border data transfer is now classified as a "high-risk" activity. Companies are required to conduct a Data Protection Impact Assessment and file same with the NDPC.
  2. Record of Processing Activities (ROPA): Controllers and processors are legally required to maintain a record of every foreign entity that receives personal data from a Nigerian entity, the legal basis for that transfer, and the security measures in place.

Sector-Specific Restrictions

Even where the NDPA requirements are satisfied, additional sectoral regulations may apply. For example, the Central Bank of Nigeria's Regulatory Framework for Bank Verification Number Operations prohibits the transfer of BVN data outside Nigeria without the CBN's express approval.

Conclusion

Cross-border data transfers are no longer a low-risk compliance issue for Nigerian startups. With heightened enforcement and clearer regulatory expectations, organisations must proactively map their data flows, document their legal bases, and align operational practices with the NDPA and GAID.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
