Cross border transfer of personal data simply means the sharing of personal data from one national jurisdiction to another. The expansion of the internet in the 21st century means that a number of international organizations can share all sorts of information including personal data seamlessly across various countries. The protection of personal data that will be transferred and processed in another country is often a key issue. This article therefore offers useful insights into key considerations for cross border transfer of personal data under Nigerian privacy laws.
Cross Border Transfers in Nigeria
Under the Nigeria Data Protection Regulation 2019 (NDPR), there were two permissible means of cross border transfer of personal data: (i) an adequacy decision by the National Information and Technology Development Agency (NITDA) with the supervision of the Honourable Attorney General of the Federation (HAGF). The HAGF was required to review the foreign country’s data protection framework, as well as general and sector-specific legislation in respect of public security, defence, national security, and criminal law amongst others, before making its adequacy decision. However, in the absence of an adequacy decision, (ii) the following conditions:
- Where the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers;
- The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures taken at the Data Subject’s request;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims; and
- The transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent; Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country.
However, the new Nigeria Data Protection Act 2023 (NDPA) has opted for a slightly different approach. The NDPA has removed the cumbersome requirement for an adequacy decision by the NITDA or the HAGF as discussed above. Instead, it provides that cross border transfers can be done where the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with the NDPA.
The responsibility for determining the adequate level of protection is now solely vested in the Nigeria Data Protection Commission (the Commission) rather than the HAGF, which means that the Commission will now be responsible for issuing an adequacy decision.
However, where there is no adequate level of protection, cross-border transfers can only be done when one of the conditions set out in section 43 of the NDPA is met. The conditions are largely similar to the provisions in the NDPR discussed earlier, save for a new addition which allows for cross border transfers where it is for the sole benefit of a data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer, or if it were reasonably practicable to obtain such consent, the data subject would likely give it.
Key Considerations for Business
The coming into effect of the NDPA means businesses should consider the requirements for cross border transfer of personal data. Some of the critical considerations are:
- Internal Policies: One of the requirements of the NDPA is that data controllers and processors record the basis for transfer of personal data to another country. Businesses and corporate organizations that intend to engage in cross-border transfers will need to formulate or review their existing internal policies to reflect the provisions of the NDPA.
- Terms and Conditions: Make sure contracts specify the terms and conditions under which personal data will be transferred, including but not limited to (i) any other regulation that safeguards the security and confidentiality of personal data and (ii) notification prior to transfer.
- Possible Regulations: The NDPA authorizes the Commission to make regulations on certain provisions, such as:
  - (i) requiring data controllers and data processors to notify it of the measures in place to ensure the protection of personal data in cross-border transfers, as well as to explain the adequacy of such measures;
  - (ii) designating categories of personal data that are subject to additional specified restrictions on transfer to another country based on the nature of such data.
Businesses will need to pay close attention to the Commission and the regulations that it will likely formulate with respect to cross-border transfers.
Cross-border data exchanges are essential in the age of globalisation and digital interconnection for promoting innovation and economic prosperity. However, it is equally crucial to find a balance between the preservation of individual privacy rights and the open flow of data. Businesses will need to comply with the foregoing requirements of the Act when transferring data out of Nigeria to avoid incurring substantial financial penalties as prescribed by the Act.
Aluko & Oyebode is a registered Data Protection Compliance Organisation (DPCO) and we are able to assist organisations in facilitating their data protection compliance plans in line with the prevailing practices.