An Analysis of Cross-Border Data Transfer Under the Nigerian Law

In today’s digital economy, information travels faster than ever, raising crucial questions about privacy, security, and compliance. Nigerian law has developed frameworks to address concerns about privacy, security, and compliance, ensuring that cross-border data transfers are conducted responsibly and in line with international standards.

In this article, we analyse the legislation of cross-border data, and its limitation to other countries under the Nigeria Data Protection Act (NDPA).

What is Cross-Border Data Transfer?

Cross-border data transfer is simply the transmission of personal data from one jurisdiction to another. This typically occurs through cloud servers or digital networks and may be crucial for facilitating business operations, enhancing customer experiences, and enabling global digital trade. However, because privacy and data protection standards vary across jurisdictions, such transfers raise important compliance and security concerns. Under Nigerian law, the NDPA sets the framework for lawful cross-border transfers. These rules emphasize safeguards such as obtaining valid user consent, ensuring the receiving country offers adequate data protection, or implementing contractual mechanisms that guarantee privacy.

Cross-Border Data Transfer Under the NDPA

The NDPA outlines certain conditions that a data controller or data processor must meet before engaging in cross-border data transfers. The conditions are stated and explained below:

1. Adequate Protection by the Recipient: The Data Controller or Data Processor (DC/DP) must ensure that the recipient of the personal data is governed by a law or subject to contractual clauses or binding corporate rules that afford an adequate level of protection with respect to personal data
2. Compliance with Section 43 and the GAID: The DC/DP must ensure that any of the conditions set out in Section 43 of the Act or in the General Application and Implementation Directive 2025 (GAID) are met. The conditions are stated below:

• The data subject has provided consent, which has not been withdrawn, after being informed of the possible risks of the transfer due to the absence of adequate protections.
• The transfer is necessary for the performance of a contract to which the data subject is a party.
• The transfer is solely for the benefit of the data subject, and it was either impracticable to obtain consent or the data subject would not reasonably object if consent had been sought.
• The transfer is required for reasons of public interest.
• The transfer is necessary for the establishment, exercise, or defence of legal claims.
• The transfer is required to protect the vital interests of the data subject or another person, particularly where obtaining consent was impracticable. Upon the satisfaction of the conditions stated above, the DC/DP will be able to engage in transferring the data of their customers to another jurisdiction.

Adequacy Requirement for Recipient Countries

A DC/DP may transfer personal data to a country, region, or sector that the Nigeria Data Protection Commission (NDPC) has determined to provide an adequate level of protection comparable to the NDPA. In making this determination, the NDPC evaluates whether the recipient jurisdiction upholds principles substantially similar to those governing the processing of personal data under the NDPA. In particular, the NDPC considers factors such as:

1. Availability of enforceable data subjects’ rights: In assessing adequacy, the NDPC considers whether data subjects in the recipient country can effectively enforce their rights. This includes evaluating the availability of administrative and judicial redress mechanisms, as well as the strength of the rule of law. Priority is given to jurisdictions where data subject rights are expressly guaranteed by statute or law, and where individuals have practical and accessible avenues for resolving disputes.
2. Cross-Border Agreement: In deciding whether a recipient country offers adequate protection, the NDPC may also look at the presence of a formal agreement between itself and the foreign data protection authority. Such arrangements are important for enabling joint oversight, facilitating cross-border enforcement actions, and ensuring effective exchange of information in cases involving personal data transfers.
3. Access to Personal Data: The NDPC will assess the extent to which public authorities in the recipient country can access personal data. This includes examining the legal basis for such access, the procedures followed, and the safeguards in place to prevent abuse.
4. Legal Framework: The NDPC will also review whether the recipient country has a functional data protection framework and evaluate the effectiveness of that system. This involves looking at how well the country’s laws safeguard privacy rights, regulate the handling of personal data, and provide remedies where breaches occur.
5. Supervisory Authority: Additionally, the NDPC will also take into account whether the recipient country has an independent and competent supervisory authority responsible for enforcing data protection laws. Such a body should have the mandate and resources to oversee compliance, investigate violations, and impose sanctions where necessary.
6. International Conventions: Finally, the NDPC will consider whether the recipient country is a party to any international conventions or agreements that affect data protection. This includes instruments that influence how personal data is processed, how data subjects’ rights are enforced, or how cooperation between Nigeria and the foreign country is structured.

Conclusion

Cross-border data transfers are essential for global business and digital innovation, but they must be approached with caution to protect the rights of Nigerian data subjects. The NDPA and the adequacy framework provide clear guidance to ensure such transfers are lawful, secure, and consistent with international best practices.

‍