About Us
FAQ
Global Advisory Experts Logo
Global Advisory Experts Logo

Find a Global Law Expert

Specialism
Country
Practice Area

Awards

Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.

THE REGULATION OF DATA IN NIGERIA: CROSS-BORDER TRANSFER OF DATA

posted 2 years ago

INTRODUCTION

In today’s world, the commonly used phrase “the world is your oyster” can now be taken literally by businesses. With the use of technology and data analytics, companies can now reach customers across borders with products/ services tailored to meet the peculiar needs of customers in various countries.

As data analytics has become a pivotal part of most businesses, understanding the regulatory framework for proper data usage is imperative. More specifically for local and multinational companies playing in the Nigerian market, understanding the requirements of Nigerian data protection laws for cross border transactions is key.

In this article we have set out in a simplified manner the requirements of the Nigerian data protection laws for cross border transactions.

 

  1. WHAT ARE THE APPLICABLE REGULATIONS?

The primary regulations are the Nigeria Data Protection Regulation (NDPR) and the NDPR Implementation Framework.

 

  1. WHAT TYPE OF DATA IS SUBJECT TO REGULATIONS ON CROSS-BORDER TRANSFER?

Any personal information that can be used to identify a Nigerian citizen (Personal Data) is regulated under the NDPR and subject to the restrictions on cross-border transfer. Please note that anonymised data is excluded from the restrictions on data transfer in Nigeria.

 

  1. WHEN IS A CROSS-BORDER TRANSFER CONSIDERED TO HAVE OCCURRED?

A company will be considered to have transferred data outside Nigeria where the company:

  1.  hosts or transfers data to a database maintained by a company located outside Nigeria (Foreign Company);
  2. grants staff and/or other third parties of a Foreign Company access to Personal Data; or

iii. relies on a Foreign Company for technical support and in the process grants that company access to the personal data of Nigerians.

 

  1. ARE THERE COUNTRIES DEEMED AS HAVING ADEQUATE DATA PROTECTION LAWS UNDER NIGERIAN LAW?

Yes,  countries deemed to have adequate data protection laws are included on a white list contained in the NDPR framework. These include, all African countries who are signatories to the Malabo Convention 2014; all EU and European Economic Area Countries; United States of America; Japan and many more.

 

  1. ARE COMPANIES IN NIGERIA FREE TO TRANSFER DATA TO COUNTRIES ON THE WHITE LIST?

Yes, but prior to such a transfer, the companies are expected to enter into data transfer agreements with the Foreign Company detailing the terms of the transfer and the measures to be adopted by the Foreign Company to protect the Personal Data received.

 

  1. CAN A COMPANY IN NIGERIA TRANSFER TO COUNTRIES NOT LISTED ON THE WHITE LIST?

Yes, they will however be required to: (i) notify the individual whose data is being transferred of the risk involved in transferring data to a country without adequate level of protection; (ii) obtain the individual’s consent; and (iii) enter into a data transfer agreement with the Foreign Company prior to any such transfer.

 

  1. DOES THE REQUIREMENT FOR CROSS-BORDER TRANSFER OF DATA DIFFER WHEN THE TRANSFER IS BETWEEN COMPANIES WITHIN THE SAME GROUP/SUBSIDIARIES?

Yes, to share personal data with companies within the same group, the transferring company is required to execute a Binding Corporate Rule (BCR) or  include Standard Contracting Clauses (SCC) in data transfer agreements. These documents can be provided by licensed Data Protection Compliance Organisations in Nigeria.

 

CONCLUSION

A company that complies with the foregoing requirements of Nigerian law when transferring data out of Nigeria would avoid incurring substantial financial penalties from the National Information Technology Development Agency (NITDA).

It is pertinent to note that companies (both local and foreign) handling data of over 1000 Nigerian citizens are required to engage the services of a licensed Data Protection Compliance Organisation to review their activities and make recommendations geared towards ensuring compliance.

For clarity on the foregoing article,  you may contact Pavestones Legal via [email protected]. Pavestones Legal is one of the few licensed Data Protection Compliance Organisations in Nigeria and is also a full-service law practice providing support to both local and foreign clients.

 

Author

Join

0
who are already getting the benefits

Sign up for the latest advisory briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

Newsletter Sign Up

About Us

Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Contact Us

Stay Informed

Join Mailing List

GAE