
Changing trend in international data transfer in Nigeria: Reassessing the “adequacy of the Whitelist” and the implications for businesses

Authors: Adedolapo Adegoroye, Dorcas Tsebee, and Rodiyyah Bashir

Introduction

International data transfer has many implications for the global digital economy. However, operationalising it can prove quite complex, requiring astute navigation from the regulators. This has been illustrated in the recent court decision in Incorporated Trustees of Ikigai Innovation Initiative v. National Information Technology Development Agency (NITDA) on the “adequacy” of the whitelisted countries for international data transfer. 

In 2021, Ikigai lodged a complaint with Nigeria's then-data protection authority, the National Information Technology Development Agency (NITDA), about including countries without data protection laws or authority in its Whitelist and calling for a reassessment. Following NITDA's inaction despite repeated follow-ups, a lawsuit was filed in 2022 to challenge its non-compliance with its regulations, the Nigeria Data Protection Regulation (NDPR). In court, NITDA did not file any response to the suit. Consequently, the Federal High Court delivered its judgement in the case. The outcome of this decision will significantly influence the outlook and approach of regulators and businesses, requiring them to reassess and revise their mechanisms for international data transfer. 

This article examines the recent judgement and its relevance to the international data transfer framework. It highlights its impact on regulators and the broader ecosystem, despite some aspects being superseded by recent events.

Understanding the mechanisms for international data transfer in Nigeria

Like many countries, Nigeria’s framework for data protection does not provide a blank cheque for international data transfer. Rather, it allows for such transfers only upon fulfilling certain conditions. The NDPR outlines two major transfer mechanisms: adequacy decisions and derogations. Concerning adequacy decisions, the NDPR states that international data transfer will be permitted if NITDA[2] determines that the foreign country or organisation ensures adequate protection[3]. The law further provides clear criteria on which an adequacy decision for a country or organisation may be given, including a sufficient level of protection demonstrated through its legal system, including respect for human rights and data protection laws, effective data protection implementation and enforcement, independent supervisory authorities for data protection, and international commitments to personal data protection.

However, in the absence of an adequacy decision, the transfer may occur under certain derogations, including explicit consent from the data subject, necessity for contractual performance in the data subject's interest, public interest, legal claims, or protection of vital interests[4].

The NDPR Implementation Framework (NDPIF), aimed at clarifying NDPR provisions, introduced nuance to the international data transfer mechanism. The NDPIF included a “Whitelist” of countries[5] considered adequate. However, this list controversially includes countries without data protection laws or authorities and those with laws but no designated data protection authority. This deviation from NDPR's criteria for such determinations raised questions about the effectiveness and consistency of the international data transfer process under the NDPIF. Unlike some other countries where the assessment and the rationale for considering a country adequate are published, the NDPIF does not include a country-by-country assessment.

Additionally, the NDPIF introduced Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) as data transfer mechanisms[6], despite lacking a basis under the NDPR. This suggests that the NDPIF and its regulator, NITDA, introduced new transfer methods that were neither authorised nor recognised under the existing law at the time of publication.

Progressively, enacting the Nigeria Data Protection Act (NDPA) brings a semblance of order to the transfer mechanisms as it formalises the use of BCRs and SCCs. However, it does not invalidate the Whitelist under the NDPIF and still allows the regulator to designate countries as adequate. Consequently, the Whitelist remains in force and is guaranteed under the transition provisions of the NDPA[7].

Summary of the judgement

In November 2023, the Federal High Court ruled that strict adherence to the NDPR's criteria is mandatory for a foreign country to qualify for international data transfer. The court declared that the whitelist in Annexure C of the NDPIF, which included countries not meeting these NDPR criteria, is incorrect. Furthermore, the court addressed the issue of including countries on the whitelist as signatories to the African Union Convention on Cybersecurity Protection of Personal Data (Malabo Convention). Despite their commitment to the convention, some countries lack a law or an authority, which should have rendered them ineligible. For example, Comoros and Mozambique signed the Convention but did not have a law.

Similarly, Togo has enacted a law but has not established an authority. The court emphasised that including such countries contradicted NDPR objectives. Further, the court scrutinised the introduction of data transfer mechanisms not originally stipulated in the NDPR, asserting that such additions were beyond NITDA's authority. Additionally, the court expressed reservations about the deficiencies in the whitelist, emphasising the need for rectification to ensure effective data protection. The regulator has been directed to provide a country-by-country assessment in the reassessment of the list. 

The court's ruling underscored the significance of regulators adhering to their laws. 


Post-judgement landscape and potential impact on the ecosystem

The court’s decision has overarching implications for stakeholders, including regulators, data controllers and processors. However, parts of the judgement have become irrelevant due to the change in the regulatory landscape with the enactment of the NDPA and the formal establishment of a new authority. For example, the BCR and SCC declared void under the judgement have been formally incorporated into the NDPA. Also, countries like Algeria and Mauritania, which had laws but had yet to establish their authorities when the case was filed, now have authorities. However, the regulator's omission in providing a country-by-country assessment and its inclusion of countries without data protection mechanisms in the whitelist contradict its rules.

The decision may lead to uncertainty regarding selecting a suitable transfer mechanism and the future of international data transfer. This is particularly relevant as newer mechanisms introduced by the NDPA, such as SCC, BCR, Code of Conduct, and Certification Mechanism, still need clear guidance on their approval process. Consequently, this may impact the international data transfer landscape and require swift action from the regulator and businesses wishing to transfer data outside the country. 

Impact on the regulator

  • The Nigerian Data Protection Commission (NDPC) must review and update the current adequacy list under the NDPIF to ensure that only countries with a data protection mechanism that adheres to its rules are on the list. This includes publishing its criteria for assessment, a thorough analysis and the publication of the country-by-country assessment. The list will need an update so that countries without authorities, like Congo and Togo, and other signatories to the Malabo Convention but without laws, including Cameroon, Comoros, Djibouti, Gambia, Guinea-Bissau, Mozambique, Sierra Leone, and Sudan, will be reassessed. It is interesting to note that Nigeria has yet to sign or ratify the Malabo Convention.
  • Also, to forestall regulatory uncertainty and panic in the ecosystem, the NDPC may consider accelerating the procedure for approval of newer transfer mechanisms like the BCR and publishing different modules of its approved SCC. This can be included in the upcoming Implementation Directive for the NDPA, scheduled for release in early 2024. 
  • In addition, the NDPC may consider appealing the decision as an interested party and ask the appeal court for an injunction pending the appeal process. The intervention can prevent business panic and allow the regulator time to revise the list, potentially resolving the core issues before the substantive appeal is concluded. 
  • Furthermore, a prompt official statement from the NDPC outlining the regulatory direction and timeline would assist businesses in planning their international data transfers and reduce uncertainty.
  • Lastly, the Nigerian Data Protection Commission (NDPC) has introduced a Code of Conduct for Data Protection Compliance Organisations (DPCOs). This Code includes a proposal for establishing a system to support Cross-Border Privacy Rules (CBPR). Implementing CBPR could be a strategic move for the NDPC, especially in the interim period while the Whitelist of countries is under review. CBPR offers a framework for ensuring robust privacy standards during international data transfers. It benefits Nigeria as it seeks to bolster its data protection regime and facilitate global digital trade.

Impact on data controllers and data processors (businesses)

The impact of this judgement on businesses acting as controllers, processors, or both includes the following:

  • Businesses transferring data outside Nigeria must now re-evaluate their data transfer practices, especially transfers to countries on the Whitelist that lack data protection laws or authorities. This might necessitate seeking alternative data transfer mechanisms or countries with stronger data protection frameworks. For example, the derogations under the law are less restrictive than those under counterpart laws. These derogations could serve as interim solutions for data transfer until the NDPC releases a revised list, ensuring minimal disruption to commercial activities. Furthermore, it is important to document the basis for each transfer.
  • Legal and compliance teams should keep abreast of changes to the Whitelist, particularly regarding countries lacking data protection laws or authorities, and adjust their data transfer strategies accordingly. Enhanced due diligence and risk assessments will be vital for international data transfers. For instance, while not legally required, conducting a transfer risk assessment is advisable for countries without data protection laws or authorities to reinforce the safeguards associated with the transfer.

Conclusion

The NDPR and its Implementation Framework contain the country’s adequacy list and have long regulated international data transfers in Nigeria. While the NDPA created a new framework for international data transfers, the list remains a reference point for international data transfers. However, with the court’s recent judgement, reference to the list will no longer be accurate as the list’s validity is now in question. As businesses anticipate a review or update of the list by the new regulator (NDPC), they also need to assess their internal data transfer strategies and stay updated with recent developments to ensure continuous compliance.


References

  1. FHC/ABJ/CS/1246/2022

  2. This decision is made under the supervision of the Attorney General of the Federation (AGF). See Article 2.11 of the Nigeria Data Protection Regulation. Contrary to the view that permission from the AGF is required before data transfer, NITDA published an FAQ clarifying that it is not required. See Nigeria Data Protection Regulation Performance Report 2020 - 2021. Pg. 29. <https://ndpc.gov.ng/Files/hhNITDA_Compiled%20NDPR%20Draft%202020-2021_0701.pdf>

  3. Article 2.11 of the Nigerian Data Protection Regulation

  4. Article 2.12 of the Nigerian Data Protection Regulation

  5. Annexure C of the Nigerian Data Protection Regulation Implementation Framework

  6. Article 7.3 of the Nigerian Data Protection Regulation Implementation Framework

  7. Section 64 NDPA.