Articles

Operationalising the NDPA: Bridging digital boundaries with cross-border data rules

Written by Diana Uzor and Bukola Adesokan

A new data protection law has set sail in Nigeria, and you must be eager to know what lies ahead and how it impacts your cross border data transfer practices. Worry not, we have got a sturdy raft to keep you afloat. We have all the juicy details on how it works, what it entails, and how to stay on the right side of the law.

In this article, we explore the ways organisations can transfer data under the Nigerian Data Protection Act (NDPA). Two fundamental keys will guide us – the adequacy protection mechanism and derogations. 

We will also delve into the realm of preparation in cross-border data transfer. Guiding you step-by-step in achieving compliance with the NDPA.

Introduction

International data flow sits at the heart of modern business, driving innovation and enabling companies to participate in the global digital space. Yet, with different countries enacting data protection laws to safeguard personal data—even as it traverses borders—the complexities for organisations deepen. Indeed, comprehending these cross-border data flows and ensuring full compliance with existing regulations poses a challenge. The Nigerian Data Protection Act (NDPA) provides international data transfer obligations that businesses must navigate within this context. This article aims to demystify what constitutes international data transfer, using tangible examples, highlighting the mechanisms of data transfer, and offering actionable recommendations for organisations striving to align with the law.

What constitutes cross-border data transfer?

International data transfer refers to moving personal or sensitive data across countries. It encompasses any act of transmitting, sharing, or storing such data in countries outside its original country of collection, whether for business, regulatory, or technological purposes. International data transfer refers explicitly to sharing personal data across borders between distinct entities, with each entity acting as either a controller, joint controller, or processor. While the NDPA does not explicitly define cross-border data transfers, a great way to understand what it is, is by understanding what it is not. The EPDB created some scenarios in its guidelines, which we have slightly modified for context. 

Consider the following example of what constitutes a cross border transfer: 

Example 1: 

A Nigerian-based company, RT, is a subsidiary of its main company, DX, located in Laos, sends its employees data to the parent company, this is international data transfer. In this scenario, RT, as the employer, takes on the controller role by disclosing the data.

Example 2:

Company A is established in Nigeria and acts as the controller of personal data. This company processes the personal information of its employees. Whenever Company A needs to process this data for human resources (HR) purposes, it collaborates with Company B, which offers an HR management enterprise solution that manages payroll and other employee issues, a processor in Lativia. The transfer of this personal data from Company A in Nigeria to Company B in Canada is a  cross border data transfer. 

However, it is important to note that not all international flows of data will be classified as cross border transfer of data. 

The following examples illustrate what would not constitute a cross border transfer:

Example 3: 

Mike, an employee of Company A based in Nigeria, travels to the Maldives for a meeting. During his stay in the Maldives, Mike remotely accesses personal data from his company's work environment to complete a memo. The remote access of personal data from the Maldives does not constitute a transfer of personal data. The reason is that Mike is not a separate controller; rather, he is an employee and an integral part of Company A, which acts as the controller of the data.

In this scenario, the data access and processing activities are carried out within the same controller, Company A. Despite the fact that the data access occurs remotely from the Maldives, it does not involve the disclosure of personal data to another controller or a different party. Consequently, the situation does not meet the criteria for cross-border data transfer.

Example 4:

Janet resides in Nigeria and decides to shop on an e-commerce platform operated by a company in China. She enters her personal data on the e-commerce website to complete her order, including her residential address for item delivery. In this case, Janet provides her personal data to the company based in China. However, this does not qualify as an international transfer of personal data since the data is not transmitted by a controller or processor. Instead, it is shared directly and voluntarily by Janet herself.

Navigating data transfers under the new data protection law

Generally, the law restricts the transfer of data to other countries, but provides some exceptions. Unlike some other laws, the NDPA took a slightly different model by lumping the adequacy decision and apprporpiate safeguards mechanisms. When the former is inapplicable, the law provides a list of derogations. The aim is to ensure the secure transfer of personal data across borders. 

If your organisation already adheres to the Nigeria Data Protection Regulation (NDPR), you might find minimal adjustments needed concerning data transfer under the NDPA. The new law recognises existing data transfer mechanisms, and introduces new ones, allowing you to select from these various mechanisms:

  1. Adequate protection mechanism

Under the law, international data transfer is permissible when the receiving entity is subject to a law, binding corporate rules, contractual clauses, codes of conduct, or certification mechanism. The Commission can also issue an adequacy decision on a country, international organisation, or sector, which suggests the destination country must have data protection laws or measures in place that ensure the data will be kept safe, similar to the standard applicable in Nigeria. When evaluating the adoption of a transfer mechanism, the NDPA stipulates a set of criteria to be considered and documented alongside the selected data transfer mechanism. For international data transfers, the law assesses the enforceability of data subject rights, existing data protection agreements and laws, public authority's access to data, the presence of an independent supervisory body, and the receiving country's international commitments.

  1. Derogations

When it is impossible to use any of the adequate protection mechanisms, the controller or processor can leverage the derogations under the law. Though the Act does not label these as "derogations," they are typically seen as a last resort and unsuitable for frequent, repeated data transfers. They are best suited for occasional transfers and should not be the go-to method for regular data transfers. International data transfers are allowed when: the data subject gives informed consent; it is crucial for the performance of contracts; it is in the data subject's sole interest; the transfer is in the public interest; it is necessary for a legal claim; or it is in the vital interest of the data subject, especially if they cannot give consent.

To transfer or not to transfer, that is the question

The NDPA's provisions hint at a shared responsibility between data controllers or processors and the Nigeria Data Protection Commission (NDPC) concerning the adequacy assessment of data transfers. Historically, only the regulator, in consultation with the Attorney General, had the authority to conduct an adequacy assessment for a country or international organisation. The NDPA, however, seems to be shifting this paradigm by introducing obligations for controllers and processors. This new approach, while innovative, raises questions about the clear division of roles and could lead to uncertainties in the adequacy protection mechanism's operation. One particular area of uncertainty revolves around whether the criteria for the assessment are strictly for regulators to assess countries or a more comprehensive transfer impact/risk evaluation to be made by the controllers or processors. This ambiguity is compounded by the law also allowing the Commission to use same criteria available to controllers or processors when determining the 'adequacy' of countries. 

The whitelist of countries provided under the Data Protection Implementation Framework is currently under legal contention for failing to comply with or adhere to the conditions provided under the law. The prior regulation's adequacy list highlighted countries without established data protection laws, including Comoros, Mozambique, Sierra Leone, and Sudan. Furthermore, while countries such as Congo, Togo, and Zambia have data protection legislation, they have not yet established the respective authorities to enforce them.

It is worth noting the emerging trend in Nigeria's data protection landscape. The country seems to be gravitating towards the Global Cross Border Privacy Rules Forum (CBPR), as evidenced by its recent engagements with CBPR officials and participation in the CBPR global conference. This development hints at a potential alignment of the certification mechanism with global standards, which would undoubtedly impact how cross-border data transfers are managed.

Deciding on a transfer mechanism

Choosing a suitable transfer mechanism is pivotal for safeguarding data and ensuring compliance. Let us explore the nuances and considerations essential for making an informed decision.

  1. Understand your data flow

To effectively manage your organisation's data flow, evaluating and recording how data moves within and outside of your organisation is essential. Your data map should detail where each data category is stored and list all third parties with whom the data is shared. To streamline this process, identify service providers involved in data handling, tools used for data processing, and any third parties or vendors that process data on your behalf. Document the locations where data processing occurs and maintain a comprehensive inventory of these entities and tools. In your assessment, consider every participant in the data transfer, including controllers, processors, and sub-processors in the recipient country. The more parties involved, the more intricate your evaluation becomes.

  1. Take an inventory of tools

Often, the tools used to manage business operations process data outside of the home country. Compiling an inventory of these tools — including cloud providers, collaboration platforms, video conferencing systems, HR solutions, payroll software, and marketing tools, among others —is pivotal to a comprehensive understanding of your international data transfer activities.

  1. Identify the appropriate transfer mechanism

When choosing a data transfer mechanism, first familiarise yourself with the available options and their specific applicabilities. For instance, binding corporate rules are ideal for corporate group transfers but not external transfers. If relying on an adequacy decision, it is crucial to consult the list of approved countries. Additionally, assess the nature, frequency, and volume of your international data transfers; different mechanisms might be more suitable depending on the frequency and volume of transfers. Finally, just as with standard data processing, ensure that the data you transfer is adequate, relevant, appropriate, and limited to what is essential for its intended purpose.

  1. Consider your partners

Identifying the appropriate transfer mechanism is not merely a matter of compliance; it also goes a long way in safeguarding an organisation's reputation and ensuring trust with stakeholders. In choosing partners, service providers, or vendors, while the choice of country is a good metric, more is needed. Verifying their compliance and data handling practices is crucial. They should either be bound by similar obligations or offer guarantees of an equivalent level of protection. When mapping data transfers, ensure you account for subsequent transfers, such as when a processor you have shared personal data with forwards it to a sub-processor in another country or the same country.

  1. Conduct a Transfer Impact/Risk Assessment (TIA/TRA) 

While not explicitly mandated by the Act, conducting a transfer impact/risk assessment can significantly bolster your international data transfer strategy. This assessment examines the data protection implications of transferring data to countries without recognised adequate protections. Its aim is to determine any extra safeguards required to protect data in the recipient country. We recommend conducting a TIA/TRA for all transfers, even to countries labelled 'adequate' by regulatory bodies. While we understand this is not required for countries labelled as “adequate,” notably, the previous regulation's adequacy list featured countries like Comoros, Mozambique, Sierra Leone, and Sudan lacking data protection laws. It also listed countries like Congo, Togo, and Zambia, which, despite having laws, have yet to establish their authorities. The outcome of the TIA/TRA may require you to put in place additional technical and organisational measures to safeguard the data and ensure compliance. In the assessment, be mindful of the legal obligations in the receiving country that mandate the disclosure of personal data to public authorities or grant these authorities access rights to personal data. Prioritise caution in countries with expansive surveillance laws that lack adequate safeguards or where it may be difficult to enforce data subject rights. 

  1. Document your transfer mechanism

Now that you have identified your data transfer mechanism, ensure it is well-documented. This not only aids in compliance checks but also in demonstrating due diligence to regulatory authorities should the need arise. This step is crucial for fulfilling the accountability obligation. In addition, organisations are required to document the “adequacy of the protection” in accordance with the criteria set out after the assessment by the controller or processor.

  1. Continuous review

Data protection landscapes are constantly changing. Today's transfer mechanism may need to be updated or non-compliant tomorrow. Therefore, regular reviews and updates of transfer mechanisms are essential to align with new regulations and best practices.

  1. Get approval of the NDPC (where required)

Suppose you choose to use tools such as binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms for data transfer. In that case, approval of these tools from the NDPC is required before implementation. Currently, the specifics of the approval process remain undefined, and further details from the NDPC are needed for a clearer understanding. 

Conclusion

Now that we have attempted to demystify cross-border transfer of data, to align with the NDPA, organisations must prioritise compliance and use the appropriate mechanism. The NDPC needs to clarify how cross-border data transfers will function under the new adequacy protection mechanism. This includes elucidating the requirements for approving binding corporate rules, codes of conduct, and certification mechanisms. Furthermore, the Commission should detail its plans concerning the publication of contractual clauses and the potential for varied modules. While there is a need for the regulators to issue further guidance on the operability of the mechanisms, the show goes on, and you can take proactive steps to achieve compliance. You may start by evaluating your existing measures against the steps we have highlighted above. An implementation framework for the new law is being developed and the committee was recently inaugurated. It is expected that the framework will provide clarity on what is expected.

For transfers that you have yet to find an appropriate basis for, you may want to suspend them for now, speak to an expert on next steps and be guided through employing any of the available transfer mechanisms.