Keeping Up with The Regulators: Recent Regulatory Updates in the Nigerian Data Protection Landscape

Nigerian Federal High Court (FHC) declares “Whitelist” on International Data Transfer Ultra Vires, Null and Void

The Whitelist, a list of countries deemed as having adequate data protection laws as contained in Annexure C of the Nigeria Data Protection Implementation Framework 2020 (NDPR Implementation Framework) was issued by the National Information Technology Development Agency (NITDA) (the former data protection authority in Nigeria). This list has been in use since its inception as one of the bases for international transfer of personal data out of Nigeria, to the foreign jurisdictions identified in it.

On 28 November 2023, the Federal High Court, Abuja (FHC) in the case of The Incorporated Trustees of Ikigai Innovation Institute v. National Information Technology Development Agency held that the Whitelist which included countries without a data protection law and/or a data protection authority (e.g., Guinea Bissau, Sierra Leone, Togo, Zambia, etc) is in contravention of Article 2.11 of the Nigeria Data Protection Regulation 2020 (NDPR) and Article 7.0 of the NDPR Implementation Framework.

Consequently, the FHC ordered that the Whitelist be reviewed to ensure compliance with the relevant data protection regulations.

Furthermore, the FHC has set aside the Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) introduced through the NDPR Implementation framework for not being provided under Article 2.11 and 2.12 of the NDPR. Although we note that BCRS and SCCs are now recognised as mechanisms for data transfer under the recently enacted Nigeria Data Protection Act 2023 (NDPA), particularly Section 41(1)(a) which gives the Nigeria Data Protection Commission (NDPC) (the new data protection authority) the power to approve same. For this purpose, this decision has been overtaken by event. ?

The Nigeria Data Protection Commission (NDPC) Releases the Nigeria Data Protection Strategic Roadmap and Action Plan

The NDPC recently released the Nigeria Data Protection Strategic Roadmap and Action Plan (NDP-SRAP) 2023-2027. The NDP-SRAP provides steps and measures for implementing existing and new policies in the Data Privacy ecosystem. It is a detailed plan designed to promote the growth and consolidation of a thriving Data Protection and Privacy ecosystem in Nigeria. The NDP-SRAP is made up of five pillars which includes Governance, Ecosystem and Technology, Human Capital Development, Cooperation, and Collaboration. The NDP-SRAP lists out certain action plans stakeholders can expect from the NDPC in 2024 and beyond, such as issuing Data Privacy enforcement and compliance instruments, developing a programme for sectoral capacity building, the inauguration of the board and management of the NDPC, etc.

The five-year roadmap sets out practical steps that the NDPC intends to take towards deepening the culture and promotion of privacy rights in Nigeria.

Conclusion and Considerations for Business Organizations

The Nigerian data protection landscape is continuously developing at an alarming rate which accentuates the importance of companies and business organizations to pay attention to the privacy sector. It is important for businesses to prioritize and embrace a culture of data protection and ensure compliance with the various privacy laws in order to protect themselves from any possible regulatory sanctions or reputational risk.

It is expected that with the decision of the FHC, the NDPC may review and publish a new Whitelist to reflect countries with adequate data protection laws and independent supervisory authorities. In addition to this, we also expect that the NDPC will issue a guideline in respect of its adequacy assessment as required under the NDPA. We encourage business organizations who are relying on the current Whitelist for international data transfer to re-evaluate their practices and monitor any provisions by the regulator in this regard. Essentially, business organizations will have to revisit their existing data transfer practice especially with countries deemed to have an inadequate data protection law as held by the FHC.

The NDPA has provided several other grounds for cross border transfers that can be relied on.

Aluko & Oyebode is a licensed data protection organization with experience advising business organizations on data protection requirements in Nigeria.

Contact: Sumbo Akintola | Emmanuel Ido | Timothy Ogele, FNSIG,FPRIDA | Moyinoluwa Jemiriye