Legal Imperatives for Processing Personal Data in Nigeria
Under the NDPR, processing of Personal Data by a Data Controller is considered lawful if:
- the Data Subject has given consent to the processing of Personal Data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject before entering into a contract;
- the processing is necessary for compliance with a legal obligation to which such Data Controller is subject, or to protect the vital interests of the Data Subject; or
- where such processing is necessary for the performance of a task carried out in the public interest or exercise of the official public mandate vested in the Data Controller. In this case, the Data Processor may elect any of the above options.
Regulation of International Transfer of Personal Data
In Nigeria, any transfer of Personal Data that is processed, or intended for transfer, to a foreign country or an international organisation shall take place subject to the provisions of the NDPR and the supervision of the Honorable Attorney General of the Federation in Nigeria (HAGF).
It is apt to mention that the NDPR provides for the adequacy of safeguards available in the foreign or recipient countries as a condition for approval of international transfer of personal data. This is aimed at regulating and controlling the international transfer of data as well as protecting Data Subjects in Nigeria. Typically, these safeguards must be enshrined in legally binding instruments, such as contracts or Memoranda of Understanding, between the transferring and recipient parties.
The Attorney General of the Federation (HAGF) is expected to take into consideration a number of factors in measuring adequacy.
Standards for Adequacy
For a foreign transfer of data to be made, the foreign country in question should have an adequate level of protection. Additionally, the HAGF will take into consideration the legal system of the foreign country, particularly, in the areas of rule of law, respect for human rights and fundamental freedom, relevant legislation, and the access of public authorities to Personal Data. Again, the implementation of data protection rules in this foreign country should be enforceable by Data Subject rights, and there should also be access to appropriate administrative and judicial redress for the Data Subjects whose Personal Data are being transferred.
Other factors for consideration include the presence of an effective independent supervisory authority in the foreign country with responsibility for enforcing compliance with the data protection rules, and the availability of an advisory and support structure for Data Subjects exercising their rights and for cooperation with the relevant Nigerian authorities. Finally, such foreign country should have entered into legally binding conventions, treaties or instruments pertaining to or concerning the protection of Personal Data.
Adequacy of Safeguards - Where are the Lines Drawn?
In the absence of any decision by the HAGF as to the adequacy of safeguards in a foreign country, a transfer or a set of transfers of Personal Data to a foreign country is expected to take place if:
- the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks and consequences of such transfers;
- the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the implementation of pre-contractual measures taken at the Data Subject's request;
- the transfer is necessary for the performance of a contract concluded in the interest of the Data Subject between the Controller and another natural or legal person;
- the transfer is necessary for important and overriding reasons of public interest;
- the transfer is necessary for the establishment or defence of legal claims; and
- the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent; provided, in all circumstances, that the Data Subject has been manifestly made to understand, through clear warnings, the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country.
When the international transfers of personal data and the applicable basis for transfer have been identified, processors of personal data being transferred must check, on a case-by-case basis, whether the legislation of the foreign country guarantees a level of protection for the personal data that is essentially equivalent to or better than that of Nigeria. If the assessment does not reveal an acceptable level of data protection and no appropriate supplementary safeguards are in place to guarantee an adequate level of data protection, the transfer should not be made. Where, however, the recipient country is not on the White List and none of the conditions stipulated is met, the Data Controller will engage NITDA and the HAGF for approval concerning such transfer.
Article provided by INPLP member: Uche Val Obi SAN (Alliance Law Firm, Nigeria)
Dr. Tobias Höllwarth (Managing Director INPLP)