Welcome to Article 7 of our Data Protection and Privacy Knowledge Management Series. We are now halfway through our journey, and the discussion has taken a global turn. In articles 1 – 6, we explored the fundamental concepts of data protection, from lawful processing and Data Protection Impact Assessments (DPIAs) to accountability and data protection principles. In this article, we turn our attention to an important topic in today’s digital ecosystem: cross-border transfers of personal data.
In a world where cloud hosting, remote work, and global collaboration are standard practice, personal data often moves beyond national borders. Yet, every transfer must preserve the rights of Nigerian data subjects.
The Nigeria Data Protection Act (NDPA) and the General Application and Implementation Directive 2025 (GAID 2025) provide the rules that govern these international data movements, with detailed provisions in Schedule 5 (Guidance on Cross-Border Data Transfer). Now, let us examine what these provisions mean for organisations operating within and outside Nigeria.
1. The Legal Basis for Transfers
Section 41 of the NDPA provides the general rule that personal data may be transferred outside Nigeria only if the recipient country, territory, or organisation provides an adequate level of protection, or if one of the conditions specified in Section 43 applies.
The GAID 2025, in Schedule 5, builds on this rule and identifies two primary legal bases for lawful cross-border transfers, as well as a set of derogations for exceptional cases.
2. Basis One: Adequacy Decisions
An adequacy decision means that the Nigeria Data Protection Commission (NDPC) has determined that a particular country, territory, or international organisation provides protection for personal data that is substantially equivalent to Nigeria’s standards. Transfers to such jurisdictions are treated as if the data were processed within Nigeria, meaning no further authorisation is required.
Under Schedule 5 of the GAID 2025, adequacy is determined by evaluating several factors, including:
– Whether the recipient country has a data protection law that is effectively enforced;
– Whether there is an independent supervisory authority;
– Whether data subjects have effective legal remedies in the recipient country; and
– International commitments of the recipient country, including membership of global organisations.
Section 42(4) of the NDPA confirms that the NDPC will publish and update a list of adequate countries or territories. This list may draw inspiration from the EU’s adequacy list under Article 45 of the GDPR, but the NDPC retains discretion to make its own determinations.
The NDPR Whitelist (Historical Context)
Before the NDPA and GAID 2025, the Nigeria Data Protection Regulation 2019 (NDPR) created a whitelist of countries considered to offer adequate protection. That list included: Member states of the European Economic Area (EEA), the United Kingdom, Canada, Israel, New Zealand, Switzerland, and Argentina.
Although this list is not automatically carried over to the NDPA–GAID 2025 regime, it remains a useful benchmark. Until the NDPC issues a new adequacy list under Schedule 5, these countries may be considered “likely” to qualify for adequacy recognition, given their comparable data protection regimes. Below is a comparative overview of recognised adequate jurisdictions:
3. Basis Two: Cross-Border Data Transfer Instruments (CBDTIs)
When adequacy has not been determined, controllers and processors can still lawfully transfer personal data outside Nigeria using Cross-Border Data Transfer Instruments (CBDTIs).
According to Paragraph 3 of Schedule 5, CBDTIs are legally binding instruments that ensure the protection of personal data after it leaves Nigeria. They impose enforceable rights and obligations, ensuring that the data continues to be handled in a way consistent with Nigerian law. The GAID 2025 recognises several forms of CBDTIs, including:
– Contractual Clauses Approved by the NDPC – These may be standard clauses developed by the NDPC or custom agreements submitted for prior approval. They function much like the Standard Contractual Clauses (SCCs) under the GDPR.
– Binding Corporate Rules – Multinational groups or affiliates can adopt internal rules binding all entities involved in cross-border processing.
– Codes of Conduct or Certification Mechanisms – Where approved by the NDPC, an organisation may rely on adherence to a certified data protection code or framework that includes enforceable commitments by the foreign recipient.
Every CBDTI must contain:
– Enforceable data subject rights;
– Effective remedies for breaches;
– Assurance of oversight by a competent authority; and
– Mechanisms to monitor compliance and report to the NDPC.
This approach reflects the NDPA’s principle of accountability and ensures that protection travels with the data.
4. Derogations for Exceptional Circumstances
When neither an adequacy decision nor a CBDTI exists, Paragraph 6 of Schedule 5 introduces derogations — limited exceptions that permit transfers in specific, exceptional situations.
Derogations are intended only for occasional or one-off transfers, not for regular or large-scale data exports. Continuous reliance on derogations would breach the accountability principle.
Transfers may proceed under the following circumstances:
– Explicit Consent – Where the data subject has explicitly consented to the transfer after being informed of the risks involved.
– Contractual Necessity – Where the transfer is necessary for the performance of a contract between the data subject and the controller, or to implement pre-contractual measures at the data subject’s request.
– Public Interest – Where the transfer is necessary for important public interest reasons recognised by law.
– Legal Claims – Where necessary for the establishment, exercise, or defence of legal claims.
– Vital Interests – Where necessary to protect the vital interests of a person who cannot give consent.
Controllers relying on derogations must document the justification, record the risk assessment, and notify the NDPC where applicable.
5. Key Takeaways for Compliance Officers
6. Conclusion
Cross-border transfers are often the most complex part of data protection compliance. The GAID 2025 now provides a structured, risk-based framework for Nigerian organisations to follow, combining global best practice with local accountability. Data Protection Officers should map all international personal data flows, classify them under either adequacy, CBDTI, or derogation, and maintain proper documentation.
In the next article, we will examine data subject rights and redress mechanisms under the GAID 2025, exploring how individuals can enforce their privacy rights within and beyond Nigeria’s borders.
Short Test
-
Under the GAID 2025, what are the two main legal bases for cross-border data transfer?
a) Adequacy and CBDTIs
b) Consent and Contract
c) Legitimate Interest and Public Interest
d) NDPC approval only
-
True or False: Derogations under Schedule 5 of the GAID are intended for continuous data transfers between Nigeria and foreign entities.
-
What must a CBDTI include to be valid under the GAID?
a) NDPC approval
b) Enforceable rights for data subjects
c) Effective remedies for breaches
d) All of the above