In August 2021, Ikigai Innovation Initiative, carried out an assessment of the international transfer of data framework under the Nigeria Data Protection Regulation 2019 (NDPR) and Data Protection Implementation Framework (DPIF). The NDPR and DPIF specifies steps toward regulating and safeguarding data flows from Nigeria to other countries. Articles 2.11 and 2.12 of the NDPR, as well as Article 7.0 of the DPIF, were extensively examined. Article 2.11 and 2.12 of the NDPR
governs the international data transfer framework in Nigeria. Article 7.0 of the DPIF provided additional context. In addition, a list of countries are designated as having adequate data protection framework under Annexure C of the DPIF. The decision concerning the country on this list is meant to comply with the conditions stipulated in Article 2.11 of the NDPR.
We observed the following issues:
8
● Several of the countries on the whitelist do not meet the requirements set out in Article 2.11 of the NDPR; and
● The DPIF's unexpected adoption of the Binding Corporate Rule (BCR) and Standard Contracting Clauses (SCC) as transfer mechanisms despite their omission from the NDPR.
What we have done so far
On 7th September 2021, we filed a complaint with the National Information Technology Development Agency (NITDA), requesting for clarification on the following;
I. The rationale behind the whitelist decision. There are a lot of discrepancies between the provisions in Article 2.11 and the whitelist. It can be said that the provisions in the NDPR were not followed in the decision making process for the development of the whitelist. This is because some of the countries on the whitelist do not meet the requirements established under Article 2.11;
II. Proffer explanations why Nigeria is yet to sign the Malabo Convention, but whitelisted countries that are signatories to the Convention;
III. Why countries without supervisory authorities are included on the whitelist;
IV. The basis of the adoption of the BCR and SCC as transfer mechanisms under the DPIF despite their absence under the NDPR;
V. The role of BCR and SCC, as well as whether Nigeria plans to develop an SCC template; and
VI. It is also important to clarify whether the BCR for multinational companies will be approved by NIITDA or the BCR approved by the European Union and Singapore will be leveraged on.
Regulator's Response
We received a response from NITDA, who through a representative informed us of a plan to host a workshop with Stakeholders to review the NDPR and the DPIF, especially in areas of international data transfer and other key issues. NITDA also commended Ikigai for our input to the continuing growth of digital policies in Nigeria.
Our expectation
We expect that NITDA will act promptly in a bid to swiftly address the issues raised, which could also impact the country assessment or considerations for an adequacy decision by other countries or regional blocs. Conferring adequacy decisions is not for gifting without sufficient appraisal and safeguards. We would continue acting as an unbiased watchdog while pursuing the implementation of policies and frameworks that would engender the development of the Digital Economy at scale.