BLOG

Federal High court nullifies part of the adequacy of the "whitelist" on International data transfer and calls for review of the list.


DEC 09, 2023

We are excited to share that the judgement in our case about Nigeria’s Whitelist of countries for international data transfers has been delivered. The Court ruled in our favour on the material issues and granted all the ancillary reliefs we sought.


Background

In September 2021, Ikigai filed a complaint with Nigeria's then-data protection regulator, the National Information Technology Development Agency (NITDA), challenging the list of countries whitelisted under its adequacy decision published in the NDPR Implementation Framework. Under Article 2.11 of the Nigeria Data Protection Regulation (NDPR), some of the requirements for this designation include the existence of a data protection law and the establishment of a data protection authority, among other things 1. The list included countries without data protection laws and/or a data protection authority. Although the regulator acknowledged our complaint and promised to review the list, this was not done despite repeated follow-ups. 



In September 2022, we filed an action before the Federal High Court in Abuja, challenging the regulator for not following its own law before designating these countries. In the suit, we asked the court to compel the agency to comply with its own law and review the Whitelist of countries, and we also asked the court to declare the agency’s introduction of binding corporate rules and standard contractual clauses, which were introduced in the implementation framework without basis under the NDPR to be "ultra vires". The two transfer mechanisms were not included under the NDPR. The regulator did not file a defence.

Summary of the judgement.

In November 2022, the court delivered its judgement on the case, agreed with our arguments and granted us relief. Some of the notable reliefs granted by the court include:

  1. The court declared that the countries on the Whitelist without a data protection law and/or a data protection authority are inappropriate, and the list should be reviewed to comply with the law. The Whitelist included countries signatories to the African Union Convention on Cybercrime and Personal Data Protection (Malabo Convention). However, some of these countries have yet to introduce a law or have a law but have yet to establish an authority. These include Comoros, Guinea Bissau, Mozambique, Sierra Leone, Togo, and Zambia. Consequently, these countries, despite being whitelisted, did not provide an adequate level of protection for personal data. 
  2. The court emphasised that certain whitelisted countries, including Comoros, Guinea-Bissau, and Sierra Leone, did not have data protection laws or independent data protection authorities, violating the requirements of Article 2.11 of the NDPR and Article 7.0 of NDPR Implementation Framework on the international transfer of data.
  3. Introduction of two new mechanisms for the international transfer of data: The court declared that the introduction of two new mechanisms, Standard Contractual Clauses and Binding Corporate Rules, for international data transfer, which were not provided for under Articles 2.11 and 2.12 of the NDPR, was ultra vires their powers. As a result, these new mechanisms were deemed null and void because they had not been established in any legal framework.
  4. Failure to justify exercising power: The court applied the principle that a public body or authority must act within the law and not exceed or abuse its powers. In this case, the regulator failed to justify its exercise of power in whitelisting some of the countries. The regulator neither responded to the suit nor publicly published any of its analysis of the status of each country it had whitelisted before reaching its decision to whitelist.

Post-judgement note

The judgement marks a significant achievement in our strategic litigation efforts. However, it's important to note that the recent enactment of the Nigeria Data Protection Act has rendered some aspects of the judgement moot. Key concerns have been addressed under the new Act, particularly with the establishment of the Nigeria Data Protection Commission (NDPC), which now has the authority to approve Standard Contractual Clauses and Binding Corporate Rules. Additionally, there have been notable developments in the data protection landscapes of certain countries; for instance, Algeria and Mauritania have established data protection authorities, and India has implemented data protection laws.


What does it mean for the ecosystem ?

While events may have overtaken some aspects of the judgement, these things will remain relevant in the ecosystem for a while. The Nigeria Data Protection Commission will need to act swiftly to review the Whitelist of countries, and in doing that, it must also publish the rationale for judging each country to have an adequate data protection framework. Also, data controllers and processors must reassess their international data transfer arrangements to countries without data protection laws or authorities on the Whitelist. The judgement reinforces the principle of strict adherence to data protection laws and may encourage a more robust and transparent approach to data protection and privacy across various jurisdictions.


Conclusion

We believe this judgement would strengthen accountability and transparency about Nigeria's international data transfer framework. Further, this judgement is quite instructive in compelling the regulators to adhere to their rules. The outcome marks a significant step towards ensuring a robust, adequate, and compliant framework for international data transfers.

You can download certified true copies of the judgement here

…………………………………………………………………………………………………………………………………….

REFERENCE

1 Before a regulator can designate a country as adequate for personal data transfer, the country must ensure an adequate level of protection, demonstrated through its legal system, including respect for human rights and data protection laws, effective data protection implementation and enforcement, independent supervisory authorities for data protection, and international commitments to personal data protection.