Comparative Analysis of Cross-border Data Transfer Regimes: GDPR, UK GDPR and the Nigerian Data Protection Act

Tobi Olowokure
7 min read · Nov 27, 2023


Introduction:

The world as we know it today would not be able to function without the ability to transfer personal data across international borders. There is no gainsaying that such transfers pose many risks to the privacy of data subjects, and laws and regulations have therefore been formulated to provide safeguards for the cross-border transfer of data.

The EU’s General Data Protection Regulation (“GDPR”), the UK GDPR and the Nigerian Data Protection Act (“NDPA”) take similar approaches to cross-border transfers of personal data (“Transfers”): a Transfer is only allowed where certain conditions are met.

What is a Transfer under the GDPR?

While the GDPR does not define a “Transfer”, the European Data Protection Board (EDPB) issued the Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Guidelines”).

The elements of a cross-border transfer of personal data under the Guidelines are as follows:

- The Data Controller or Processor (“Exporter”) is subject to the GDPR.

- The Exporter discloses the data by transmission or otherwise makes it available to another controller or processor (“Importer”).

- The Importer is in a third country.

It is crucial to note that remote access from a third country and/or storage in a cloud could also be considered a cross-border transfer. However, there are also several instances in which data may be processed outside the EU without a Transfer taking place.

If data is collected directly from a data subject rather than through an Exporter, it is not considered a Transfer. Therefore, when Joseph in London provides his details on a Nigerian website in order to receive ugwu leaves from Anambra, that does not constitute a cross-border transfer of data.

Conditions for Valid Transfers

Any Transfer to a country outside the EU or the EEA must comply with the conditions set out below:

1. Adequacy Decisions:

An Adequacy Decision is a formal pronouncement by the European Commission recognising that a country or international organisation provides a level of data protection within its jurisdiction that is “essentially equivalent” to the level of data protection in the EU. The European Commission considers various factors, including the third country’s rule of law, the existence of independent data protection supervisory authorities, its international commitments, etc. Examples of countries that have received positive adequacy decisions include Argentina, Canada, Japan, Guernsey and the United Kingdom (“UK”).

2. Appropriate Safeguards

Where the country or international organisation in question is not covered by an adequacy decision, a transfer may still be made subject to an appropriate safeguard. The appropriate safeguards are as follows:

- Binding Corporate Rules (BCRs): These are data governance rules used by multinational companies to facilitate data protection compliance and to allow the cross-border transfer of personal data within the organisation. They provide a means for companies to ensure consistent protection of personal data across different jurisdictions. For example, a holding company based in Italy with subsidiaries in Morocco, Dubai and Turkey can freely transfer data within the group to the extent that all of these companies have signed up to BCRs approved by the European Commission. Examples of companies with approved BCRs are ExxonMobil, Mercedes Benz Group and Otis.

- Standard Contractual Clauses (SCCs): SCCs are standard clauses that can be signed and incorporated into commercial transactions/contracts. They include clauses relating to data security, processing purposes and individual rights. These SCCs have been adopted by the European Commission and can be voluntarily used by controllers and processors to demonstrate compliance with data protection laws.

- Code of Conduct: Codes of Conduct may be formulated by specialised associations representing categories of controllers/processors, taking into account the specific features and needs of micro, small and medium-sized enterprises. A code is submitted to the supervisory data protection authority in the relevant EU country, which decides whether the code provides sufficient appropriate safeguards and, if so, approves it. Any code of conduct relating to processing activities in several EU countries would also have to be approved by the European Commission.

- Certification Mechanism: These certifications are data protection seals or marks that essentially serve as evidence that the bearers are fully compliant with the GDPR. The marks can be displayed on relevant documents as a badge of the bearer’s compliance. Such marks are approved and accredited by the European Data Protection Board.

Exemptions

It should be noted that a Transfer may be permitted in the absence of the above-mentioned mechanisms in the following instances:

- Where explicit consent to the transfer has been given by the data subject.

- Where necessary for the performance of a contract.

- Where the transfer is necessary for important reasons of public interest.

- Where necessary for the establishment or defence of legal claims.

- Where necessary to protect the vital interests of the data subject.

- Where the transfer is made from a public register.

- Where the transfer (i) is not repetitive; (ii) concerns only a limited number of data subjects; (iii) is necessary for compelling legitimate interests; and (iv) the controller has assessed and provided all suitable safeguards for the protection of the personal data.

UK Data Protection Act, UK GDPR, Nigerian Data Protection Regulations (NDPR) and Nigerian Data Protection Act (“NDPA”)

The UK GDPR essentially replicates the provisions of the GDPR in relation to Transfers. The UK has also issued full adequacy findings for countries such as Andorra, Argentina, the Faroe Islands and Switzerland, while partial adequacy findings have been made for Canada, Japan and the USA.

The UK Information Commissioner’s Office (ICO) has also issued the International Data Transfer Agreement (IDTA), an agreement that regulates the transfer of personal data between countries. The IDTA is essentially the UK’s version of the EU’s SCCs.

UK Extension to the EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF) is a legal framework for the transfer of personal data from the EU and EEA to organisations in the U.S. that are certified under the DPF. UK organisations that wish to transfer data to the U.S. can sign up to the UK Extension to the EU-US Data Privacy Framework.

NDPR and NDPA

Data protection in Nigeria is primarily regulated by the NDPA, supplemented by the Nigerian Data Protection Regulations (“NDPR”). Unfortunately, neither the NDPA nor the NDPR elucidates what constitutes a “Transfer”. It is envisaged that the Nigerian Data Protection Commission (“NDPC”) will issue further guidelines on this.

The NDPA proscribes the transfer of data from Nigeria unless the recipient is subject to BCRs, SCCs, a Code of Conduct or a Certification Mechanism that provides an adequate level of protection. Again, little detail is given on these mechanisms, so future guidelines on this are also envisaged.

In assessing the adequacy of a country’s data protection laws, various factors are to be considered, including enforceable data subject rights, access of public authorities to personal data, effective data protection law, the existence of an independent and competent data protection supervisory authority, international commitments, etc.

However, the NDPA and NDPR differ from the GDPR on transfers in certain aspects:

- Firstly, the NDPA empowers the NDPC to designate categories of data that are subject to additional specified restrictions on Transfers. Such restrictions may be based on the nature and risk of the data, and may require controllers or processors to notify the NDPC and explain the adequacy of protection.

- Secondly, the consent of the data subject that serves as an exception to the proscription of Transfers need not be “explicit consent”, unlike what is required under the GDPR.

- Thirdly, the NDPA does not contain an exception for data transferred from a public register, as the GDPR does.

- Furthermore, the NDPA includes an exception for transfers made for the sole benefit of the data subject without consent (i.e., where it is not reasonably practicable to obtain consent, or where such consent would likely have been given). The language differs from the GDPR and could therefore be argued not to cover contracts between the controller and another person where the interest of the data subject is merely a by-product.

- Finally, under the NDPR, a “Whitelist” of countries deemed to have adequate data protection laws was established. The Whitelist contains 38 countries and, in addition, lists all members of the EU and EEA, as well as all African countries that are signatories to the Malabo Convention 2014. It is far less stringent than what is obtainable in Europe or in the United Kingdom. The Whitelist even contains global economic powerhouses that have not received adequacy decisions in Europe, such as the United Arab Emirates, the United States of America (outside of the EU-US Data Privacy Framework), China and Brazil.

Conclusion

The transfer of personal data across international borders is an indispensable business necessity. However, it behooves countries around the world to ensure that their citizens remain protected from potential violations. From the review of the GDPR, UK GDPR and NDPR/NDPA above, we can see that there are slight differences in approach, but a general movement towards the same goal. There is no gainsaying that it is critical for international businesses to understand these regulations and their variations as they pertain to their business operations. This is all the more important when the hefty fines and penalties that may apply are taken into consideration.

