Nigeria: Implemented Data Protection Act, 2023 (Act No. 37) including cross-border data transfer regulation

On 12 June 2023, the Data Protection Act, 2023 (Act No. 37), which outlines conditions for transferring personal data, entered into force. The data controller or processor cannot transfer personal data from Nigeria to another jurisdiction unless the recipient is subject to laws, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms that provide an adequate level of protection similar to the protections granted under the Act. Data controllers and processors must record the basis for such transfers. The Commission may require notification of these measures and their adequacy. Additionally, the Commission can designate categories of personal data subject to additional transfer restrictions based on the nature of the data and risks to data subjects. Alternatively, the transfer can occur if the data subject has consented after being informed of the risks, the transfer is necessary for contract performance, it benefits the data subject, and consent is impracticable or is based on public interest, legal claims and protection of data subjects’ vital interests. The Act also stipulates that no international data transfer codes or mechanisms can be adopted as Nigeria's standard without the approval of the National Assembly.