Nigeria: National Information Technology Development Agency adopted Nigeria Data Protection Regulation 2019 including cross-border data transfer regulation

On 25 January 2019, the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR). The NDPR sets out conditions for the transfer of personal data across national borders, aiming to maintain domestic data protection standards. Personal data can only be transferred to a foreign country or an international organisation if the receiving entity provides an adequate level of protection, as assessed by the National Information Technology Development Agency (NITDA) and the Honourable Attorney General of the Federation (HAGF). Key factors considered include the legal system, data protection rules, and enforcement mechanisms in the foreign country or international organisation. The regulation also outlines exceptions where data transfers can occur without an adequacy decision, such as when necessary for contract performance, public interest, legal claims, or protecting the vital interests of the data subject. Additionally, data subjects must be informed of the potential risks and provide explicit consent for such transfers.