8 June 2026

Cross-border Data Transfers And International Compliance: Legal Opportunities In Global Tech Transactions

Gresyndale Legal

Contributor

Gresyndale International is a corporate law firm that helps international entities come into West African countries and function effectively, especially in Nigeria and Kenya. Our subsidiary, Gresyndale Legal, offers premier legal advisory services to businesses worldwide. Our team of dedicated and exceptional lawyers provides top-notch services in various areas of law.
Nigeria's data protection landscape has fundamentally shifted with the enactment of the Nigeria Data Protection Act 2023 and the General Application and Implementation Directive 2025. This article examines the legal architecture governing cross-border data transfers, identifies critical compliance obligations for international technology transactions, and demonstrates how well-structured data compliance can serve as a competitive advantage in one of Africa's most dynamic digital markets.
Jesutofunmi Sebiomo Adebomi

Every global technology transaction today moves data across borders. Whether it is a SaaS contract between a Lagos startup and a London cloud provider, a cross-border acquisition involving customer databases, or a fintech platform routing payment data through servers in several jurisdictions simultaneously, personal data transfers are no longer incidental to commercial activity; they are the activity. For Nigerian businesses and their international counterparts, the compliance landscape shifted decisively with the enactment of the Nigeria Data Protection Act 2023 (NDPA) and the issuance of the General Application and Implementation Directive 2025 (GAID) by the Nigeria Data Protection Commission (NDPC). Getting cross-border transfers right is no longer a matter of good housekeeping. It is a condition of doing business.

This article examines the legal architecture governing cross-border data transfers from a Nigerian and comparative perspective, identifies the compliance obligations that transacting parties cannot afford to overlook, and makes the case that well-structured data compliance is not merely a legal cost but a genuine competitive advantage in international technology transactions.

The Nigerian Legal Framework: From NDPR to NDPA and GAID

The foundational rule under Nigerian law is straightforward: personal data may not be transferred outside Nigeria unless the recipient country or organisation provides an adequate level of protection, or one of the conditions for transfer without adequacy is satisfied. This structure is familiar to anyone who has worked with the EU’s General Data Protection Regulation (GDPR), and it places the burden squarely on the data controller to establish the legal basis before the transfer occurs. The NDPC, established under the NDPA as Nigeria’s sole data protection authority, administers and enforces this obligation.

An adequacy decision is the most commercially efficient route. Where the NDPC determines that a recipient jurisdiction meets the standards in Schedule 5 of the GAID (enforceable individual rights, independent regulatory oversight, and meaningful international commitments), data may flow there as freely as if it were being processed within Nigeria. The NDPC has not yet published a formal adequacy list under the GAID regime. The whitelist that existed under the repealed NDPR 2019 has no continuing legal effect, which means practitioners must now work from the Schedule 5 criteria on a case-by-case basis. Relying on prior adequacy assumptions in the interim is a live compliance risk.

Where no adequacy decision covers the recipient, currently the position for most of Nigeria’s trading partners, a transfer may proceed if the parties put in place a Cross-Border Data Transfer Instrument (CBDTI) approved by the NDPC. CBDTIs include Standard Contractual Clauses (SCCs), Binding Corporate Rules for intra-group transfers, and approved codes of conduct or certification mechanisms. The critical point that catches many companies off guard is that CBDTIs require prior NDPC approval before any transfer is initiated. Companies that have been operating under GDPR-style SCCs without separately obtaining NDPC approval should treat that gap as an urgent remediation item.

The GAID preserves a narrow set of derogations for exceptional situations: transfers necessary for contract performance with the data subject, transfers made with the data subject’s explicit informed consent after notification of the specific risks, and transfers necessary for the establishment or defence of legal claims. The NDPA also introduced, for the first time, a derogation permitting transfer for the sole benefit of the data subject where obtaining consent is impracticable. None of these derogations are available for routine commercial data flows. The GAID is explicit on this point: commercial interest alone does not constitute a sufficient justification for any transfer.

Enforcement Has Arrived: The Cases That Changed the Conversation

For much of the NDPR era, data protection enforcement in Nigeria was more aspiration than reality. That has changed. In 2024, the NDPC imposed an administrative fine of NGN 766,242,500 on MultiChoice Nigeria, in part for conducting unlawful cross-border data transfers contrary to the NDPA. The following year, the NDPC imposed a USD 32.8 million remedial fee on Meta Platforms for related violations, the largest penalty levied by a data protection authority anywhere in Africa. In August 2025, the NDPC launched sector-wide investigations into 1,368 organisations spanning banking, insurance, pension, and gaming sectors. The signal is unmistakable.

Both enforcement actions involved, among other findings, the transfer of Nigerian personal data offshore without the legal foundations required by the NDPA. For legal practitioners advising on technology transactions, this means that the data transfer provisions of any cross-border arrangement must receive the same analytical rigour as the commercial terms. The era of treating data compliance as a post-signing administrative exercise is over.

The Comparative Dimension: Nigeria in the Global Landscape

Most technology transactions of any scale involve parties operating under multiple regulatory regimes simultaneously. The GDPR remains the dominant international standard, and its adequacy, SCC, and Binding Corporate Rules mechanisms are architecturally similar to Nigeria’s CBDTI framework. A company that has properly structured its GDPR compliance will find the NDPA requirements intelligible. The divergences, however, matter in practice.

Nigeria is not among the countries currently recognised as adequate under the GDPR, meaning that data flowing from the EU to a Nigerian entity must be covered by an appropriate GDPR safeguard such as SCCs. On the same transaction, Nigerian law requires that data flowing from Nigeria to that EU entity be covered by an NDPC-approved CBDTI unless the EU is formally designated as adequate under the GAID. A single bilateral technology arrangement may therefore need to satisfy both frameworks simultaneously, with different approval processes, different contractual templates, and different supervisory authorities on each side.

The regional picture is similarly layered. South Africa’s Protection of Personal Information Act 2013 (POPIA), Kenya’s Data Protection Act 2019, and Ghana’s Data Protection Act 2012 all impose cross-border transfer conditions broadly consistent with the adequacy-or-safeguards model. At the continental level, the African Union’s Malabo Convention on Cyber Security and Personal Data Protection, though not yet in force for want of sufficient ratifications, provides the normative anchor for this regional convergence and continues to inform how African legislators approach data protection reform.

Compliance as a Commercial Lever

The instinct in many commercial negotiations is to treat data compliance as a cost centre. In international technology transactions, that instinct is strategically mistaken. Nigerian companies and public institutions are now required to conduct data protection due diligence on their technology vendors before contracting. A foreign SaaS provider or data processor that can demonstrate pre-built NDPA compliance, in the form of NDPC-approved SCCs in its data processing agreements, a documented Data Protection Impact Assessment (DPIA) on its cross-border transfer arrangements, and a maintained record of processing activities (ROPA), reduces the procurement friction for its Nigerian counterpart and accelerates deal closure.

The mandatory DPIA requirement reinforces this point directly. Under the GAID, cross-border data transfer is expressly classified as a high-risk processing activity, making a DPIA obligatory before the transfer begins. The DPIA must identify the specific risks of the proposed transfer, the mitigation measures in place, and the legal basis being relied upon, and it must be filed with the NDPC. In a transaction context, a properly prepared DPIA is not merely a regulatory filing; it is due diligence documentation that a sophisticated counterparty or its regulator will want to review. Structuring this analysis at the transaction stage rather than retrofitting it under enforcement pressure is both more defensible and considerably less expensive.

The ROPA obligation similarly shapes how cross-border deals should be documented. For each transfer, the ROPA must record the identity of every foreign recipient, the legal basis for the transfer, and the security measures applied. On complex multi-party platforms where data routes through sub-processors in several jurisdictions, this requires a level of contractual discipline that has not always been standard practice in Nigeria’s technology sector. Companies that build this infrastructure into their contracting processes now will be far better placed as the NDPC’s enforcement posture continues to develop.

Practical Points for Transacting Parties

Several considerations deserve emphasis for practitioners advising on cross-border technology transactions with a Nigerian nexus. First, the applicable regulatory framework must be identified at the outset of a transaction, not at the due diligence stage. This includes determining whether the client qualifies as a Data Controller or Processor of Major Importance (DCPMI) under the NDPA, because the compliance obligations that attach to that classification (NDPC registration, annual compliance audit returns filed through a Licensed Data Protection Compliance Organisation, and mandatory DPIA filing) are non-negotiable and carry defined timelines. Annual audit returns are due on or before 31 March each year.

Second, the interaction between the NDPA and sector-specific regulations requires careful mapping. Section 63 of the NDPA provides that Part VIII, the cross-border transfer provisions, shall be the overarching authority, prevailing over inconsistent sector rules. However, sector regulators retain authority to impose additional restrictions, and in financial services particularly, those restrictions are material. The Central Bank of Nigeria’s Regulatory Framework for Bank Verification Number Operations, for instance, prohibits offshore transfer of BVN data without express CBN approval. Satisfying the NDPA is necessary but not always sufficient.

Third, the constitutional dimension is not merely academic. The GAID expressly provides, at Article 2(2), that nothing in the NDPA or its subsidiary instruments may authorise processing inconsistent with section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), which protects the right to privacy. In regulatory proceedings or commercial litigation, this constitutional anchor can be a decisive point of argument, either in support of a data subject challenging an unlawful transfer or against regulatory overreach. Practitioners advising on Nigerian data matters should keep it within reach.

Conclusion

Cross-border data transfers sit at the intersection of commercial ambition and legal constraint in a way that is distinctive to the digital economy. The Nigerian framework, as consolidated in the NDPA 2023 and operationalised by the GAID 2025, is a serious regulatory instrument: it draws from the architecture of the GDPR, adapts it to Nigeria’s constitutional and commercial context, and is backed by a regulator that has demonstrated both the will and the institutional capacity to enforce. For businesses operating in or into Nigeria, the question is not whether to comply but how to integrate compliance into the structure of their arrangements from the beginning.

The global technology market rewards parties that can move data efficiently, securely, and lawfully. In the Nigerian context, that means mastering the NDPA and GAID framework, engaging the NDPC approval processes for CBDTIs before transfers begin, completing DPIAs in advance, and treating compliance not as a regulatory tax but as a marker of commercial credibility. Done well, it is also a competitive advantage in one of Africa’s most dynamic digital markets.

REFERENCES

A. Legislation

1. Nigeria Data Protection Act 2023 (Act No. 44 of 2023) – primary Nigerian statute governing the collection, processing, storage, and transfer of personal data; assented to on 12 June 2023. Part VIII (ss 41-43) governs cross-border data transfers; s 30 establishes the DPIA obligation; s 63 provides for the supremacy of the cross-border transfer provisions; and s 65 defines Data Controllers and Processors of Major Importance (DCPMIs).

2. Nigeria Data Protection Commission (Establishment) Act 2023 – established the Nigeria Data Protection Commission (NDPC) as the independent regulatory authority responsible for the administration and enforcement of the NDPA 2023.

3. Constitution of the Federal Republic of Nigeria 1999 (as amended) – s 37 (right to privacy); s 45 (permissible derogations from fundamental rights). The GAID 2025 expressly provides, at Art 2(2), that nothing in the NDPA or its instruments may authorise data processing inconsistent with ss 37 and 45 of the Constitution.

4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data (General Data Protection Regulation) [2016] OJ L 119/1 (GDPR) – Arts 44-50 (cross-border transfer framework); Art 45 (adequacy decisions); Art 46 (appropriate safeguards including SCCs and BCRs); Art 49 (derogations for specific situations).

5. South Africa, Protection of Personal Information Act 4 of 2013 (POPIA) – s 72 governs cross-border transfer of personal information to foreign third parties; enforced by the Information Regulator of South Africa.

B. Subsidiary Legislation and Regulatory Instruments

6. Nigeria Data Protection Commission, General Application and Implementation Directive 2025 (NDPC/NDP ACT-GAID/01/2025) (GAID) – issued 20 March 2025; effective 19 September 2025. The GAID repeals the Nigeria Data Protection Regulation 2019 (NDPR) and the NDPR Implementation Framework 2020 in their entirety. Schedule 5 establishes the Cross-Border Data Transfer Framework, including adequacy assessment criteria, recognised CBDTIs, and available derogations. Art 8 sets the DCPMI threshold. Art 27 classifies cross-border transfers as high-risk processing activities requiring mandatory DPIAs.

7. European Commission, Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 – adequacy decision establishing the EU–US Data Privacy Framework; permits transfers of personal data from EU/EEA to certified US organisations without additional safeguards.

8. Central Bank of Nigeria, Regulatory Framework for Bank Verification Number Operations and Watch-List for the Nigerian Banking Industry – prohibits the offshore transfer of Bank Verification Number (BVN) data without express prior approval of the CBN; constitutes a sector-specific restriction that applies in addition to the NDPA cross-border transfer requirements.

C. Enforcement Actions

9. Nigeria Data Protection Commission v Multi-choice Nigeria Limited, Administrative Enforcement Action (NDPC, July 2024) – the NDPC imposed an administrative fine of NGN 766,242,500 on Multi-choice Nigeria for data privacy violations including unlawful cross-border data transfers contrary to the NDPA 2023. This was the first major enforcement action under the NDPA.

10. Nigeria Data Protection Commission v Meta Platforms Inc, Remedial Fee Determination (NDPC, 2025) – the NDPC imposed a USD 32.8 million remedial fee on Meta Platforms for violations including the unlawful transfer of Nigerian users’ personal data offshore without the requisite legal basis under the NDPA. The penalty represents the largest imposed by any data protection authority in Africa.

D. International Instruments

11. Convention of the African Union on Cyber Security and Personal Data Protection (Malabo Convention), adopted 27 June 2014, EX.CL/846(XXV) – the principal African Union instrument on cybersecurity and personal data protection. Not yet in force (requires 15 ratifications). Provides the normative foundation for regional data protection convergence across Africa and informed the drafting of Nigeria’s NDPA 2023.

E. General Texts and Secondary Sources

12. Andersen Nigeria, ‘Cross-Border Data Transfers Under the NDPA 2023 and GAID 2025: Compliance Obligations and Practical Guidance’ (Andersen Legal & Tax Advisory, 2025) – practitioner analysis of the NDPC’s cross-border transfer framework, including the CBDTI approval process, DPIA requirements, and the treatment of derogations under Schedule 5 of the GAID.

13. KPMG Nigeria, The Nigeria Data Protection Act 2023: Key Provisions and Compliance Implications (KPMG Nigeria Advisory, 2023) – analysis of the NDPA’s departure from the NDPR 2019, including the expanded regulatory mandate of the NDPC and the new cross-border transfer provisions.

14. Damilola S Olawuyi and Ifeoluwa Olubiyi (eds), Information and Communications Technology Law in Nigeria (Hybrid Consult 2021) – addresses the pre-NDPA regulatory framework for data transfers, digital commerce, and platform regulation in Nigeria; provides historical context for the legislative developments discussed in this article.

www.Gresyndale.com/blog/

https://www.linkedin.com/company/gresyndale-legal/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
