International Transfer of Data

Hey there! Welcome to another edition of the Privacy Note.

In this edition we will be looking at what the NDPR says about the Transfer of Personal Data outside Nigeria.

So, can organizations transfer data to locations outside Nigeria? Yes! What then needs to be done to ensure such a transfer is compliant with the requirements of the regulation?

But before we go into the crux of today’s edition, let us take a look at a certain trend which closely borders on the international transfer of Personal Data: targeted advertisements.

In an age of globalization boosted by the internet, many organizations transact cross-border business every day and there is an inevitable transfer of Data as a result. Many e-commerce platforms make use of targeted advertisements to target specific clients, using technologies like cookies and trackers to study human spending patterns and preferences. If you’re an ardent user of the internet, I’m sure you must have come across ads which seem to know just what has been on your mind lately, or what you’ve been searching for across different websites. This is not magic or ‘juju’, lol. You may have inadvertently given a website or app permission to track your movement across the internet. Endeavour to check the privacy policy and cookies policy of apps and websites that you are not familiar with before using them.

It is also possible that your Personal Data may have been transferred (sold or exchanged for some benefit) across borders to foreign businesses who then send targeted adverts to you. The NDPR has provisions to ensure that no Data Controller can arbitrarily transfer or exchange your Personal Data without a Legal Basis, especially without your consent.

One core principle of the NDPR on foreign transfer of Personal Data is that the foreign country to which your Data is to be transferred must have an adequate level of Data protection regulation and enforcement. The Attorney General of the Federation is tasked with supervising the accreditation of foreign countries as fit for the transfer of Personal Data. In doing this, the Attorney General shall pay particular attention to such country’s respect for the rule of law and human rights, amongst other things.

However, a foreign transfer of Personal Data may also take place without the supervision of the Attorney General. The NDPR provides for the following exceptions:

  1. Where you have explicitly consented to the transfer; this is the most common method used by Data Controllers. Once again, ensure you take time to read the privacy policies before interacting with different platforms because the permission for consent would usually be inserted into the policy.
  2. Where the transfer is necessary for the performance of a contract with you or which is performed in your favor.
  3. Where the transfer is necessary for reasons of public interest.
  4. Where the transfer is important for the protection of your vital interests.

For further reading and a broader understanding, reference can be made to Articles 2.11(a-e) and 2.12(a-f) of the NDPR.

That’s it for this week’s edition of the Privacy Note, folks! Now that you know those Jumia Ads are not magic (Lol), maybe you’d take a little time to read those long, annoying privacy notices before clicking ‘I Accept’. Take a look at the cookies policy too; you would usually have the liberty to select the cookies you approve of, or none at all. Be safe, relax and enjoy the last weekend of the month of April.

See you next week.

