BY MICHAEL IRENE, PhD
Early this year, the international data transfer agreement and a data transfer addendum to the European Commission’s standard contractual clauses for international data transfers were issued. These would allow for the continued transfer of data and aid businesses on global initiatives.
First, it ensures that on a business-to-business level, companies are making the right effort to meet “adequacy decisions” (something that I will touch on in a later piece). However, from a Nigerian perspective, one needs to understand the implications of transferring data outside Nigeria and the regulatory approach the National Information Technology Development Agency (NITDA) intends to take on this critical element of data privacy.
I think the best place to start is to state that there needs to be a clear methodology for international data transfers between Nigeria and other African nations and, most importantly, for how the data of Nigerians are transferred outside Africa, especially with regard to cloud storage and its accompanying usage. There needs to be a clear indication of where NITDA stands on this.
Such clarification can help new and existing businesses understand what factors they need to consider when dealing with companies outside the African Union. As technology expands, and in order to contain the impending increase in national cyberattacks, Nigeria needs to begin to take seriously the implications of international transfers and how they would affect the country.
Second, NITDA should hold a consultation session with companies, explaining in further detail the kind of security protocols, vetting standards and due diligence that they must employ before going into a transfer agreement with international organisations. Doing this would enable the companies to understand the importance of protecting the country from widespread intrusion and help protect the data assets in the nation itself. Failure to do this would present vulnerabilities to existing businesses on many levels.
Setting standards for international transfers of data provides a robust avenue for defined obligations, roles and responsibilities, and dispute resolution. In that way, the importer and exporter of data understand their positions and how their actions could make or mar the business negotiations. It is important that a clearly defined approach is created for the smooth operation of business.
For example, if Company X (data exporter) exports data to Company Y (data importer) and, a couple of days after they’ve entered into an agreement, there is a breach at Company Y, who would be held liable? One would argue that it should be Company Y, since the data now rest in their company’s database. However, Company Y in this case comes with a rebuttal, arguing that Company X didn’t meet certain transfer methods for such data sets, and this leads to a lengthy legal case.
In this case, having the regulatory body set the standards, especially by creating clearly defined expectations for these types of international transfer agreements, will help prevent lengthy litigation and promote saner interaction among businesses. It will be interesting to see how Nigeria and most African nations chart their way through the labyrinth of international data transfers.