By Michael Irene, PhD
If your company does not collect, use or process any personal data from other countries, or transfer data to other countries, there is no need to worry about international data transfers. But, most Nigerian companies do, either because they have employees, customers, suppliers or other business partners in other jurisdictions, or because their customers, suppliers or other business partners do. You can cause an international transfer simply by calling up to view data sets on a laptop. Because data itself is not tangilbe, and because access does not feel the same as using or processing to many, business people often overlook such cross border data transfers and the corresponding compliance requirements.
If your company recieves or transfers data internationally, you will probably have to select and implement specific compliance mechanisms—either because you are required to comply with law, because your foreign business partners demand it or because you are responsible for the compliance status of the foreign entities.
Most Nigerian companies find international activities challenging because they have to understand and comply with requirements of laws, markets, technology standards, and other factors of multiple countires. The same is true for data privacy compliance. Few businesses can satisfy themselves that they do not receive, or host or send personal data across Nigeria. This is true for companies that have no other foreign interests or nexus, because internet protocols amy route otherwise purely domestic communication accorss the borders. However, most Nigerian companies do have additional nexus to foreign jurisdictions in today’s global economy: Nigerian companies publish their home pages for visitors anywhere in the world, sell to customers abroad, buy goods or services from suppliers in low cost jurisdictions and use online services hosted in other countries. And even companies that try to keep their business as domestic as possible usually find that their customers and suppliers are exposed to foreign laws and attempt to pass on their resulting requirements contractually.
There is one legal requirement that companies over the world are likely to be confronted with in one way or another is also one of the most viral legal constructs of all times: European restrictions on international transfers of peronsonal data. Most companies in the world are more or less affected— either because they or their subsidiaries are directly subject to these laws or because direct or indirect business partners are passing on their own compliance obligations. The question raised is: how do Nigerian companeis transfer personal data from Nigeria to other continents?
Nigerian companies must clear three hurdles before they can transfer data from Nigeria to any other country. They must (a) comply with all local requirements from Nigerian Data Protection Regulation(NDPR) relating to the collection and other local processing of personal data (b) justify discolsure to another data controller or contractually limit the recipient company to act as a mere data processor, and (c) ensure that the recipient company affords adequate level of data protection. These hurdles—and the corresponding requirements to clear these hurdles— are the best way for companies in a “developing” nation must ensure organisational technical transfers.
The first hurdles highlights the need to substantive measures such as minimising the scope of processing and data retention time periods and ensuring data intergrity and security, offering data access to the right individuals per time.
Second hurdles means Nigerian companies must engage service providers that respect data privacy and embed these into their corporate structure. More generally, Nigerian companies do not typically have to make extra steps as their certain questions they can use to detect the data proteciton position of the said company.
Third hurdle would require the company to ensure that the recipient country or company provides adequate level of data protection. By default, they must carry out hurdle two in dilligent fashion. This third hurdle requires companies to select specific compliance mechanisms for international transfers.
*Dr. Irene is Data Protection Consultant and writes in from London.