Briefly

June 24, 2026

Briefly
Nigeria Data Protection Commissionpress_release
press_releaseNigeria·Nigeria Data Protection Commission·Briefly Analysis

Abstract

The Nigeria Data Protection Commission (NDPC) recently reinforced its stance on cross-border data transfers, building upon the foundational Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025. This renewed emphasis underscores the stringent requirements for transferring personal data outside Nigeria, mandating robust safeguards such as adequacy decisions, binding corporate rules, or approved contractual clauses. Legal practitioners must guide their clients in navigating these complex regulations, ensuring compliance to avoid significant penalties and uphold data subjects' rights in an increasingly globalized digital economy.

Introduction

On June 24, 2026, the Nigeria Data Protection Commission (NDPC) issued a significant communication, reiterating and elaborating on the regulatory framework governing cross-border data transfers. This announcement, while not introducing entirely new legislation, serves as a critical reinforcement of the existing provisions within the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025. It signals the NDPC's commitment to rigorous enforcement and clarifies expectations for data controllers and processors engaged in international data flows.

The implications of this renewed focus are far-reaching for businesses operating in Nigeria or processing the personal data of Nigerian citizens, regardless of their physical location. The NDPC's directive highlights the necessity for meticulous adherence to established mechanisms for ensuring adequate data protection when personal data leaves Nigerian jurisdiction. This article will delve into the statutory underpinnings, key compliance mechanisms, and practical considerations for legal professionals advising clients on cross-border data transfers under Nigeria's evolving data protection regime.

Background

Nigeria's data protection landscape has undergone a significant transformation, moving from a fragmented approach to a comprehensive statutory framework. The journey began with the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), which served as the pioneer comprehensive guideline for data protection in the country.

However, the cornerstone of the current regime is the Nigeria Data Protection Act (NDPA) 2023, which received Presidential assent on June 13, 2023. The NDPA 2023 established the Nigeria Data Protection Commission (NDPC) as the primary regulatory authority, replacing the NDPR 2019 and its Implementation Framework of 2020. Subsequently, the NDPC issued the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, which provides comprehensive and binding directives for implementing the NDPA, including detailed provisions on cross-border data transfers. Together, the NDPA 2023 and the GAID 2025 now constitute the complete governing framework for data protection in Nigeria, establishing a restrictive framework for cross-border data transfers premised on the principle that personal data should not leave Nigeria without adequate safeguards.

Analysis

The NDPA 2023, particularly Sections 41, 42, and 43, along with the GAID 2025, sets out the stringent conditions for transferring personal data from Nigeria to another country. By default, cross-border data transfers are prohibited unless the recipient jurisdiction or entity can demonstrate an adequate level of protection for the personal data. The NDPC is empowered to make 'adequacy decisions,' formally designating countries, regions, or specific sectors within a country that afford an adequate level of protection.

Where an adequacy decision is not in place, data controllers and processors must rely on other approved mechanisms. These include binding corporate rules (BCRs), which are internal, legally binding privacy codes of conduct for multinational corporate groups, and standard contractual clauses (SCCs) approved by the NDPC. The GAID 2025 further elaborates on these instruments, requiring that such clauses legally compel the foreign recipient to mirror NDPA-compliant security infrastructure and respect the statutory rights of Nigerian data subjects. Additionally, codes of conduct or certification mechanisms that ensure an adequate level of protection may also be utilized, subject to NDPC approval.

Beyond these primary mechanisms, Section 43 of the NDPA provides for 'other lawful bases' or derogations for cross-border transfers. These exceptions include explicit consent from the data subject, provided they have been informed of the possible risks due to the absence of adequate protections. Transfers may also be permissible if necessary for the performance of a contract with the data subject, for important public interest grounds, for the establishment, exercise, or defense of legal claims, or in an absolute emergency to protect the life or physical safety of the data subject. A critical requirement introduced by the GAID 2025 is the mandatory conduct of a Data Protection Impact Assessment (DPIA) for cross-border transfers, recognizing them as a high-risk activity.

For legal practitioners, advising clients on these requirements necessitates a thorough understanding of both the NDPA and GAID. This includes assisting in the drafting and negotiation of SCCs, developing and implementing BCRs, and conducting comprehensive transfer impact assessments to evaluate the risks associated with international data flows. The extraterritorial scope of the NDPA means that foreign organizations processing the personal data of Nigerian citizens must also comply, irrespective of their domicile. The NDPC's active enforcement, including significant fines against major corporations, underscores the imperative for robust compliance strategies.

Conclusion

The NDPC's recent communication serves as a timely reminder of the critical importance of adhering to Nigeria's cross-border data transfer regulations. For legal practitioners, this means proactively engaging with clients to review their existing data transfer mechanisms, ensuring they align with the NDPA 2023 and the GAID 2025. This includes verifying the adequacy of recipient jurisdictions, implementing NDPC-approved contractual clauses or binding corporate rules, and conducting mandatory Data Protection Impact Assessments for high-risk transfers.

Failure to comply with these stringent requirements can result in substantial administrative fines, potentially reaching ₦10 million or 2% of an organization's annual gross revenue, whichever is higher, alongside possible criminal sanctions. Practitioners should advise clients to establish robust internal policies, provide ongoing training, and maintain detailed justifications for all cross-border data movements. Staying abreast of future NDPC guidance and adequacy decisions will be crucial for navigating the evolving landscape of data protection in Nigeria and ensuring continued operational legality in the global digital economy.

Citations

  1. 1.Nigeria Data Protection Act 2023, No. 37, Federal Republic of Nigeria Official Gazette, 2023.
  2. 2.Nigeria Data Protection Regulation 2019, Assented to 25 January 2019.
  3. 3.Nigeria Data Protection Act (NDPA) 2023 General Application and Implementation Directive (GAID) 2025, NDPC/NDP ACT-GAID/01/2025, Issued 20 March 2025.
AI Business Impact

How does this affect your business?

Get an AI analysis of this article grounded in your jurisdictions, practice areas, and any policy documents you've uploaded to Wansom.

June 24, 2026 — Briefly | Briefly