Authority: Federal High Court of Nigeria
Jurisdiction: Nigeria
Relevant law: Nigeria Data Protection Regulations; National Information Regulation Implementation Framework; Technology Development Act of 2007.
Type: Violation
Outcome: Violation
Started: 28 July, 2022
Decided: 30 November 2023
Published: 30 November 2023
Fine: N/A
Parties: Incorporated Trustees of Ikigai Innovation Initiative vs. National Information Technology Agency.
Case No./Parties: FHC/ABJ/CS/1246/2022
Appeal: N/A
Original Source: Federal High Court of Nigeria
Original contributor: Isaac Vincent

Contents

  1. Summary
    1. Facts
    2. Holding
  2. Comment
  3. Further resources
  4. Decision

Summary

The implementation by a regulator of a data protection framework which was not grounded in existing law, was declared null and void. Additionally, a whitelist whose basis could not be justified was struck off.

Facts

The NITDA (the then Data Protection Regulator) issued an adequacy “Whitelist” pursuant to the Nigeria Data Protection Regulation Implementation Framework 2019 (the Framework). The Whitelist comprised of “Countries deemed as having adequate data protection Laws.” The Regulator also published Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) under the Framework.

The Complainant filed a complaint stating that some of the countries in the Whitelist did not meet the requirements of the NDPR to wit; it included a list of countries without adequate data protection laws and /or a supervisory authority responsible for the implementation of these laws.

The Complainant contended that it is impossible to assess the adequacy of protection for personal data in a country that lacks both a data protection law and an independent data protection authority. The Complainant therefore requested that the list be reviewed to ensure compliance.

The Complainant also sought a declaration that there was no basis for the introduction of Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) in the Framework as both were not provided for under the NDPR

Holding

The Court held that the Whitelist which included countries without adequate data protection laws or without the existence of independent supervisory authorities is in contravention of Article 2.11 of the Nigeria Data Protection Regulation (NDPR) and should be reviewed to ensure compliance with the requirements of the NDPR. The court:

  1. Nullified part of the Whitelist which contained countries without data protection legislation and supervisory bodies on the basis that such countries cannot provide an adequate level of protection for personal data.
  2. Agreed with the Respondent, that the BCRs and SCCs were not provided for under the NDPR and as such had no legal basis.
  3. Held that the NITDA had not complied with its own laws and had acted ultra vires its powers in including non compliant countries in the Whitelist and in introducing BCRs and SCCs into the Framework.

Comment

Peesently, Section 41 (1) (a) of the Nigeria Data Protection Act now specifically includes BCRs and SCCs as mechanisms for international transfer of data and vests the NDPC with the power to approve BCRs and SCCs for the transfer of personal data out of Nigeria.