Introduction
On
In this article, I analyse this case and discuss its possible ramifications for international data transfers from
Why adequacy assessment
Personal data is a critical input in the global digital economy and its international transfer is essential for the provision of various services and benefits to individuals. However, such transfers also pose significant challenges and risks for the protection of personal data and the rights of data subjects, especially when the data is intended to be processed in countries that have different or lower standards of data protection than the country of origin. Consequently, international data transfers are subject to rigorous oversight by privacy regulators and Data Protection Authorities (DPAs) due to these privacy risks. An example of this scrutiny is the decision of the
Adequacy assessment is a mechanism to ensure that international data transfers are conducted in a way that respects the privacy and security of personal data and the fundamental rights and freedoms of data subjects. It involves the evaluation of the level of data protection in a third country by a DPA, to determine whether it is comparable to the level of data protection provided in the country of origin. If a third country is deemed to have an adequate level of data protection, data can be transferred to that country without any additional safeguards or authorisations. This simplifies international data transfers and reduces the administrative and legal burden for the data exporters and importers.
Adequacy assessment is important for several reasons. First, it promotes the harmonisation and convergence of data protection standards and practices across different jurisdictions, which can enhance the trust and cooperation among DPAs, consumers and other stakeholders. Second, it eliminates digital trade restrictions to the free flow of data in cross-border business transactions, which can benefit the economy and society. Third, it safeguards the rights and interests of data subjects, who can enjoy the same level of data protection regardless of where their data is transferred or processed.
However, adequacy assessment is beset with some challenges and limitations. For example, it requires a comprehensive and rigorous analysis of the legal and institutional framework, the enforcement and oversight mechanisms, and the international commitments and obligations of the third country. In some cases, it requires continuous monitoring and review of the adequacy decision, which can be revoked or suspended if the level of data protection in the third country changes or deteriorates. Moreover, it may be affected by political and diplomatic factors, as well as by judicial interpretations and decisions, such as the judgement under review in this article and the EU case of Data Protection Commissioner v
Legal framework for international data transfers under the NDPR and Implementation Framework
Under the NDPR, there are, in principle, two ways in which the transfer of personal data to third countries or international organisations is permissible. International transfers of personal data may take place on the basis of: an adequacy decision (art. 2.11); or, in the absence of such an adequacy decision, where an exemption applies (art. 2.12). Under the Implementation Framework, Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) are introduced under art. 7.3 as an international data transfer mechanism where an organisation seeks to transfer personal data to another entity within its group of companies or an affiliate company.
According to art. 2.11 a) of the NDPR, the Attorney General of the Federation (AGF) supervises the transfers of personal data from
Additionally, art. 2.11 c) - e) of the NDPR requires the
In transferring personal data abroad, art. 7.1 of the Implementation Framework stipulates that the following information is required: the list of countries where the personal data of Nigerian citizens and residents is transferred in the regular course of business; the data protection laws and the relevant data protection office/administration of those countries; the NDPR-compliant privacy policy of the data controller; an overview of the encryption method and data security standards; and any other detail that ensures the adequate protection of the privacy of personal data in the target country. Art. 7.2 also states that the Agency shall coordinate transfer requests with the
Facts of
In the main hearing,
Moreover, the Court held that, according to the NDPR and the Implementation Framework, the Agency had to consider the third countries contained in the White List as offering an adequate level of protection for personal data. The Court asserted that this was a mandatory condition of art. 2.11 of the NDPR and art. 7.0 - 7.2 of the Implementation Framework. In the light of this, the Court concluded that the inclusion of
Finally, the Court held that the use of BCRs and SCCs as mechanisms for international data transfers, as established under art. 7.3 of the Implementation Framework, was invalid since they were not provided for in arts. 2.11 - 2.12 of the NDPR, and thus exceeded the powers of the Agency under the NDPR. The Court based its decision on the case of Amasike v
Considering this and other factors, the Court granted all the reliefs requested by the Plaintiff Ikigai.
Implications for the future of international data transfers in
The Court's decision implies that under the NDPR, any international data transfers from
Furthermore, data protection compliance organisations (DPCOs) should be aware that, without any guidance from the
Under the NDPA, the procedure for international data transfers is similar in some parts to the NDPR, and the lawfulness of such transfers depends on whether the third country or recipient complies with a law, BCRs, SCCs, code of conduct, or certification mechanism that ensures an adequate level of protection for the personal data (section 41 (1) (a)), or if an exemption applies (section 43 (1)). Section 42 (2) requires the Commission to consider the following factors when assessing the adequacy of the level of protection: the availability and enforceability of data subject rights, the possibility of a data subject to seek administrative or judicial redress, and the rule of law; the existence of a suitable instrument between the Commission and a competent authority in the recipient jurisdiction that guarantees adequate data protection; the access of a public authority to personal data; the existence and effectiveness of a data protection law; the existence and operation of an independent, competent data protection, or similar supervisory authority with sufficient enforcement powers; and the international obligations and agreements binding on the relevant country and its participation in any multilateral or regional organisations.
As of the date of this writing, the Commission is yet to exercise its power under the NDPA to designate any third country as providing an adequate level of protection, nor has it endorsed any BCRs, SCCs, codes of conduct, certification mechanisms or other instruments for international data transfers. Consequently, to ensure the legality and permissibility of international data transfers under the NDPA, the data controller (and/or processor) must rely on one of the exemptions provided for in section 43 (1).
Conclusion
Following the Court's judgment in this case, the Commission is expected to conduct adequacy assessments of third countries and issue positive adequacy decisions that will enable unrestricted data transfers from
To this end, the Commission should as a matter of priority adopt a proactive and cooperative approach to adequacy assessments, by consulting with data controllers, processors, DPAs of the third countries, data subjects and other concerned stakeholders, and by reaffirming its adherence to the principles and standards established in both the NDPA and NDPR. A positive adequacy decision by the Commission must rely on core data protection principles present in the legal framework of that third country that align with those stipulated in the NDPA and the NDPR. It must also indicate the scope of its applicability, whether national or sectoral, and the identity of an independent public authority in charge of enforcing the data protection rules. It is further recommended that the Commission establish a robust framework to oversee and evaluate its adequacy decisions on an ongoing basis and be ready to respond to any changes or challenges that may emerge.
In conclusion, international data transfers are a vital component of the global digital economy and digital society. Therefore, DPAs must conduct adequacy assessments for international data transfers, in compliance with the applicable legislative frameworks. Adequacy assessments are a means of ensuring that the personal data of data subjects is safeguarded throughout its transit, irrespective of its destination. Finally, it must be emphasised that adequacy assessment is not only a legal requirement, but also of strategic importance for the Commission, as it can enhance its reputation, influence, and impact in the global data protection landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr Chukwuyere Izuogu
Streamsowers & Kohn
Tel: 1271 2276
Fax: 1271 2277
URL: www.sskohn.com
© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source