Categories: GeneralLegal Opinion

An Analysis of Nigeria’s Legal Framework for Cross-Border Data the AFCFTA Perspective

ABSTRACT

The African Continent, in its vision to harmonize and unify trading within the region, has curated an innovative yet complicated solution to the prevalent economic challenge on the continent. The AfCFTA is an ambitious trade pact to form the world’s largest free trade area by creating a single market for goods and services for almost 1.3 billion people across Africa and deepening the economic integration of the region. The trade area could have a combined gross domestic product of around $3.4 trillion,[1] but achieving its full potential depends on significant policy reforms, trade facilitation measures across African signatory nations and the cohesion of regulations for data sharing across borders in the context of this essay. The goal of shared prosperity among African countries was evident during the official opening ceremony of the 10th Extraordinary Summit of the AU Assembly of Heads of State and Government held on March 21, 2018, in Kigali, Republic of Rwanda.[2] This agreement signals the shared vision for African leaders to create a uniform market for African society in a bid to drive economic progress.

The data market is an ever-growing industry, which spurs a constant need for data security amidst measures to ensure the protection of citizens privacy and safety. In the first quarter of 2017, Forbes projected that the data market would hit 200 billion dollars by the end of 2020.[3] In this light, it is trite that the impact of the AfCFTA Agreement on cross-border data transfer and the protection of Nigerians’ privacy in the African proposed uniform market is thoroughly examined. Nigeria’s Data Protection Regime has set guidelines regulating the transfer of data across borders. The Nigeria Data Protection Act establishes restrictions on the transfer of data across borders, with certain exceptions stipulated in the Act.[4] Unarguably, the AfCFTA will not only improve the overall economic situation on the African continent but will also enhance integration, unity, and shared prosperity. While the AfCFTA has a plethora of opportunities, the risks it poses as far as data protection is concerned cannot be undermined.

INTRODUCTION

The evolution of technology has ushered in a significant transformation in the landscape of international business interactions and global trade. This monumental shift has also exerted a profound influence on the dynamics of data exchange.[5] This article will examine the nature of cross-border data transfer, the implications it has on the protection of data as contained in the Nigerian Constitution, and [6] its legal and regulatory regime within the Nigerian legal landscape.

The never-ending progress of technology in the digital world enlarges the need for data to be transferred from one country to another. Take, for instance, the growth of international payment systems like Paystack, Stripe, Amazon Pay [7], and other digital gateway systems that are leading the financial technology industry with innovative features to help simplify payments for individuals, businesses, and companies with no geographical bounds.

Cross-border data transfer is simply the sharing of personal data from one national jurisdiction to another.[8] It is not unknown that the global economy of the twenty-first century is heavily reliant on the quick and seamless exchange of data across international borders. However, cross-border data transfer poses a critical challenge to the reality of data privacy and protection in the general sense. It is often said that data is the new oil. This statement is a result of the fact that the generation of data keeps rising at an astronomical rate every day, with financial opportunities created for institutions and companies alike from data creation and sharing. Cross-border transfers enable Software as a Service (SaaS) companies to provide innovative, cutting-edge services to all economic sectors, paving the way for emerging technologies such as IoT and AI. In addition, it also promotes economic growth, health, safety, and the common good. However, a lot of jurisdictions are now placing a number of limitations in place to regulate the process of data management to ensure National security, protection of citizens’ data from misuse or compromise.

In view of this, countries, through their legislation on data protection, put restrictions on the sharing of data across borders to ensure data security and protection. However, looking at the provisions of the AfCFTA, which look to provide an unrestricted movement of goods and services among African countries that are parties to this agreement, raises a conflict with the needed restriction on cross-border data sharing.

Nigeria for instance, highlights the requirements to be fulfilled by data controllers and processors before the information of their data subjects can be shared across different jurisdictions. The Data Protection Act provides the basis, wit:[9]

“S. 41.(1.) A data controller or data processor shall not transfer or permit personal data to betransferred from Nigeria to another country, unless –

(a) the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with this Act; or

(b) One of the conditions set out in Section 43 of this Act applies.

(2) A data controller or data processor shall record the basis for the transfer of personal data to another country under subsection (l) and the adequacy of protection under section 42 of this Act.

(3) The Commission may make regulations requiring data controllers and data processors to notify it of the measures in place under subsection (1) and to explain their adequacy in terms of Section 42 of this Act.

(4) The Commission may, by regulations, designate categories of personal data that are subject to additional specific restrictions on transfer to another country based on the nature of such personal data and the risks to data subjects.”

Judging from the provisions of Section 41 of the Data Protection Act, it is clear that there is a set principle for data sharing, placing a corporate responsibility on data controllers and data processors to meet the requirements of the Act before a data subject’s data can be exported abroad. One of the major requirements to be fulfilled is for the receiving country to have an adequate level of protection for citizens’ data, which must be backed by relevant legal instruments and frameworks. However, one major backset that puts a clog in the wheel of the operation of the AfCFTA on the continent is the non-commendable approach of African countries to matters of data privacy and protection. Currently, there are only 36 out of 54 African countries that have legislation on data privacy [10]. It cannot be said that these countries have a robust framework for data protection, with some countries merely boasting of drafts and incomprehensive legislation. There is a conspicuous lack of uniform Laws and Legislation on data privacy in Africa compared to the General Data Protection Regulation (GDPR), to which virtually all European countries are parties, including the United Kingdom, despite BREXIT concerns. There is a high likelihood of interregional conflict concerning data sharing within the context of the AfCFTA.

THE IMPACT OF CROSS-BORDER TRANSFER WITHIN THE AfCFTA ON DATA PROTECTION LAWS

The Malabo Conference marked a significant milestone in the African Union’s efforts to establish a unified framework for data protection across the African continent. This convention represented the inaugural step in addressing not only cybercrime but also data protection issues within the region; unfortunately, only 15 countries have signed the provisions of the Malabo Conference into Law. If the African Community cannot find common ground on a unified data privacy instrument, what will then be the assurance that the free trade agreement signed will uphold the principles of data protection? The General Data Protection Regulation, which serves as the yardstick for data privacy and protection in Europe, makes provision for the following principles of data processing wit: Lawfulness, Fairness, and Transparency Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; Accountability.[11]

These principles have been inculcated in the African legislation on data privacy and protection, which begs the question of whether the African community is prepared to uphold these principles judging from the provisions of the AfCFTA. Nigeria’s recent adoption of the Organization for Economic Co-operation and Development’s (OECD) “Significant Economic Presence” rule in the country’s Finance Act 2020 is heavily based on data. It expands the tax net to cover multinationals using its citizens’ data. It is germane to consider that no country wants to give another country unregulated access to its data. Invariably, data issues have become a matter of dispute for sovereign states. Although AfCFTA has made the free flow of services and information possible, what has been done to protect that information? For member states to fully benefit from the digital economy aspect of international trade, they must recognize the fact that data is power and create effective regimes for data protection.[12]

The provisions of the AfCFTA rely on cross-border data flows or data storage, which typically aim to prohibit restrictions on the flow of data across borders. Depending on the exact formulation of such a rule, this could include preventing laws that require permission or consent to be given by users for the transfer of their data, Laws that require copies of data to be stored locally, Laws that require data to be ‘processed’ locally, or outright bans on such data transfers.The proponents of such provisions are keen to ensure that their companies can access and process the data of citizens in other countries without hindrance, as well as make use of foreign companies to provide services for data processing, should they so choose. They assert that restrictions on data transfers needlessly increase compliance costs for cross-border e-commerce businesses. Other countries argue that such provisions erode their legitimate capacity to restrict flows of their citizens’ data for reasons of data security, government surveillance, or to try to encourage foreign companies to set up data centers or processing operations locally for economic reasons.

The proposed effect of the AfCFTA is clear to see, as it can be deduced that there is a call for African countries to aid the practicality of the free trade agreement by allowing a free flow of data in a bid to harmonize digital trading across the African continent. However, the legal frameworks of certain African countries pose a serious challenge to the realization of the AU’s dream of free trade across the African continent. For instance, the ‘Cabinet Secretary may determine certain types of processing which may only be conducted through a server or data centre located in Kenya on the basis of strategic interests of the State or for the protection of revenue[13]

NIGERIA STANCE AND EXPECTED RESPONSE

The Data Protection Act provides a legal regime for Data Privacy and Protection in Nigeria [14] The Data Protection Act, enacted in Nigeria to provide a legal framework for data privacy and protection, serves as a fundamental safeguard for individuals’ personal data within the country. It outlines essential principles and standards governing the collection, processing, and transfer of personal data, in line with global data protection best practices. These principles encompass consent, transparency, data subject rights, and security measures to ensure the responsible handling of personal information. Nigeria faces a multifaceted challenge and opportunity concerning data privacy and protection. On one hand, the agreement presents a unique opportunity for economic growth and increased cross-border trade. On the other hand, the free flow of goods, services, and data across borders necessitates careful consideration of data privacy implications and potential risks.

  1. Harmonisation of Data Protection Laws: In a bid to materialise the content of the AfCFTA agreement, it is pertinent that Nigeria devises a strategy to harmonise its data protection laws to a continental standard to accommodate the needs of other African countries. However, this can only be achieved if members of this agreement align with the perspective of curating a shared data protection legislation to govern the conduct of cross border data transfer, while easing the complexities that they may accompany the agreement.
  2. Assessment of Cross Border Data Transfer Mechanisms: There is a need to lessen the harshness of the mechanisms surrounding the cross border data transfer if Nigeria is targeting to save its grappling economic situation.
  3. Capacity Building and Awareness: The information about data privacy and protection in Nigeria is deplorable,to ensure that there is an adequate awareness about data privacy and protection in Nigeria.

THE NEED FOR A UNIFORM AFRICAN DATA PROTECTION LEGISLATION

The United Nations Conference of Trade and Development underscores the importance of data protection, within the context of international trade. “Data protection is directly related to trade in goods and services in the digital economy. Insufficient protection can create negative market effects by reducing consumer confidence.” The importance of data protection in international trade and development cannot be undermined. The AfCFTA will no doubt bolster the economic situation of Africa as a continent, however, the growth and development of this instrument will be hindered by the lack of concrete stance on data protection mechanisms. Digital trade being unrestricted in the AfCFTA suggests the willingness of African countries to uphold a free flow of data across the continent and when data is involved, the security and protection of data has to be considered. Article 15 of the AfCFTA[15] modelled after the World Trade Organization’s (WTO) General Agreement on Trade in Services (GATS). However, it is not surprising that the provisions of this article does not provide a robust framework for data protection governance in the context of the free trade agreement.

As we look ahead to the possibilities of the free trade agreement, it is pertinent to note that to align the objectives of the FTA to data protection principles, there is a need for a unified data protection regulation. This unified policy should contain and regulate the following:

  • Definition, scope of coverage, and regional stance on data governance;
  • Rules for promoting seamless interoperability of cross-border data flows in a secure manner;
  • Minimum standards on ethical use of data;
  • Coordinated cybercrime Laws, procedures for conducting investigations into reports, and intelligence;
  • Coordinated approach on taxing borderless transactions concluded through digital channels;
  • Principles on data protection, data security and privacy;
  • Regulation on how open government data can be accessed;
  • Management of digital identities;
  • Data localization exceptions;[16]
  • Having a consolidated data protection law that governs these activities will be essential for the operations of the AfCFTA.

CONCLUSION

The digital revolution and data explosion across the globe has necessitated stronger data governance efforts. A robust data governance framework fosters good use of information, through rules, regulations, and policies that establish controls to ensure security, accountability, and trust. Increased data flows across borders add another level of complexity to data governance and demand greater action to ensure the protection and ethical use of data, especially citizens’ data when being collected, processed, and used. The AfCFTA provides a golden opportunity for African countries to pull itself from the ruins of poverty, substandard trade practices and investment. Nevertheless, to bring the Free Trade Agreement into fruition, it is imperative to harmonise policies that address the practical implementation of the AfCFTA.

FOOTNOTES

[1] World Bank, ‘The African Continental Free Trade Area’ https://www.worldbank.org/en/topic/trade/publication/the-african-continental-free-trade-area accessed 25 September, 2023

[2] African Union Press Release,

‘AU Member Countries Create History by Massively Signing the AfCFTA Agreement in Kigali’ https://au.int/en/pressreleases/20180321/au-member-countries-create-history-massively-signing-afcfta-agreement-kigali accessed 25 September, 2023

[3] Gill Press, ‘6 Predictions For The $203 Billion Big Data Analytics Market’

[4] Data Protection Act, s. 41

[5] Muhiz Adisa, ‘An Overview Of Cross-Border Transfer Of Personal Data In Nigeria’ https://www.mondaq.com/nigeria/privacy-protection/1337076/an-overview-of-cross-border-transfer-of-personal-data-in-nigeria accessed 26 September, 2023

[6] CFRN, s. 37

[7] Rob Keating, ‘Top 10 International Payment Gateways’ https://gocardless.com/guides/posts/top-international-payment-gateways/ accessed 26 September, 2023

[8] InCountry, ‘Guide to the Cross-border Transfer of Personal Data for Global Companies’ https://incountry.com/blog/guide-to-the-cross-border-transfer-of-personal-data-for-global-companies/#:~:text=What%20is%20cross%2Dborder%20data,of%20data%20across%20international%20borders. accessed 26 September, 2023

[9] Data Protection Act, s. 41

[10] Aissatou Sylla, ‘Recent developments in African Data Protection Laws – Outlook for 2023’ https://www.lexology.com/library/detail.aspx?g=baef72ee-10bd-4eb9-a614-a990c236bb45 accessed 26 September, 2023

[11] GDPR, Article 5

[12] S. Sogbetun, I. Moshood, ‘The Impact of Data Protection Rules on the Digital Economy Aspect of the African Continental Free Trade Agreement (AfCFTA)’ https://www.alp.company/resources/business-advisory/impact-data-protection-rules-digital-economy-aspect-african-continental accessed 26 September

[13] Kenya Data Protection Act, s. 50

[14] Nigeria Data Protection Act, s. 1

[15] “privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and account”

[16] CSEA Africa, ‘Strengthening Data Governance in Africa’ https://cseaafrica.org/wp-content/uploads/2021/08/Strengthening-Regional-Data-Governance-in-Africa-1.pdf accessed 26 September, 2023.

This Article Was Written By: Muyiwa a law student of Ekiti State University and may be reached on philipmuyiwa2017@gmail.com

lawpavilion

Recent Posts

NOTICE OF DISCLAIMER FOR WRONGFUL AND MISLEADING PUBLICATION

LawPavilion's attention has been drawn to a publication titled "Supreme Court Gives Landmark decisions on…

12 hours ago

20 Popular Acronyms Your Legal Team Must Know

Introduction  Acronyms and the legal profession are inseparable. Among the many facets of legal language,…

2 days ago

Legal Tech: A Step-by-Step Guide for Beginners

Introduction The legal industry is undergoing a significant transformation, driven by technological advancements. This shift…

2 days ago

Status of a Registered Chieftaincy Declaration

CASE TITLE: OGIEFO v. HRH JAFARU & ORS (2024) LPELR-62942(SC)JUDGMENT DATE: 19TH JULY, 2024PRACTICE AREA:…

2 days ago

Whether The Federal High Court and The State High Courts Have Concurrent Jurisdictions in Respect of Banker/Customer Relationships

CASE TITLE: FBN PLC & ANOR v. BEN-SEGBA TECHNICAL SERVICES LTD & ANOR (2024) LPELR-62998(SC)JUDGMENT…

2 days ago

Whether the EFCC can Investigate State House of Assembly Fund Disbursement and Administration

CASE TITLE: EFCC v. GOVT OF ZAMFARA STATE & ORS (2024) LPELR-62933(CA)JUDGMENT DATE: 20TH SEPTEMBER,…

2 days ago