Cross-Border Data Transfers from Nigeria


The Nigeria Data Protection Act 2023 (NDPA) and its General Application and Implementation Directive 2025 (GAID) impose clear conditions on the transfer of personal data from Nigeria to any other country. These conditions apply regardless of how routine the transfer appears and regardless of how reputable the foreign provider is. If your product involves personal data, and virtually every modern business's product does, the NDPA’s cross-border transfer rules apply to you.

The Invisible Transfer

A cross-border data transfer occurs any time personal data is processed on servers outside Nigeria, not just when files are deliberately sent abroad. The distinction matters, because modern software infrastructure is almost entirely international by default.

When a Nigerian startup hosts its application on Google Cloud or AWS, customer data is processed on servers in Ireland or Virginia. When it routes a user query through an AI API such as OpenAI’s or Anthropic’s, that conversation is personal data being processed in the United States, on every single interaction. When its team uses Slack, HubSpot, or Mailchimp, user data flows through foreign data centres. Each of these is a cross-border transfer that must be supported by a lawful mechanism under the NDPA.

The most common response when founders first hear this is denial. “We don’t send data abroad.” But if you use Gmail, you do. If your app is hosted anywhere outside Nigeria, you do. The infrastructure of modern software is inherently international.

The picture extends further than most founders realise. Access to data is itself a form of processing. A co-founder in the UK who logs into your admin dashboard, an overseas investor who receives a data export during due diligence, a parent company’s engineering team with server access: all of these constitute cross-border transfers. The question is not only where the data is stored, but where it is accessed.

What the Law Requires

The governing provisions are Sections 41 to 43 of the NDPA, operationalised by Article 45 and Schedule 5 of the GAID 2025. The framework rests on a single demanding principle: personal data may not leave Nigeria unless the destination provides protection substantially equivalent to Nigerian law.

The NDPA recognises a hierarchy of mechanisms for achieving this. First is an adequacy determination, where the NDPC formally declares a country sufficiently protective. Next are Cross-Border Data Transfer Instruments (CBDTIs), legally binding agreements that impose NDPA-equivalent obligations on the foreign recipient. At the base, for narrow exceptional cases only, are derogations covering individual consent, contractual necessity, vital interests, and fiduciary obligations.

In practice, adequacy is not currently available as a route. The old NITDA whitelist that businesses relied on under the 2019 NDPR (covering EEA states, the UK, Canada, Israel, and others) was set aside by a Federal High Court in November 2023 and formally superseded by the GAID 2025. The NDPC has not yet issued an updated list. For virtually every international transfer a Nigerian business makes today, the practical lawful mechanism is a CBDTI: a signed Data Processing Agreement (DPA) binding the foreign recipient to NDPA standards, submitted to the NDPC for approval.

For multinational groups, an alternative is Binding Corporate Rules, a group-wide policy approved by the NDPC governing data flows across all entities. The GAID also recognises approved codes of conduct and certification mechanisms. The derogations, by contrast, are deliberately narrow and unsuitable for routine commercial processing. Routing user data through an American analytics platform cannot be justified on the basis of consent alone.

GDPR Compliance Is Not Enough

Many Nigerian startups assume that because their foreign vendors are GDPR-compliant, their NDPA obligations are satisfied. This is incorrect. The two frameworks are similar in structure but differ in specific requirements. A DPA drafted only with European law in mind may not satisfy Nigerian law without supplementary terms. Any agreement you rely on for NDPA purposes must be reviewed against Nigerian, not EU, requirements.

The Compliance Framework

Know Your Classification

The NDPA’s full compliance obligations apply to Data Controllers or Processors of Major Importance (DCPMIs): organisations that process personal data of more than 200 individuals within six months, or that operate in regulated sectors including financial services, health, education, insurance, aviation, and e-commerce. The 200-person threshold is lower than most founders expect; a fintech with a few hundred active users is already a DCPMI. DCPMIs must register with the NDPC, appoint a Data Protection Officer, engage a licensed DPCO, and file annual Compliance Audit Returns.

Map Your Data Flows

Before any mechanism can be put in place, you need to know where your data goes. This means building a complete map of every service, platform, and individual outside Nigeria that receives personal data from your operations, recording what data is involved, which country the recipient is in, and what safeguards exist. This exercise routinely surprises businesses: a startup that believes it has a handful of international data flows often discovers fifteen or twenty when it examines its full technology stack carefully.

Execute Your Data Processing Agreements

For most transfers, the practical legal basis is a signed DPA with the foreign recipient. Virtually every major cloud and SaaS provider (AWS, Google, Microsoft, Stripe, OpenAI, HubSpot, Salesforce, Slack) makes a standard DPA available. The gap in most Nigerian startups is not that these agreements do not exist. It is that nobody has signed them. Where you are relying on a custom or novel CBDTI rather than a standard provider agreement, the instrument must be submitted to the NDPC for approval before the transfer begins.

Conduct a DPIA and Update Your Privacy Notice

The GAID 2025 classifies cross-border transfers as inherently high-risk, triggering a mandatory Data Protection Impact Assessment before the transfer begins. The DPIA must be filed with the NDPC. In parallel, your privacy notice must specifically name the countries your data goes to and the safeguards in place for each; general language about “international transfers” is not sufficient. Every foreign recipient must also be logged in your Record of Processing Activities (ROPA), which must be kept current as your technology stack evolves.

Sector-Specific Considerations

Fintech companies face a dual regulatory burden that many overlook. The CBN’s Regulatory Framework for BVN Operations prohibits the transfer of BVN data outside Nigeria without the CBN’s express prior approval, a requirement that sits entirely separately from the NDPA. A CBDTI approved by the NDPC does not satisfy this restriction. Most Nigerian fintechs use BVN data for identity verification and must navigate both regulators simultaneously.

Healthtech companies handle data that qualifies as sensitive personal data under the NDPA, attracting heightened obligations and closer regulatory scrutiny on any international transfer. Companies with foreign investors, board members, or parent companies that access Nigerian user data for governance purposes must ensure those arrangements are covered by appropriate intra-group agreements; board portals, data rooms, and investor reporting platforms all potentially trigger the transfer rules.

The Enforcement Picture

Enforcement is no longer a future concern. In 2024, the NDPC fined MultiChoice Nigeria ₦766,242,500 for violations including unlawful cross-border transfers. In 2025, Meta was assessed a remedial fee of USD 32.8 million for similar failures. The Commission has issued Compliance Notices to over a thousand organisations in structured sector-wide investigations.

The NDPC has shown it is willing to go after household names. A startup that assumes it is too small to attract attention is making a strategic error. Enforcement often begins with a complaint, and a single data subject complaint can open a full investigation.

Beyond regulatory fines, which can reach ₦10 million or two percent of annual gross revenue, whichever is greater, non-compliance carries commercial risk. International investors increasingly treat NDPA compliance as a governance indicator during due diligence. A startup that cannot produce its DPAs, DPIAs, and ROPA signals infrastructure immaturity, and that creates deal risk. This has, in demonstrable cases, caused funding rounds to stall.

Where to Begin

The framework is logical and the path to compliance is achievable. Start with an honest data flow map: list every tool your company uses that touches personal data and determine which of them process that data outside Nigeria. From there: register with the NDPC if you have not; execute DPAs with your foreign vendors, starting with your cloud host and highest-volume SaaS tools; update your privacy notice; engage a licensed DPCO before the 30 May 2026 CAR deadline; appoint a DPO if you qualify as a DCPMI.

The NDPA reflects a considered judgment that the personal data of Nigerian citizens deserves legal protection wherever it travels. For startups building products that people trust with their financial details, health data, and identities, compliance is not just a legal obligation. It is part of what it means to build something worthy of that trust.
