Menu Close

An Analysis of Nigeria’s Legal Framework for Cross-Border Data the AFCFTA Perspective

Ajayi Philip Muyiwa


The African Continent in its vision to harmonise and unify trading among the region has curated an innovative yet complicated solution to the prevalent economic challenge in the continent. The AfCFTA is an ambitious trade pact to form the world’s largest free trade area by creating a single market for goods and services of almost 1.3 billion people across Africa and deepening the economic integration of the region. The trade area could have a combined gross domestic product of around $3.4 trillion,[1] but achieving its full potential depends on significant policy reforms, trade facilitation measures across African signatory nations and the cohesion of regulations of data sharing across borders in the context of this essay. The goal for shared prosperity beared by African countries was evident during the official opening ceremony of the 10th Extraordinary Summit of the AU Assembly of Heads of State and Government held on 21 March 2018, in Kigali, Republic of Rwanda.[2] This agreement signals the shared vision for African leaders to create a uniform market for the African Society in a bid to drive economic progress.

The data market is an ever growing industry which spurs a constant need for data security amidst measures to ensure the protection of citizens privacy and safety. In the first quarter of 2017, Forbes had projected that the data market will hit 200 billion dollars by the end of 2020.[3] In this light, it is trite that the impact of the  AfCFTA Agreement on cross border data transfer and the protection of Nigerians’ privacy in the African proposed uniform market is thoroughly examined. Nigeria’s Data Protection regime has set guidelines regulating the transfer of data across borders, the Nigeria Data Protection Act establishes a restriction on the transfer of data across borders with certain exceptions stipulated in the Act.[4] Unarguably, the AfCFTA will not only improve the overall economic situations of the African continent but will also enhance integration, unity and shared prosperity. While the AfCFTA has a plethora of opportunities, the risks it poses when data protection is concerned cannot be undermined.


The evolution of technology has ushered in a significant transformation in the landscape of international business interactions and global trade. This monumental shift has also exerted a profound influence on the dynamics of data exchange.[5] This article will examine the nature of cross border data transfer, the implications it has on the protection of data as contained in the Nigerian Constitution,[6] its legal and regulatory regime within the Nigerian legal landscape.

The never ending progress of technology in the digital world enlarges the need for data to be transferred from one country to the other. Take for instance, the growth of international payment systems like Paystack, Stripe, Amazon Pay[7] and other digital gateway systems who are leading  the financial technology industry with innovative features to help simplify payments for individuals, businesses and companies with no geographical bounds.

Cross border data transfer is simply the sharing of personal data from one national jurisdiction to another.[8] It is not unknown that the global economy of the twenty-first century is heavily reliant on the quick and seamless exchange of data across international borders. However, cross border data transfer poses a critical challenge to the reality of data privacy and protection in the general sense. It is often said that data is the new oil. This statement is as a result of  the fact that the generation of data keeps rising at an astronomical rate every day, with financial opportunities created for institutions and companies alike from data creation and sharing. Cross-border transfers enable Software as a Service(SaaS) companies to provide innovative, cutting-edge services to all economic sectors, paving the way for emerging technologies such as IoT and AI. In addition, it also promotes economic growth, health, safety, and common good. However, a lot of jurisdictions are now placing a number of limitations in place to regulate the process of data management to ensure National security, protection of citizens’ data from misuse or compromise.

In view of this, countries through their legislations on data protection put a restriction on the sharing of data across borders to ensure data security and protection. However, looking towards the provisions of the AfCFTA which looks to provide an unrestricted movement of goods and services among African countries who are parties to this agreement raises a conflict with the needed restriction on cross border data sharing.

Nigeria for instance highlights the requirements to be fulfilled by data controllers and processors before the information of their data subjects can be shared across to a different jurisdiction. The Data Protection provides the basis, wit:[9]

“S. 41.(1.) A data controller or data processor shall not transfer or permit personal data to be

transferred from Nigeria to another country, unless –

(a) the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with this Act; or

(b) one of the conditions set out in section 43 of this Act applies.

(2) A data controller or data processor shall record the basis for transfer of personal data to another country under subsection (l) and the adequacy of protection under section 42 of this Act.

(3) The Commission may make regulations requiring data controllers and data processors to notify it of the measures in place under subsection (1) and to explain their adequacy in terms of section 42 of this Act.

(4) The Commission may, by regulations, designate categories of personal data that are subject to additional specific restrictions on transfer to another country based on the nature of such personal data and risks to data subjects.”

Judging from the provisions of section 41 of the Data Protection Act, it is clear that there is a set principle for data sharing, placing a corporate responsibility on data controllers and data processors to meet the requirements of the Act before a data subject’s data can be exported abroad. One of the major requirements to be fulfilled is for the receiving country to have an adequate level of protection for citizens’ data and must be backed by relevant legal instruments and frameworks. However, one major backset that puts a clog in the wheel of the operation of the AfCFTA in the continent is the non commendable approach of African countries to the matters of data privacy and protection. Currently, there are only 36 out of 54 African countries who have a legislation on data privacy,[10] it cannot be said that these countries have a robust framework for data protection, with some countries merely boasting of drafts and incomprehensive legislations. There is a conspicuous lack of uniform laws and legislations on data privacy in Africa, compared to the General Data Protection Regulation (GDPR) which virtually all European Countries are party to including the United Kingdom despite BREXIT concerns. There is a high likelihood of inter regional conflict concerning data sharing within the context of the AfCFTA.


The Malabo Conference marked a significant milestone in the African Union’s efforts to establish a unified framework for data protection across the African continent. This convention represented the inaugural step in addressing not only cybercrime but also data protection issues within the region; unfortunately, only 15 countries have signed the provisions of the Malabo Conference into law. If the African Community cannot find a common ground on a unified data privacy instrument, what will then be the assurance that the free trade agreement signed will uphold the principles of data protection. The General Data Protection Regulation which serves as the yardstick for data privacy and protection in Europe makes provision for the principles of data processing wit: Lawfulness, fairness, and transparency Purpose limitation; Data minimisation; Accuracy; Storage limitations; Integrity and confidentiality; Accountability.[11]

These principles have been inculcated in the African legislations on data privacy and protection, which begs the question whether the African community is prepared to uphold these principles judging from  the provisions of the AfCFTA. Nigeria’s recent adoption of the Organization for Economic Co-operation and Development (OECD) “Significant Economic Presence” rule in the country’s Finance Act 2020 is heavily based on data. It expands the tax net to cover multinationals using its citizens’ data. It is germane to consider that no country wants to give another country unregulated access to its data. Invariably, data issues have become a matter of disputes for sovereign states. Although AfCFTA has made free flow of services and information possible, what has it done to protect that information? For member states to benefit fully from the digital economy aspect of international trade, they must recognize the fact that data is power and create effective regimes for data protection.[12]

The provisions of the AfCFTA relies on cross-border data flows or data storage which typically aim to prohibit restrictions on the flow of data across borders. Depending on the exact formulation of such a rule, this could include preventing laws that require permission or consent to be given by users for the transfer of their data, laws that require copies of data to be stored locally, laws that require data to be ‘processed’ locally, or outright bans on such data transfers.The proponents of such provisions are keen to ensure that their companies can access and process the data of citizens in other countries without hindrance, as well as make use of foreign companies to provide services for data processing, should they so choose. They assert that restrictions on data transfers needlessly increase compliance costs for cross-border e-commerce businesses. Other countries argue that such provisions erode their legitimate capacity to restrict flows of their citizens’ data for reasons of data security, government surveillance, or to try to encourage foreign companies to set up data centres or processing operations locally for economic reasons.

The proposed effect of the AfCFTA is clear to see, as it can be deduced that there is a call for African countries to aid the practicality of the free trade agreement by allowing a free flow of data in a bid to harmonise digital trading across the African continent. However, the legal frameworks of certain African countries pose a serious challenge to the realisation of the AU’s dream of free trade across the African continent. For instance, the ‘Cabinet Secretary may determine certain types of processing which may only be conducted through a server or data centre located in Kenya on the basis  of strategic interests of the State or for the protection of revenue’[13]


The Data Protection Act provides a legal regime for data privacy and protection in Nigeria[14] The Data Protection Act, enacted in Nigeria to provide a legal framework for data privacy and protection, serves as a fundamental safeguard for individuals’ personal data within the country. It outlines essential principles and standards governing the collection, processing, and transfer of personal data, in line with global data protection best practices. These principles encompass consent, transparency, data subject rights, and security measures to ensure the responsible handling of personal information. Nigeria faces a multifaceted challenge and opportunity concerning data privacy and protection. On one hand, the agreement presents a unique opportunity for economic growth and increased cross-border trade. On the other hand, the free flow of goods, services, and data across borders necessitates careful consideration of data privacy implications and potential risks.

  1. Harmonisation of Data Protection Laws: In a bid to materialise the content of the AfCFTA agreement, it is pertinent that  Nigeria devises a strategy to harmonise its data protection laws to a continental standard to accommodate the needs of other African countries. However, this can only be achieved if members of this agreement align with the perspective of curating a shared data protection legislation to govern the conduct of cross border data transfer, while easing the complexities that they may accompany the agreement.
  2. Assessment of Cross Border Data Transfer Mechanisms: There is a need to lessen the harshness of the mechanisms surrounding the cross border data transfer if Nigeria is targeting to save its grappling economic situation.
  3. Capacity Building and Awareness: The information about data privacy and protection in Nigeria is deplorable,to ensure that there is an adequate awareness about data privacy and protection in Nigeria.


The United Nations Conference of Trade and Development underscores the importance of data protection, within the context of international trade. “Data protection is directly related to trade in goods and services in the digital economy. Insufficient protection can create negative market effects by reducing consumer confidence.” The importance of data protection in international trade and development cannot be undermined. The AfCFTA will no doubt bolster the economic situation of Africa as a continent, however, the growth and development of this instrument will be hindered by the lack of concrete stance on data protection mechanisms. Digital trade being unrestricted in the AfCFTA suggests the willingness of African countries to uphold a free flow of data across the continent and when data is involved, the security and protection of data has to be considered.  Article 15 of the AfCFTA[15] modelled after the World Trade Organization’s (WTO) General Agreement on Trade in Services (GATS). However, it is not surprising that the provisions of  this article does not provide a robust framework for data protection governance in the context of the free trade agreement.

As we look ahead to the possibilities of the free trade agreement, it is pertinent to note that to align the objectives of the FTA to data protection principles, there is a need for a unified data protection regulation. This unified policy should contain and regulate the following:

  1. Definition, scope of coverage, and regional stance on data governance;
  2. Rules for promoting seamless interoperability of cross-border data flows in a secure manner;
  3. Minimum standards on ethical use of data;
  4. Coordinated cybercrime laws, procedures for conducting investigations into reports, and intelligence;
  5. Coordinated approach on taxing borderless transactions concluded through digital channels;
  6. Principles on data protection, data security and privacy;
  7. Regulation on how open government data can be accessed;
  8. Management of digital identities;
  9. Data localization exceptions;[16]

Having a consolidated data protection law that governs these activities will be essential for the operations of the AfCFTA.


The digital revolution and data explosion across the globe has necessitated stronger data governance efforts. A robust data governance framework fosters good use of information, through rules, regulations, and policies that establish controls to ensure security, accountability, and trust. Increased data flows across borders add another level of complexity to data governance and demand greater action to ensure the protection and ethical use of data, especially citizens’ data when being collected, processed, and used. The AfCFTA provides a golden opportunity for African countries to pull itself from the ruins of poverty, substandard trade practices and investment. Nevertheless, to bring the Free Trade Agreement into fruition, it is imperative to harmonise policies that address the practical implementation of the AfCFTA.

Muyiwa is a law student of Ekiti State University and may be reached on


[1] World Bank, ‘The African Continental Free Trade Area’  accessed 25 September, 2023

[2] African Union Press Release,

‘AU Member Countries Create History by Massively Signing the AfCFTA Agreement in Kigali’ accessed 25 September, 2023

[3] Gill Press, ‘6 Predictions For The $203 Billion Big Data Analytics Market’

[4] Data Protection Act, s. 41

[5] Muhiz Adisa, ‘An Overview Of Cross-Border Transfer Of Personal Data In Nigeria’ accessed 26 September, 2023

[6] CFRN, s. 37

[7] Rob Keating, ‘Top 10 International Payment Gateways’ accessed 26 September, 2023

[8] InCountry, ‘Guide to the Cross-border Transfer of Personal Data for Global Companies’,of%20data%20across%20international%20borders. accessed 26 September, 2023

[9] Data Protection Act, s. 41

[10] Aissatou Sylla, ‘Recent developments in African Data Protection Laws – Outlook for 2023’ accessed 26 September, 2023

[11] GDPR, Article 5

[12] S. Sogbetun, I. Moshood,  ‘The Impact of Data Protection Rules on the Digital Economy Aspect of the African Continental Free Trade Agreement (AfCFTA)’ accessed 26 September

[13] Kenya Data Protection Act, s. 50

[14] Nigeria Data Protection Act, s. 1

[15] “privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and account”

[16] CSEA Africa, ‘Strengthening Data Governance in Africa’ accessed 26 September, 2023.

Share on

Leave a Reply

Your email address will not be published. Required fields are marked *