Cross-Border Data Transfers in Nigeria – U.S. SaaS Companies

U.S. companies dominate Nigeria’s SaaS landscape. From Google Workspace and Microsoft 365 to Zoom, Salesforce, and AWS, American providers power much of Nigeria’s digital economy. But serving Nigerian customers means handling Nigerian Personal Data  and that brings into play the Nigeria Data Protection Act (NDPA) 2023. For DPOs and privacy counsel of U.S. SaaS companies and Nigerian customers, one big challenge is ensuring lawful Cross-Border data transfers. This article explains the rules and what NDPA compliance for U.S. SaaS companies requires in practice.

General Rules on Cross-Border Transfers in Nigeria

Under the NDPA and its General Application and Implementation Directive (GAID), Personal Data may only leave Nigeria if (a) The destination country is recognised by the NDPC as providing an adequate level of protection; (b) The transfer is covered by a Cross-Border Data Transfer Instrument (CBDTI), such as Standard Contractual Clauses (SCCs), codes of conduct, or certification mechanisms. (c) A recognised exception applies, such as explicit data subject consent, the performance of a contract, protection of vital interests, or important public interest.

Cross-Border Transfers to the U.S. 

Nigeria does not recognise the United States as having an adequate level of data protection. This means Nigerian Personal Data cannot be transferred to U.S. servers unless a valid safeguard is in place. For U.S. SaaS providers looking to comply with the NDPA, the most realistic safeguard may be the adoption of SCCs. There are a number of reasons for this view. Firstly, SCCs are regulator-approved clauses that bind both the Nigerian customer (data exporter) and the U.S. SaaS provider (data importer) to strict obligations. SCCs also grant Nigerian data subjects enforceable rights even if their data is processed in the U.S. Lastly, the NDPA explicitly recognises SCCs as valid Cross-Border data transfer instruments.

Although the NDPA also allows Cross-Border transfers based on data subject consent, we generally consider consent to be a weak and risky basis for SaaS companies, because any such consent must be informed, specific, and revocable at any time. Thus, relying on consent alone is insufficient for serious compliance.

Key Takeaways for U.S. SaaS Companies

Proactive NDPA compliance on cross-border transfers is not just about regulation. NDPA Compliance can also have some commercial advantages. Firstly, Nigerian companies procuring SaaS are required to conduct due diligence on their vendors.  Thus, ensuring that SaaS contracts are already NDPA-Compliant and strategic. Failing to prepare puts the burden back on the Nigeria prospect/customer and would typically mean contracting slows down. Also, legal teams are forced to negotiate additional protections, and prospects face avoidable regulatory risk. By contrast, U.S. SaaS companies that can demonstrate compliance up front will close deals faster, reduce friction in procurement, and position themselves as trusted partners in Nigeria’s regulated digital economy.

Balogun Harold insights are shared for general informational purposes only and does not constitute legal advice. For tailored guidance, please contact our Technology and Data Protection Lawyers at bhlegalsupport@balogunharold.com