Cross-Border Data Transfers in Nigeria – U.S. SaaS Companies
U.S. companies dominate Nigeria’s SaaS landscape. From Google Workspace and Microsoft 365 to Zoom, Salesforce, and AWS, American providers power much of Nigeria’s digital economy. But serving Nigerian customers means handling Nigerian Personal Data and that brings into play the Nigeria Data Protection Act (NDPA) 2023. For DPOs and privacy counsel of U.S. SaaS companies and Nigerian customers, one big challenge is ensuring lawful Cross-Border data transfers. This article explains the rules and what NDPA compliance for U.S. SaaS companies requires in practice.
General Rules on Cross-Border Transfers in Nigeria
Under the NDPA and its General Application and Implementation Directive (GAID), Personal Data may only leave Nigeria if (a) The destination country is recognised by the NDPC as providing an adequate level of protection; (b) The transfer is covered by a Cross-Border Data Transfer Instrument (CBDTI), such as Standard Contractual Clauses (SCCs), codes of conduct, or certification mechanisms. (c) A recognised exception applies, such as explicit data subject consent, the performance of a contract, protection of vital interests, or important public interest.
Cross-Border Transfers to the U.S.
Nigeria does not recognise the United States as having an adequate level of data protection. This means Nigerian Personal Data cannot be transferred to U.S. servers unless a valid safeguard is in place. For U.S. SaaS providers looking to comply with the NDPA, the most realistic safeguard may be the adoption of SCCs. There are a number of reasons for this view. Firstly, SCCs are regulator-approved clauses that bind both the Nigerian customer (data exporter) and the U.S. SaaS provider (data importer) to strict obligations. SCCs also grant Nigerian data subjects enforceable rights even if their data is processed in the U.S. Lastly, the NDPA explicitly recognises SCCs as valid Cross-Border data transfer instruments.
Although the NDPA also allows Cross-Border transfers based on data subject consent, we generally consider consent to be a weak and risky basis for SaaS companies, because any such consent must be informed, specific, and revocable at any time. Thus, relying on consent alone is insufficient for serious compliance.
Key Takeaways for U.S. SaaS Companies
Proactive NDPA compliance on cross-border transfers is not just about regulation. NDPA Compliance can also have some commercial advantages. Firstly, Nigerian companies procuring SaaS are required to conduct due diligence on their vendors. Thus, ensuring that SaaS contracts are already NDPA-Compliant and strategic. Failing to prepare puts the burden back on the Nigeria prospect/customer and would typically mean contracting slows down. Also, legal teams are forced to negotiate additional protections, and prospects face avoidable regulatory risk. By contrast, U.S. SaaS companies that can demonstrate compliance up front will close deals faster, reduce friction in procurement, and position themselves as trusted partners in Nigeria’s regulated digital economy.
Balogun Harold insights are shared for general informational purposes only and does not constitute legal advice. For tailored guidance, please contact our Technology and Data Protection Lawyers at bhlegalsupport@balogunharold.com

Kunle A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)
Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
k.adewale@balogunharold.com
Olu A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)
Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
olu@balogunharold.com
Esther O.
LL.B. (OOU), B.L. (Nigeria)
Esther is a Legal Analyst at Balogun Harold.
Related Articles
The Host Community Development Trust: Key Commercial Issues
A central issue concerns the scope of the powers of the Nigerian Midstream and Downstream Petroleum Regulatory Authority to issue the Midstream Petroleum (Host Communities Development Trust) Regulations 2024.
Payment Transaction Data Localisation in Nigeria: New CBN Rules and Their Legal Implications
While the CBN payment transaction data directive appears straightforward, its legal implications depend on how its key requirements are interpreted and operationalised in practice.
The Legal Framework for Classified Information in Nigeria: Key Considerations
It would be prudent for the Federal Government undertake a comprehensive review of the Official Secrets Act to ensure that it reflects contemporary national security, technological and governance realities.
Data Localisation in Nigeria: Key Considerations for Cloud Service Providers and AI Companies
Nigeria does not yet have a single, economy-wide data localisation statute. Instead, the regime has developed incrementally on a sector-by-sector basis, through a combination of primary legislation, sectoral regulations, licensing conditions, and regulatory guidelines issued by agencies