GDPR – Its Effect on Non-EU Member States (Nigeria)



The European Union General Data Protection Regulation (GDPR) became effective in May 2018 to replace
the Data Protection Directive 95/46/EC1 as it is designed to harmonize data privacy laws across Europe,
protect and empower all European Union (EU) citizens data privacy and reshape the way organizations
across the World approach data privacy.

The world is a global village where economic and social integration has led to a substantial increase in cross-border flows of personal data. Technology allows various organizations to make use of personal data to
pursue their activities hence the need for a framework on the protection. The aim of the GDPR is to protect
all EU citizens from privacy and data breaches in today’s data-driven world.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a standardized data protection law across all 28 European
Union (EU) countries that addresses the protection of personal data of all data subjects (Individuals) within
the EU, the free movement of such data within the EU and the export of such data outside the EU.

Application of The Regulation

GDPR applies to:

1. Data handlers (controllers2 and processers3) established in the EU regardless of whether their data processing activities take place in the EU or not.

2. Personal data of individuals who are in the EU, whose data are being processed by a controller or
processor established outside the EU who offer goods and services to such individuals or where such
individual’s behaviour in the EU is being monitored by the controller or processor.

3. Controllers and processors not established in the EU who process personal data of individuals in a
place where an EU member state’s law applies by virtue of public international law.4

The GDPR Principles on Data Protection

To further expatiate on this, the EU General Data Protection Regulation (GDPR) outlines six data protection
principles that organisations need to follow when collecting, processing and storing individuals’ personal
data. The data controller is responsible for complying with the principles and must be able to demonstrate
the organisation’s compliance practices. These principles are:

1. Lawfulness, Fairness and Transparency: Organisations will need to make sure they are law abiding in
their data collection practices and that they are not hiding anything from data subjects.

2. Purpose Limitation: Organisations are to collect personal data for a specific purpose which is to be
clearly stated and for as long as necessary to complete that purpose. Processing that is done for
archiving purposes in the public interest or for scientific, historical or statistical purposes can be kept
for a longer period.

3. Data Minimisation: Organizations are to process only personal data that are relevant to their purpose
of processing.

4. Accuracy: The GDPR states that “every reasonable step must be taken” to erase or rectify data that is
inaccurate or incomplete. Individuals have the right to request that inaccurate or incomplete data be
erased or rectified.

5. Storage Limitation: Organizations are to delete personal data immediately it is no longer needed.

6. Integrity and Confidentiality: The GDPR states that personal data must be “processed in a manner
that ensures appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate technical
or organisational measures.

The Effect of GDPR on Non-EU State – extraterritorial applicability

An expanded read of Article 3 of the GDPR6 shows that the regulation does not only apply to businesses in the EU but extends to businesses outside EU States who market goods or services to individuals in the EU.

This includes data collected in connection with goods and services offered to such individuals or the
monitoring of their behaviour as far as their behaviour takes place within the EU.

The actual wordings of Article 3 of the GDPR does not make any reference to citizenship, it applies to any
‘data subject’ in the EU, i.e. a person living in the EU. Notably, Article 3(2) applies to the processing of personal
data of any individual “in the EU” hence, individual’s nationality or residence is irrelevant. The GDPR protects
the personal data of citizens, residents, tourists, and other persons visiting the EU. So, provided an individual
is in the EU, any personal information of that person collected by any controller or processor who meets the
requirements of Article 3(2) is subject to the GDPR. 

The Court Justice of European Union (CJEU) may have examined when an activity (such as offering goods
and services) will be considered “directed to EU Member States in a separate context” under the “Brussels
1” Regulation (44/2001/EC) governing “jurisdiction…”

The CJEU’s notable illustration boarders around the “international nature” of the relevant activity (e.g. certain
tourist activities) as mentions of telephone numbers with an international code, use of a top-level domain
name other than that of the state in which the trader is established (such as .uk .de or .eu), the description
of “itineraries…from Member States to the place where the service is provided” and mentions of an
“international clientele composed of customers domiciled in various Member States” could all form activity
of offering goods and services to EU States.

This list is not exhaustive, and the question would be determined on a case-by-case basis.7
This implies that businesses in non-EU states whose scope of operations fall within the provisions of Article
3 of the GDPR will have to comply with the Regulation to avoid facing penalties.

GDPR and Nigeria

It is an established fact that privacy in Nigeria is a fundamental right guaranteed by the Constitution.
Section 37 of the Constitution provides that:

The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic
communications is hereby guaranteed and protected”

Besides the above provisions of the constitution which is not copious enough for the protection of the
privacy of individuals’ data, there is presently no comprehensive data privacy or personal information
protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals. This
poses a problem to data processing companies in Nigeria who will have to adjust to the provisions of the
GDPR even though they have had a long period of non-compliance to any data protection law whatsoever
save for selected sectors like the communications industry. This invariably means that Nigerian businesses
that have anything to do with data emanating from European Countries may have to rethink their strategy
in line with the (GDPR) and they will need to change the way they view and use data9 or face the penalties
of non-compliance.

Given that compliance with the GDPR will be a continuous affair, experts in GDPR law compliance have come
up with strategies on how companies in Nigeria can comply easily with the EU’s data protection law and
remain competitive in global businesses within and outside of the EU member countries. Some of the
strategies include awareness creation, training, making companies GDPR ready, engagement and building
of expertise skills on data laws, among others.

The GDPR is a welcome development in our data driven world. With the introduction of the Regulation, data
subjects are assured of the control of their personal data as controllers and processors must ensure that
the processing of data is lawful, fair and transparent. Non-compliance with this requirement will attract
heavy penalties on the controllers and processors in EU and non-EU states.


1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to
the processing of personal data and on the free movement of such data

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or
Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation) (Text with EEA relevance)

(Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Joined cases (C-585/08) and

1999 Constitution (As Amended) of The Federal Republic of Nigeria

Article 83 of the General Data Protection Regulations. Organizations in breach of GDPR can be fined up to 4% of annual
global turnover or €20 Million (whichever is greater).

This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts

What do you think?