Memorandum of Understanding (Nigeria Data Protection Commission)

MEMORANDUM OF UNDERSTANDING
BETWEEN
PRIVACY COMMISSIONER OF CANADA
AND
NIGERIA DATA PROTECTION COMMISSION
ON
DATA PRIVACY AND PROTECTION KNOWLEDGE EXCHANGE AND MUTUAL ASSISTANCE ON INFORMATION SHARING

---

The Privacy Commissioner of Canada (PCC) and the Nigeria Data Protection Commission (NDPC), (the “Participants”) in:

ACKNOWLEDGING the increasing complexity and pervasiveness of information technologies and the consequent need for Data Protection Authorities to stay abreast of technological advancements and evolving best practices in data protection and privacy;

UNDERSTANDING the critical role of knowledge exchange in enhancing the capacity of Data Protection Authorities to effectively safeguard personal information, ensure compliance with data protection laws, and address cross-border data protection and privacy issues;

EMPHASIZING the importance of mutual legal assistance and inter-governmental information sharing to facilitate the enforcement of data protection laws, promote transparency, and protect the privacy rights of individuals in an increasingly interconnected world;

AFFIRMING the commitment to fostering a collaborative environment that promotes the exchange of knowledge, research, and technical expertise between data protection authorities to advance the protection of personal data, address common challenges and enforce data protection regulations;

RECOGNIZING that s. 14 (1) (c) of the Nigeria Data Protection Act, 2023 (NDP Act) authorizes the National Commissioner to be responsible for the execution of the policies and administration of the affairs of the NDPC;

RECOGNIZING that s. 5 (i)(o) of the NDP Act, empowers NDPC to ensure compliance with national and international personal data protection obligations and best practices; and to carry out other legal actions as are necessary for the performance of the functions of the Commission;

RECOGNIZING that s. 23.1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 authorizes the Privacy Commissioner of Canada (PCC) to share information with the authorities from other countries that have responsibilities relating to the protection of personal information in the private sector;

RECOGNIZING the role of each Participant and the importance of practical working-level arrangements between the Office of Privacy Commissioner of Canada and the Nigeria Data Protection Commission;

HAVE REACHED THE FOLLOWING UNDERSTANDING:

1. Definitions

   For the purposes of this Memorandum,

   1. “Applicable Privacy Law” means the laws and regulations of the country of each Participant on personal data protection and privacy.

      In the case of the Privacy Commissioner of Canada, “Applicable Privacy Law” means Part 1 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”).

      In the case of the National Commissioner of NDPC, it means the Nigeria Data Protection Act, 2023; this includes any amendments to the Participants’ Applicable Privacy Laws.

      Other laws or regulations as the Participants may, from time to time, jointly decide in writing to be an Applicable Privacy Law for the purposes of this Memorandum.

   2. “Confidential Information” means any non-public information, including information subject to obligations regarding confidentiality or privacy, including information that is sensitive for national security reasons, personally identifiable information, and confidential commercial or financial information including such information about third parties.
   3. “Covered Privacy Contravention” means conduct that would be in contravention of the Applicable Privacy Laws of one Participant’s country and that is the same or substantially similar to conduct that would be in contravention of the Applicable Privacy Laws of the other Participant’s country.
   4. “Person” means any natural person or legal entity, including any corporation, unincorporated association, or partnership.
   5. “Request for Assistance” means procedures relating to Mutual Assistance under this Memorandum.
   6. “Requested Participant” means the Participant from which assistance is sought under this Memorandum, or which has provided such assistance.
   7. “Requesting Participant” means the Participant seeking or receiving assistance under this Memorandum.
2. Objectives and Scope
   1. The Participants understand that it is in their common interest to:
      1. facilitate the sharing of expertise, best practices, and regulatory experiences in relation to legal frameworks, and enforcement mechanisms, in the field of data protection and privacy;
      2. facilitate research and education related to the protection of personal information;
      3. establish structured channels for communication and cooperation to address cross-border data protection issues and ensure mutual assistance effectively;
      4. promote a better understanding by each Participant of economic and legal conditions relevant to the implementation of the Applicable Privacy Laws and promotion of data protection and privacy best practices;
      5. communicate as needed to discuss matters of mutual interest and to enhance regulatory cooperation;
      6. consult each other at an early stage on any issues that have significant implications for both Participants; and
      7. keep each other informed of developments in their respective countries having a bearing on this Memorandum.
   2. In furtherance of these common interests, and subject to Section IV, the Participants will use their best efforts to:
      1. exchange and provide relevant information in relation to matters within the scope of the Memorandum, such as information relevant to consumer and business education; government and self-regulatory best practice solutions; amendments to relevant legislation; and staffing and resource issues. This can include staff exchanges to facilitate knowledge sharing and develop cross-border cooperation between participants.
3. Procedures Relating to Mutual Assistance
   1. Each Participant will designate a primary contact for the purposes of Request for Assistance and other communications under this Memorandum.
   2. When a Request for Assistance is initiated, Participants will ensure that:
      1. A Request for Assistance includes sufficient information to enable the Requested Participant to determine whether a request relates to a Covered Privacy Contravention and to take action in appropriate circumstances. Such information may include a description of the facts underlying the request and the type of assistance sought, as well as an indication of any special precautions that should be taken while fulfilling the request.
      2. A Request for Assistance specify the purpose for which the information requested will be used.
      3. Prior to initiating a Request for Assistance, Participants perform a preliminary query to ensure that the request is consistent with the scope of this Memorandum and does not impose an excessive burden on the Requested Participant.
   3. Participants intend to communicate and cooperate as appropriate, about matters that may further the regulation of Privacy Laws and develop expertise in data protection and privacy.
   4. The Participants will notify each other without delay, if they become aware that information shared under this Memorandum is not accurate, complete, and up-to-date.
   5. Participants will use their best efforts to resolve any disagreements related to cooperation that may arise under this Memorandum through the contacts designated under Section III (A), and, failing resolution in a reasonably timely manner, by discussion between the Participants.
4. Limitations on Assistance and Use
   1. The Requested Participant may exercise its discretion to decline the request for assistance, or limit or condition its cooperation, in particular where it is outside the scope of this Memorandum, or more generally where it would be inconsistent with domestic laws, or important interests or priorities. The Requesting Participant may request the reasons for which the Requested Participant declined or provided limited assistance.
   2. Participants will only share personal information pursuant to this Memorandum to the extent that it is necessary for fulfilling the purposes of this Memorandum, and will, wherever possible, use best efforts to obtain the consent of the individual(s) concerned before doing so.
   3. For greater certainty, the Participants will not share Confidential Information unless it is for the purpose set out in Section II.B.1.
   4. Participants will not use any information obtained from the Requested Participant for purposes other than those for which the information was originally shared.
5. Confidentiality
1. Information shared under this Memorandum is to be treated as confidential and will not be further disclosed without the consent of the other Participant.
2. Each participant will use best efforts to safeguard the security of any information received under this Memorandum and respect any safeguards agreed to by the Participants. In the event of any unauthorized access or disclosure of the information, the Participants will take all reasonable steps to prevent a recurrence of the event and will promptly notify the other Participant of the occurrence.
3. The Participants will oppose, to the fullest extent possible consistent with their countries’ laws, any application by a third party for disclosure of confidential information or materials received from Requested Participants, unless the Requested Participant consents to its release. The Participant who receives such an application will notify forthwith the Participant that provided it with the confidential information.
6. Changes in Applicable Privacy Laws

   In the event of a significant modification to the Applicable Privacy Laws of a Participant’s country, the Participants will use their best efforts to consult promptly, and, if possible, prior to the entry into force of such enactments, to determine whether to amend this Memorandum.

7. Retention of Information

   Information received under this Memorandum will not be retained for longer than is required to fulfil the purpose for which it was shared or than is required by the Requesting Participant’s country’s laws. The Participants will use best efforts to return any information that is no longer required if the Requested Participant makes a written request that such information be returned at the time it is shared. If no request for return of the information is made, the Requesting Participant will dispose of the information using methods prescribed by the Requested Participant or if no such methods have been prescribed, by other secure methods, as soon as practicable after the information is no longer required.

8. Costs

   Unless otherwise decided by the Participants, the Requested Participant will pay all costs of executing the Request. When the cost of providing or obtaining information under this Memorandum is substantial, the Requested Participant may ask the Requesting Participant to pay those costs as a condition of proceeding with the Request. In such an event, the Participants will consult on the issue at the request of either Participant.

9. Duration of Cooperation
   1. This Memorandum takes effect on the date it is signed. The Participants intend to review the operation of this memorandum periodically and at a time that is mutually decided by both participants.
   2. Assistance following this Memorandum will be available concerning Covered Privacy Contraventions occurring before as well as after this Memorandum is signed.
   3. This Memorandum may be terminated on 30 days written notice by either Participant. However, prior to providing such notice, each Participant will use best efforts to consult with the other Participant.
   4. On termination of this Memorandum, the Participants will, in accordance with Section V, maintain the confidentiality of any information communicated to them by the other Participant in accordance with this Memorandum, and return or destroy, in accordance with the provisions of Section VII, information obtained from the other Participant in accordance with this Memorandum.
10. Legal Effect

    Nothing in this Memorandum is intended to:

    1. Create binding obligations, or affect existing obligations under international law, or create obligations under the laws of the Participants’ countries.
    2. Prevent a Participant from seeking assistance from or providing assistance to the other Participant pursuant to other agreements, treaties, arrangements, or practices.
    3. Affect any right of a Participant to seek information on a lawful basis from a Person located in the territory of the other Participant’s country, nor is it intended to preclude any such Person from voluntarily providing legally obtained information to a Participant.
    4. Create obligations or expectations of cooperation that would exceed a Participant’s jurisdiction.

Signed in English