The Regulatory-Command Asymmetry
Nigeria’s Data Sovereignty Instruments and the US CLOUD Act
The urgency of reconciling the territorial limits of sovereign jurisdiction with the deterritorialised movement of data is a question of data sovereignty. Within Africa, this question is ambitiously addressed by Nigeria’s package of regulatory frameworks, which combines a comprehensive data protection statute, detailed implementation regulations, a draft Digital Sovereignty Bill, and a national AI policy—a combination without a clear analogue elsewhere on the continent. Yet, political will and robust regulatory drafting are not sufficient to guarantee data sovereignty. The case of Nigeria illustrates why. Nigeria’s data-regulation architecture, however well-drafted, operates within what this post terms a regulatory-command asymmetry: a structural gap between lawful assertion of prescriptive jurisdiction and the capacity to enforce it, produced by the interaction of Nigerian regulatory instruments with the extraterritorial reach of another state’s public law over the same corporate entity. The gap is not doctrinal. It is a function of the infrastructural, economic, and diplomatic leverage that conditions the exercise of effective jurisdiction—leverage which Nigeria, and the wider continent, presently lack in relation to the corporate parents that hold the data.
The discussion in this blogpost demonstrates how the operative instrument of extraterritorial jurisdiction asserted by the United States—the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) 2018—produces the regulatory-command asymmetry that structurally overrides Nigerian prescriptive jurisdiction, and then offers recommendations for rectifying it.
The Architecture and the Instrument
Nigeria’s data sovereignty architecture is ambitious. Signed on 12 June 2023, the Nigeria Data Protection Act 2023 (NDPA) establishes extraterritorial application in section 2(2), applying to any data controller or processor handling the personal data of Nigerian subjects, regardless of location. To regulate data flows, section 41 restricts cross-border transfer of personal data, conditioning it under sections 41(1) and 42 on the recipient providing an adequate level of protection that is substantially similar to the NDPA. Alternatively, section 43 permits cross-border transfers under six specific exceptions known under the NDPA as derogations. Finally, the Act creates the Nigeria Data Protection Commission (NDPC) as the primary regulator. The General Application and Implementation Directive (GAID) 2025 operationalises the NDPA with detailed compliance obligations, such as the requirements, per art. 7, for data controllers and processors to register with the NDPC and to file NDP Act Compliance Audit Returns with the same NDPC, not later than the 31st of March every year. The draft Nigeria Digital Sovereignty and Fair Data Compensation Bill 2025 and the draft National AI Commission Bill 2025—both illustrations of political momentum for digital sovereignty—are currently in active legislative development. This is among the most comprehensive digital-sovereignty packages in Africa. These frameworks, however, have not secured effective data sovereignty and, given the structural subordination of territorial jurisdiction to external legal commands, are unlikely to do so. Effective data sovereignty necessitates the actual operational—not just legal—capacity of a state to determine the conditions under which data generated by, about, or held in respect of its residents and territory can be accessed, processed, or transferred.
The reason for the lack of effective data sovereignty is section 2713 of Title 18 of the US Code. Added by the CLOUD Act, it compels providers subject to US jurisdiction to preserve, back up, and disclose the contents of wire or electronic communications and other records within the provider’s possession, custody, or control, regardless of whether the data is located inside or outside the United States. The statute operates on the corporate parent and reaches any data the parent controls, including data held by Nigerian subsidiaries and on infrastructure located in Lagos or elsewhere. Section 2523 authorises executive agreements creating reciprocal direct-access channels with qualifying foreign governments. Presently, only the United Kingdom and Australia qualify and have entered into such agreements.
The NDPA and the CLOUD Act therefore constitute competing assertions of jurisdiction over the same data — personal data of Nigerian residents held by US-parented providers — with incompatible commands. The NDPA regulates the same entity that is subject to the CLOUD Act’s command. This is the regulatory-command asymmetry: a familiar tension between jurisdiction to prescribe and jurisdiction to enforce, but one that is produced here not through inter-state conflict of laws in the classical sense but through the corporate form itself. The attempt to treat this asymmetry simply as a conflict-of-laws issue presupposes a symmetric relationship between states and an adjudicable disputation that is not obtainable in the specific instance. First, the jurisdictional conflict is asymmetric: the US command reaches the corporate parent regardless of what Nigeria commands the local subsidiary, and Nigeria has no symmetrical capacity to reach a US parent if it disagreed. Second, this asymmetry is not a feature of any disputation, characteristic of conflict-of-laws analyses, but rather a consequence of how the corporate form and US extraterritorial jurisdiction constitute the architecture in which Nigeria’s data sovereignty is foreclosed. Put differently, the conflict is adjudicated before a conflict-of-law analysis. Contrarily, a Yale ISP white paper on this issue, which focused on the conflict-of-laws register, engaged with the Global South in passing. Moreover, the same paper accepted that “the primary reason for the failure to resolve the internet jurisdictional puzzle to date lies in the compartmentalization of the discourse” but failed to engage a political-economy lens.
By converting structural questions into technical-juridical questions of choice-of-law, choice-of-remedy, choice-of-jurisdiction, comity analysis etc., the choice-of-law analysis presupposes an adjudicable issue that, as we will see below, is decided not by “what is the choice-of-law” but rather “if we are compelled, we hand over the data.”
Regulatory-Command Asymmetry
The asymmetry is not theoretical. On 10 June 2025, Anton Carniaux, legal director of Microsoft France, appeared before the French Senate inquiry commission. Asked under oath whether Microsoft France could guarantee French customer data against the reach of US authority, Carniaux replied: “If we are compelled, we hand over the data.”
This admission demonstrates a structural issue. It names the mechanism this post calls the regulatory-command asymmetry, i.e. the structural subordination of host-state civil regulation to home-state criminal investigation commands over the same corporate entity. Several features produce this outcome.
- Addressee mismatch. Host-state regulation binds the local subsidiary (e.g. Microsoft Nigeria Ltd). Home-state command binds the corporate parent (Microsoft Corporation). These are distinct legal persons. A Nigerian sanction of Microsoft Nigeria does not reach, nor prevent, Microsoft Corporation’s § 2713 obligation. The asymmetry here reflects a deficit of political leverage: although section 2 of the NDPA is directed at the foreign parent company, enforcement in practice is politically costly, aside from the bureaucratic and judicial obstacles to enforcing against a foreign parent (as evidenced by the Federal Competition and Consumer Protection Commission’s $220 million fine against Meta/WhatsApp, which remains unpaid). Robust enforcement might also expose Nigeria to designation under the USTR Special 301 report, a diplomatic and economic tool used to pressure foreign governments to remove barriers targeting US companies, potentially through withdrawing trade preferences or escalating to formal trade disputes.
- Control-doctrine mismatch. Under the CLOUD Act, Microsoft Corporation has ‘control’ of data held by its subsidiaries for the purposes of § 2713. The parent can produce the subsidiary’s data regardless of the subsidiary’s resistance. The asymmetry here flows from infrastructural and economic power.
- Sanction-severity and market-power mismatch. Nigerian enforcement of the NDPA operates principally through civil penalties. Under section 48(4), penalties may reach up to 2 percent of annual gross revenue for data controllers of major importance. If a provider refuses to disclose data as required by § 2713 of the CLOUD Act, the courts can enforce the obligation through contempt of court under 18 U.S.C. § 401. Rational corporate decision-making selects the lesser sanction; thus, criminal compulsion with the prospect of deprivation of liberty outranks civil fines. More crucially, a US corporation that pushes against US authority risks losing government contracts, regulatory goodwill, technology export licenses, capital-market access, and the ecosystem that sustains its corporate agenda, whereas a Nigerian fine is only a tactical rather than existential cost.
- Instrument mismatch. Nigerian digital-sovereignty engagement with US hyperscalers is conducted principally through MoUs and MoU-equivalent arrangements that are not published, not ratified, and not legally enforceable in ways that could override US public-law compulsion on the hyperscaler’s parent. This stands in contrast to the government-to-government executive agreements under the CLOUD Act, which create a procedural mechanism for foreign qualifying governments to assert their interests in cross-border data disputes—a mechanism unavailable to countries like Nigeria not party to such an agreement.
The asymmetry is therefore not a drafting defect in the NDPA. Pending legislative interventions requiring data localisation will prove no more useful. The deeper implication — which the European Union has confronted — is that Article 48 GDPR, which restricts the transferral of data upon a court order under certain conditions, could not prevent the Carniaux admission. Nigerian drafting will not do better than the GDPR by legislating harder.
A second dimension compounds the first. The CLOUD Act’s § 2703(h) provides a statutory comity framework but only for customers of providers in qualifying countries under § 2523. Non-qualifying states, including Nigeria and effectively all of Africa, are left with residual common-law comity analysis. Common-law comity tends to favour US interests since it is discretionary, provider-initiated, depends on the forum court’s initiative, and is ultimately applied in a way that prioritises domestic interests. Nigerian data subjects are thus doctrinally excluded from the procedural protections that US law extends to customers in qualifying countries: qualifying countries receive reciprocal access and statutory comity; non-qualifying countries receive neither.
The Path Forward?
First, the path forward begins with the recognition that ambitious data-localisation laws and genuine expressions of data sovereignty cannot, on their own, renegotiate the structural asymmetry between Nigeria and US hyperscalers.
Second, architectural measures. For designated categories of sensitive Nigerian data — National Identification Numbers, Bank Verification Numbers, health-registry data, financial KYC data, and government communications — the NDPC should require processing on infrastructure outside the § 2713 ‘possession, custody, or control’ chain. This would require a national cloud solution.
Third, collective action. Nigeria’s leverage deficits are individual; collective action reduces them. The AfCFTA Protocol on Digital Trade provides the continental instrument which commits AU member states to permitting cross-border data transfers subject to legitimate public policy restrictions, requires member states to adopt personal data protection frameworks, and commits them to cooperation on data governance. Nigeria should advocate for an annex, parallel to Article 48 GDPR, requiring that production of African-held personal data to non-African governments be channelled through mutual legal assistance treaties or an African Union framework instrument. A continental blocking norm is materially harder for the United States to punish bilaterally than a Nigerian one.
Conclusion
The regulatory-command asymmetry raises questions that go beyond Nigeria and beyond the NDPA. The classical architecture of international law assumes that the extraterritorial reach of one state’s laws is contested, where it is contested at all, in the forum of inter-state relations: through the Lotus reservation, through comity analysis, through mutual legal assistance, and ultimately through the sovereign equality of states expressed in Article 2(1) of the UN Charter. The CLOUD Act operates in a different register. It does not assert jurisdiction over Nigerian territory; it asserts jurisdiction over a corporate parent whose subsidiaries happen to hold data generated on Nigerian territory. The conflict is displaced from the inter-state plane to the corporate-structural plane, and the tools classical international law has developed for the former do not reach the latter.
For states outside the § 2523 club — basically every state on the African continent — the consequence is that jurisdiction to prescribe and jurisdiction to enforce come apart in a manner that sovereignty instruments cannot, by themselves, close. Nigeria’s prescriptive reach under section 2(2) NDPA is lawful and uncontroversial as a matter of principles of international law, such as territoriality and active personality. Its enforcement reach against Microsoft Corporation, Alphabet, or Amazon is not a legal question at all. It is a question of political economy, of infrastructure, and of the asymmetric costs of assertion. Recognising this is the precondition for any serious response.
Samuel W. Ugwumba is a senior visiting scholar at the Max Planck Institute for Innovation and Competition and an academic fellow at the Católica Global School of Law.