Both NITDA and the Attorney General must comply with NDPR and other laws and failure to ensure this in making the whitelist of countries further to the Data Protection Implementation Framework and the Binding Corporate Rules and Standard Contractual Clauses renders them null and void.