DATA & PRIVACY LAWS IN NIGERIA Part 2

data-privacy-laws-in-nigeria

Section 37 of the Nigerian Constitution (1999) provides that; “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”[1]. Unfortunately, there is currently not one comprehensive data privacy or personal information protection law in Nigeria that sets out detailed provisions on the protection of the privacy of individuals and citizens. This calls for the passing of a law dealing specifically with issues of data privacy and the protection of the Nigerian citizen’s private information and details of such required law have been made to the Nigerian legislature.

Given current technological trends the world over, and such that has been adapted within Nigeria, it is clear that Section 37 of the Nigerian Constitution as a stand-alone right without strict rules of engagement on how these rights can be protected and exercised is no longer enough protection for citizens.

This is the second installment in a 3-part article that will deal with this topic exhaustively. (See Part 1 here)

PART II

  1. The Nigerian Telecommunications Commission RTS Regulation 2011: The Nigerian Telecommunications Commission is the Nigerian telecommunications sector regulator, charged with oversight functions on the industry. In line with this duty, it issued the Registration of Telephone Subscribers Regulation (RTS Regulation) in 2011. The regulation attempts some protection of the data collected, collated, retained and managed by telecommunication companies operating in Nigeria and independent registration agents in view of their obligations to collate and retain data of subscribers under the Regulation.

 

As such, Section 11 of the RTS Regulation 2011 titled “Data Protection” states as follows:“(1) in furtherance of the rights guaranteed by virtue of section 37 of the Constitution of the Federal Republic of Nigeria 1999 and subject to any reasonable guidelines, terms and conditions that may from time to time be issued by either the Commission or License, any Subscriber whose Personal Information is stored in the Central Database, shall be entitled to view the said information and to request updates and amendments thereto[5]. (2)

The Subscriber information contained in the Central Database shall be held on a strictly confidential basis and no persons or entities shall be allowed access to any Subscriber information in the Central Database, except as provided in paragraph 1 above and in paragraph 5 of section 10 of these regulations or by any Act of the National Assembly[6].

[pullquote align=left]
Licensees, Independent Registration Agents, and Subscriber Registration Solution Providers shall not under any circumstance, retain, deal in or make copies of any Subscriber Information or store in whatever form any copies of the Subscriber Information for any purpose other than as stipulated in these Regulations or an Act of the National Assembly.
[/pullquote]

Section 11(4) of the Regulation, states that Licensees shall utilize Personal Information pursuant to the regulations, solely for their operations and in accordance with the provisions of Part V of the General Consumer code Practice for Telecommunications Services and any other instruments of the Commission or any Act of the National Assembly issued from time to time to regulate the specific purposes for which the Personal Information may be used[7], while Section 11(7) provides a blanket rule that the subscribers’ information shall not be transferred outside the Federal Republic of Nigeria much unlike under the NITDA guidelines. The General Consumer code Practice for Telecommunications Services referred to above in the RTS Regulation 2011 also set out certain data protection mechanism for consumers of telecommunication services in Nigeria.

Specifically, Section 35 of the General Consumer Code Practice for Telecommunications Services which provides that a Licensee may collect and maintain information on individual consumers reasonably required for its business purposes. However, such collection and maintenance of information on individual Consumers shall be

  • Fairly and lawfully collected and processed;
  • Processed for limited and identified purposes;
  • Relevant and not excessive;
  • Accurate;
  • Not kept longer than necessary;
  • Processed in accordance with the Consumer’s other rights;
  • Protected against improper or accidental disclosure; and
  • Not transferred to any party except as permitted by any terms and conditions agreed with the Consumer, as permitted by any permission or approval of the Commission, or as otherwise permitted or required by other applicable laws or regulations.

 

A Licensee is required under Section 35 (2) of the code to meet generally accepted fair information principles including;

  • Providing notice as to that individual Consumer Information they collect and its use or disclosure;
  • The Choices Consumers have with regard to the collection, use and, disclosure of that information;
  • The access Consumers have to that information, including to ensure its accuracy; and
  • The security measures taken to protect the information and the enforcement and redress mechanisms that are in place to remedy any failure to observe these measures.

 

Please note that these rules apply to individual Consumer information whether initially provided verbally or in written form, so long as that information is retained by the Licensee in any recorded form [1].

It is unfortunate to note that failure of Licensees, Independent Registration Agents or any such other entities to comply with the data protection provisions of the Regulation are only treated as a breach of the regulations. The penalty for non-compliance is a fine which could range from N200, 000 – N1, 000,000 and perhaps forfeiture of the commercial benefit derived from the unauthorized use of such Subscriber Information. [pullquote]
The Regulations do not treat such breach of the data protection measures as a violation of the individual subscriber’s right to privacy, which is actionable at the instance of the affected Subscriber. Undoubtedly, this diminishes the potency of the data protection provision of the RTS regulation 2011 and renders it nugatory.
[/pullquote]

In the same vein, the provisions of the Consumer Codes can only be enforced in accordance with the “Administrative Fines” set out in Chapter IV of the Nigerian Communications’ (Enforcement Process) Regulation 2005. The administrative fine against such an erring Licensee is a paltry sum of N500,000 and a further sum of N500,000 per day after the expiration of the notice for as long as the contravention persists.
The above positions reflect the neglect shown towards Data Privacy and Personal Information regulation in Nigeria. An ideal data protection law should be created that guarantees the right of citizens to seek adequate redress in Court for any breach occasioned by an act or omission of operators in the sector, including the Commission itself.

PLEASE NOTE: This article is for general information only. It is not offered as advice, on any particular matter, whether legal, procedural or otherwise. We’d love to read your comments in the section below, you could also send us an email via the contact page.

 

REFERENCES

[1] Constitution of the Federal Republic of Nigeria (Promulgation) Act, Chapter C23, Laws of the Federation of Nigeria 2004 (as amended)

[2] Section 1.6 NITDA Guideline, Version 3.1, September 2013

[3] Section 2.1 NITDA Guidelines, Version 3.1, September 2013

[4] Section 2.1(4) NITDA Guidelines, Version 3.1, September 2013

[5] Note Similarity with Sections 17 & 18 of the POPI Act

[6] Note Similarity with Sections 19(1) of the POPI Act

You may also like

Leave a Reply

Your email address will not be published. Required fields are marked *