There is no doubt that the huge amount of data generated through the electronic systems in the ICT and Telecoms sectors (including the financial sector) creates several unique problems such as storage loss, identity theft, web attacks, unlawful and unauthorized use of personal information, etc. However, the key question is whether there are adequate legal safeguards and an adequate framework to protect customers from unauthorized use of personal information, loss of information or fraudulent use of the same. Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of companies to use data for the purposes of their business.
Regrettably, Nigeria does not have a specific or comprehensive data protection law comparable to those of other countries like South Africa, India, the United Kingdom, Canada, and the United States of America, despite the repeated calls by industry stakeholders for its enactment.
Indeed, the only legislation that provides for the protection of the privacy of Nigerian citizens in general terms is the Constitution of the Federal Republic of Nigeria (as amended). Section 37 of the Constitution provides that: "The privacy of citizens, their houses, correspondence, telephone conversations and telegraphic communication is hereby guaranteed and protected".
Other than this constitutional provision (which in itself is insufficient in terms of details and framework), there is no other legislation that sets out detailed provisions on the protection of privacy in Nigeria.
There are, however, some industry-specific legislation and/or regulations of general application that deal with some aspects of data protection. One such industry-specific regulation is the Consumer Code of Practice Regulations 2007 issued by the Nigerian Communications Commission (NCC). The Regulations provide that all licensees (i.e. the telecoms operators) must take reasonable steps to protect customers' information against "improper or accidental disclosure" and must ensure that such information is securely stored. They also provide that customers' information must "not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations".
In order to protect the data of subscribers of telephone services in Nigeria, the NCC revised and amended the SIM Card Registration Regulation 2010. The amended regulation was cited as "Regulation of Telephone Subscribers Regulation (RTS Regulation) 2011". It represented a wider perspective and afforded some protection of the data collected, collated, retained and managed by the telecommunication companies and independent agents in respect of their obligations to collate and retain data of subscribers under the Regulations.
In 2013, the National Information Technology Development Agency (NITDA) published Draft Guidelines on Data Protection (the Guidelines). The Guidelines were the first attempt in Nigeria at establishing a data protection framework of general application. However, since their publication, there has been no indication that the Guidelines have been fully adopted. It is interesting to note that a cursory look at the draft guidelines shows that they are no more than what they claim to be, "draft guidelines", with little or nothing to show legislative authority or thoughtfulness.
Another attempt to fill the vacuum was the passage of the Electronic Transaction Bill in 2015 by the 7th National Assembly, which, though it contains data protection provisions of general application, falls far short of acceptable minimum standards and does not offer comprehensive data protection when compared with the United Kingdom Data Protection Act, 1998 (DPA) and the Protection of Personal Information Act (POPI) enacted by the Republic of South Africa in 2013.
The relevance of robust data protection legislation should not be underestimated. It would bring about transparency and accountability in the way and manner the industry operators deal with individuals' sensitive data. Thus it would introduce basic rules of registration for users of data and a right of access to that data for the individuals to whom it relates. Furthermore, it would introduce uniformity and certainty in the country's data protection regime; and this has the tendency of making Nigeria a preferred investment destination in ICT. Interestingly, it would make industry operators exercise reasonable care when dealing with subscribers' data stored in their databases and also ensure they comply at all times with the international minimum data protection standards.
In addition, the absence of a uniform/standard data protection framework may create some level of uncertainty in the procedure required to be followed before a customer's data can be accessed by a third party (individuals or relevant government institutions, or even foreign institutions). This is particularly so in view of the recent issues surrounding the grant of access rights without the consent of the customer. However, where a definite procedure is provided under the law and reflected in the agreements between service providers and their customers/other service providers, it becomes easy to either avoid the liability that may arise in such circumstances or properly apportion the risk or liability.
Finally, in light of the recent revolution in Nigeria's ICT Sector, the time is now for Nigeria to have a single and robust Data Protection legislation so as to foster investors' confidence in the industry. It is hoped that the policy makers and industry operators would identify this need and work in concert to propose a brand new Draft Bill on Data Protection to the National Assembly.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.