Nigeria: Data Commoditisation In Nigeria: Legal Considerations For Creating A Viable Market For Big Data Transactions

Introduction

Dubbed the new oil, consumer data drives global digital economy with new business models developed to leverage data analytics for target marketing. This has resulted in exponential growth for big tech companies, reflected in their market capitalisation or valuations.¹

According to the Nigerian Communications Commission (NCC), internet penetration (as at August 2018) was 105 million with more than 20.5 million Nigerians using smart phones.² This has created a deluge of data for technology companies (TechCos) and other digital service providers which are mined and sold to advertisers with nil or minimal direct value attributable to either the government or data subjects (DSs). Hence, the clamour for data privacy regulations on one hand and data residency on the other. This has been argued to have the potential to grant data sovereignty to countries where such data emanates.

Notwithstanding, some have argued that connectivity and access granted to users by TechCos are adequate compensation, as users in most cases are not billed to use these platforms. Also, the data analytics related income could help to 'subsidise' airtime and data tariff costs for subscribers. In addition, these data are 'unusable' until insights are derived from them by TechCos. Government is already earning so much from the ICT industry vide Value Added Tax (VAT), companies' income and personal income taxes, NITDA Levy (1%),³ Annual Operating Levy (2.5%),⁴ etc; it does not make sense to kill the goose that lays the golden eggs.

Without disparaging these lines of thought, there could be a counter argument that governments should not be denied adequate value from revenues created from their residents as these are needed to fund critical infrastructure used by DSs to access internet platforms. Given the Federal Government (FG)'s perennial need to source funds for the country's annual budget, it might be prescient to continue to consider innovative funding options, to avoid budget deficits, whilst also diversifying revenue sources away from petroleum related income. Even the much touted Voluntary Assets and Income Declaration Scheme (VAIDS) realised a paltry N30 billion as opposed to the projected N360 billion - less than 10% of the projected sum.⁵

Creating a viable big data market could contribute to shoring up Nigeria's revenue, given the potential layers of value chain which could invariably lead to increase VAT remittance (for both in and out-country data transactions) and Companies Income Tax (CIT) from operators in the market.

Although, the FG controls huge amount of data through its online and offline data capture of residents in Nigeria, it is arguable whether the FG should only play a regulatory role and not delve into the market as a player in the big data space. The major obstacle to such approach would be moral hazard arising from ethical conflict of interest issues. Governments can only leverage the data for regulatory, administrative, service provision and national security reasons, etc. having already charged fees in appropriate cases for the primary purpose (e.g. issuance of driver's license/international passport) for which it obtained citizens' data. It is also possible that the enabling legislation may restrict the use to which such public data could be deployed. For instance in the US, public health records collected by the National Centre for Health Statistics (NCHS) may only be used for the purpose for which they were obtained.⁶

This article seeks to look at ways the FG can create value by regulating data commoditization through Data Exchange (DataEx) Market similar to the Nigerian Stock Exchange (NSE) albeit virtual where resident's data are transacted and attendant tax liabilities are imposed on such transactions.

Data Residency: Essential for Data Commoditisation?

Data residency, or data localisation, is the legal requirement that data about a country's citizens or residents collected, processed or emanating from a particular territory are warehoused within its jurisdiction with strict conditions as to privacy, breach notification, consent, etc. for export. This is usually done by countries for national security reasons. Countries such as Australia (health records), China (personal, business and financial data), South Korea (geospatial and map data), Russia (all personal data), Germany (telecommunications metadata), etc. have various data residency laws to protect their residents.⁷ Also, India recently proposed to have all data from cloud computing services resident in-country.⁸

In Nigeria, there is no general requirement for residents' data to be localised in-country. However, Para 14.2(3) Guidelines for Nigerian Content Development in Information and Communication Technology (ICT) (ICT Local Content Guidelines) requires that government Ministries, Departments and Agencies (MDAs) shall "ensure that all government data is hosted inside the country within 18 months from the publication of the guidelines." In effect, only government data is required to be localised. Although the ICT Local Content Guidelines did not define what constitutes government data, it could be presumed to mean all data emanating from government's activities including data collected by government MDAs for National Identity Card, driver's license, international passport, etc. purposes.

It is noteworthy that Paragraph 12, Data Protection Guidelines (DPG), 2017 made pursuant to section 6, National Information Technology Development Agency (NITDA) Act,⁹ grants data controllers the rights to transfer data outside Nigeria provided they ensure that: "the receiving country has Data Protection Guidelines or legislations; it forms part of the fulfilment of a contract or a contract with clear terms on protection of personal data between the Data Controller and the receiving Organization; the consent of the Data Subject to that effect was obtained." Although the DPG was released in 2017, it is doubtful if it has become effective as it does not contain a commencement date: Para 2.0.

Whilst a school of thought argues that data should be treated as a commodity due to the inherent value derived by TechCos from data analytics, another school believes that it is difficult to classify data (not being a 'real' or tangible product), as such.¹⁰ Considering the value created during data transactions, governments could leverage same in a bid to regulate and impose necessary tax obligations.

For instance, section 2 Value Added Tax (VAT) Act, Cap. V1 LFN 2004 provides that "... tax shall be charged and payable on the supply of all goods and services ... other than those goods and services listed in the First Schedule to this Act." Thus, VAT is chargeable on all billable data transactions in Nigeria. It was previously thought that cross-border data transactions could escape VAT,¹¹ but recent case law has put paid to such postulations.

This was the thrust of Vodacom Business Nigeria Limited v. Federal Inland Revenue Service (FIRS)¹² where the Federal High Court (FHC) held that contract for the supply of satellite network bandwidth capacities services (an intangible service) by a non-resident in Nigeria was subject to VAT pursuant to the Reverse Charge Mechanism. Thus, services are liable to tax in the place of supply which is the place where the supplied services are consumed. This was also the position in FIRS v. Gazprom Oil & Gas Nigeria Limited (Gazprom),¹³ wherein the FHC reiterated that resident entities are required by law to remit VAT on transactions with non-resident entities even where the non-resident entity failed to issue VAT invoice.

Although, it is arguable whether Nigerian tax law recognises the application on the Reverse Charge Mechanism, these judicial decisions in line with the principle of stare decisis remains the position of the law until they are set aside. Can it be said that data residency is essential for data commoditisation? To answer this question, it is important to consider the basis for data residency. As earlier stated, data residency laws are enacted to protect the privacy of DSs. More so, it creates data interchange standard which must be met before data is transferred to other jurisdictions. Essentially, this speaks to how government exerts control over how the data of its residents are processed within its jurisdiction.

It is however arguable whether data residency is essential for data commoditisation. This is premised on the fact that long before the move to have data localised in-country, data extracted by online platforms such as facebook, google, etc. had been commoditised. However, with the clamour for increased privacy compliance requirements evidenced with the new European Union General Data Protection Regulation (EU GDPR),¹⁴ data residency laws/regulation would protect DSs/residents.

Thus, for government to derive value from commoditisation of data by big TechCos, it is essential to strictly regulate data exchange through data residency laws. On the flip side, it could be argued that having strong data residency laws could stiffen innovation in the tech space such as cloud services. Nonetheless, it could increase investment in in-country data centres as opposed to other jurisdictions.

Big Data Exchange: Extracting Value from Data Commoditisation

Undoubtedly, data is big business and governments all over the world are making plans to tap into the value created by big data. One of such ways is the recognition of revenues generated by data processors/controllers under the European Commission (EC) Proposal for Council Directive (COM (2018) 148) which proposes to impose minimum tax on the revenue of such companies even though they do not engage in the sale of conventional 'goods and services.'

In Nigeria, there could be ways the FG can leverage the country's increasing digital penetration by creating the regulatory framework cum enabling business environment upon which a private sector driven DataEx Market could thrive. This could be similar to BDEX, a US based Data Exchange Platform (DXP) where Application Programming Interface (APIs) are used to enable data flow into the exchange and buyers can purchase the data using identifiers. The market would simply comprise data controllers and big data companies.

Under the operations/transactions layer, data is extracted by data owners which is then processed and sold at the common market (DataEx) to digital companies and advertisers. Para 4.1 (2)(w) DPG had defined data owner as "...the organisations or a hired third party in possession of any data collected by (sic) from a Data Subject either directly or indirectly." Although, it is arguable whether this definition does not seek to expropriate data by denying DSs' proprietary rights. It could provide a practical framework within which DataEx could be built.

Upon the creation of DataEx, the FG can thereafter monitor data transactions with a view to safeguarding national security interests. More so, it could impose tax obligations on those transactions to generate revenue to fund its budget.

Conclusion

Although this is an emerging area, given the value TechCos derive from big data transactions, it is prescient to have a system in place that ensures that the privacy of DSs are not breached. Furthermore, government needs to be focused on national security goals to avoid residents' data getting into the wrong hands; accordingly the necessity for data residency laws cannot be overemphasised. Apart from the national security angle, there is the commercial angle which involves deriving value from data transactions.

The creation of DataEx would ensure that the interest of both the DSs and governments are protected. Currently, there is no framework for creation of DataEx in Nigeria. Notwithstanding, NITDA could begin to consider a common framework to ensure that the interests of all stakeholders are protected.

Footnotes

1. According to YCharts (www.ycharts.com) on the US Stock Market as at 8th August, 2018, 'data' companies have impressive capitalisations: Apple - US$1.001 trillion, Alphabet (Google parent company) - US$873.47 billion, Microsoft - US$838.14 billion, and Facebook - US$535.38 billion.

2. Statista.com, 'Smartphone Users in Nigeria 2014 – 2019': (https://www.statista.com/statistics/467187/forecast-of-smartphone-users-in-nigeria/) accessed 5 September 2018

3. Section 12(2)(a) NITDA Act, Cap. N156, LFN 2004

4. Regulation 3, NCC Annual Operating Levy Regulations No. 93, 2014

5. Ndubuisi Francis, 'Proceed from VAIDS Hit N30billion', ThisDay June 6, 2018 (https://www.thisdaylive.com/index.php/2018/06/06/proceeds-from-vaids-hit-n30bn/) accessed 20 September, 2018

6. Section 308(d) United States Public Health Service Act (42 U.S.C. 242m)

7. A Chander and U. P Le, 'Data Nationalism', Emory Law Journal, Vol.6 Issue 3 pg. 677

8. Aditya Karla, 'Exclusive: India Panel Wants Localization of Cloud Storage Data in Possible Blow to Big Tech Firms', Reuters, August 4, 2018 (https://www.reuters.com/article/us-india-data-localisation-exclusive/exclusive-india-panel-wants-localization-of-cloud-storage-data-in-possible-blow-to-big-tech-firms-idUSKBN1KP08J?feedType=RSS&feedName=technologyNews) accessed 5 September 2018.

9. Cap. N156, LFN 2004

10. James Davies, 'The Most Important Question Today; Is Data a Commodity?', Telecoms.com 18 December, 2017 (http://telecoms.com/486808/the-most-important-question-today-is-data-a-commodity/) 7 September 2018

11. Where the data is being transferred outside Nigeria wherein it enjoys zero rated status, Part III, First Schedule VAT Act

12. (2018) 35 TLRN 1

13. Unreported Suit No: FHC/ABJ/TA/1/2015.

14. EU GDPR which was made on 14 April, 2016 became effective on May 25, 2018 and replaces European Commission Directive 95/46/EC

October 2018

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.