The National Information Technology Development Agency (NITDA) has launched an investigation into alleged gross of privacy violation by Truecaller services.
The investigation was instigated by the discovery that Truecaller’s privacy policy is not in compliance with global laws on data protection and that of the Nigerian Data Protection Regulation (NDPR).
It was also discovered that about 7 million Nigerians who use the services know little or nothing about privacy rights. And according to NITDA, they need to be educated.
Tekedia Mini-MBA edition 14 (June 3 – Sept 2, 2024) begins registrations; get massive discounts with early registration here.
Tekedia AI in Business Masterclass opens registrations here.
Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.
The report of the findings notes that Truecaller privacy policy is made of two sets, one for those in the European Economic Area (EEA), and the other outside the EEA. Nigeria is said to fall under the latter category. Furthermore, every Nigerian user is contracting Truecaller India. The findings gathered that there has been breach of NDPR’s policy, that is different from EEA.
Article 1.1 of Truecallers’ privacy policy was quoted as an example. It states that Truecaller may supplement the information provided by you with the information from third parties and add it to the information provided by you.
The NITDA explained that it contravenes Article 2.1 (b) of the NDPR which requires data collection and processing to be accurate, and Article 1.3 (iii) which requires that valid consent must be specific. So by supplementing the personal information of Nigerians without specific consent and accuracy, they are susceptible to serious invasion of their privacy.
Another example quoted by NITDA is Article 1.2 of Truecaller’ policy, which states that when you install and use the services, Truecaller will collect personal information from you and any devices you may use in your interaction with our services.
The personal information may involve every data of your online activity. From IP address to device ID, to websites you have visited, to your outgoing calls and messages.
The probe finds these data collections to be excessive and invasive of personal data. It is also contrary to Article 2.3 (2)d of the NDPR, which states that when assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract, including the provision of a service, is conditional to one’s consent to the processing of personal data that is not necessary or excessive for the performance of that contract.
Another issue of concern noted in Truecallers’ privacy policy is the sharing of personal information with third party. The NITDA noted that it is global best practice for users to be reminded that there is data collection technique (like cookies) on the platform. Giving the user the opportunity to choose whether to use the webpage or not. That was also flouted by Truecaller as there are no such prompts or queries in their web platform.
The data information Agency expressed their disappointment over the highlighted issues, noting that it has exposed many Nigerians to identity theft. And many have been framed over issues they know nothing about. The Director General of NITDA, and the Chief Information Officer of Nigeria, Kashifu Abdullahi Inuwa, thus promised Nigerians that the Agency will act to protect their privacy and will continue to monitor the activities of digital service providers in Nigeria, to ensure ethical behavior.