The Nigeria Communications Commission (NCC) recently directed telecommunication operators (otherwise referred to as telcos) to commence the monitoring of calls and other communication services passing through their networks. The commission also mentioned that telcos who do not comply with this directive will incur a fine of 5 million naira and additional 500,000 naira until compliance. This directive was introduced to curb insecurity and kidnapping incidents within the country.
This is no doubt a positive step undertaken by the commission to address insecurity challenges within the country. However, I would have expected that the commission worked with its sister organisation, the Nigeria Information Technology Development Agency (NITDA), before publicly releasing such a directive.
The Nigeria data protection regulation 2019 defines personal data as any information that can identify a natural person. It specifically mentions that IMEI number, IMSI, SIM etc. as examples of personal data identifier. It also mentions that collection of data can be regarded as processing of personal data.
Furthermore, the Nigeria data protection regulation 2019, section 2.1a (i), clearly states that, ‘personal data shall be collected and processed in accordance with specific legitimate and lawful purpose consented to by the data subject, provided that further processing may be done only for archiving processes in the public interest.’ Section 2.1c states that the data can only be stored for the period within which it is reasonable needed. Section 2.3 specifically mentions and defines that consent ought to be sought from the data subject and how such consent should be obtained.
In line with NCC’s directive, storing of the personal data of the data subject without their consent amounts to a violation of their privacy rights. The directives also did not clearly state the storage period for the collection of such personal data.
Section 2.2 of the Nigeria data protection regulation 2019, no doubt shows that lawful processing may apply in this case, as processing is needed for compliance with a legal obligation to which the controller (telcos) is subject.
Section 2.10 defines penalty for default, where telcos could be subjected to a fine of 2% or 1% of their annual gross revenues from the preceding years, depending on the number of data subjects they are dealing with. This penalty definitely outweighs the fine to be imposed by the NCC, if telcos do not comply with the privacy directive. A comparison of NCC’s fine with the privacy fine shows that telcos would be more compelled to obey the Nigeria data protection regulations. It also put telcos in a difficult and tricky situation where they may have to choose which of the regulations to comply with.
I would advise telcos and the commission to read through this directive, in detail, to understand areas where the NCC’s directive may result in a violation of the privacy rights, as defined by the Nigeria data protection regulation 2019.
Another major concern of this directive is the use of the stored personal data. NCC clearly states that telcos would be responsible for the purchase of equipment needed to store these personal data. Would this not incentivise telcos to process these personal data and perhaps sell such data to marketing or advertising companies? Furthermore, can the personal data be politicized by the Government to intimidate private citizens? These and more questions require pondering.
Clearly, the directive shows that the commission has not communicated their intentions with the sister agency (NITDA). While the intention of the commission is noble, the commission however needs to sit and deliberate with NITDA, to avoid a violation of the privacy of Nigerians as well as avoid confusion to data controllers (such as telcos) on which directive to comply with.