New NCC Directive Will Push Telcos to Violate Nigeria Data Protection Regulation

New NCC Directive Will Push Telcos to Violate Nigeria Data Protection Regulation

The Nigeria Communications Commission (NCC) recently directed telecommunication operators (otherwise referred to as telcos) to commence the monitoring of calls and other communication services passing through their networks. The commission also mentioned that telcos who do not comply with this directive will incur a fine of 5 million naira and additional 500,000 naira until compliance. This directive was introduced to curb insecurity and kidnapping incidents within the country.

This is no doubt a positive step undertaken by the commission to address insecurity challenges within the country. However, I would have expected that the commission worked with its sister organisation, the Nigeria Information Technology Development Agency (NITDA), before publicly releasing such a directive.

The Nigeria data protection regulation 2019 defines personal data as any information that can identify a natural person. It specifically mentions that IMEI number, IMSI, SIM etc. as examples of personal data identifier. It also mentions that collection of data can be regarded as processing of personal data.

Furthermore, the Nigeria data protection regulation 2019, section 2.1a (i), clearly states that, ‘personal data shall be collected and processed in accordance with specific legitimate and lawful purpose consented to by the data subject, provided that further processing may be done only for archiving processes in the public interest.’ Section 2.1c states that the data can only be stored for the period within which it is reasonable needed. Section 2.3 specifically mentions and defines that consent ought to be sought from the data subject and how such consent should be obtained.

In line with NCC’s directive, storing of the personal data of the data subject without their consent amounts to a violation of their privacy rights. The directives also did not clearly state the storage period for the collection of such personal data.

Section 2.2 of the Nigeria data protection regulation 2019, no doubt shows that lawful processing may apply in this case, as processing is needed for compliance with a legal obligation to which the controller (telcos) is subject.

Section 2.10 defines penalty for default, where telcos could be subjected to a fine of 2% or 1% of their annual gross revenues from the preceding years, depending on the number of data subjects they are dealing with. This penalty definitely outweighs the fine to be imposed by the NCC, if telcos do not comply with the privacy directive. A comparison of NCC’s fine with the privacy fine shows that telcos would be more compelled to obey the Nigeria data protection regulations. It also put telcos in a difficult and tricky situation where they may have to choose which of the regulations to comply with.

I would advise telcos and the commission to read through this directive, in detail, to understand areas where the NCC’s directive may result in a violation of the privacy rights, as defined by the Nigeria data protection regulation 2019.

Another major concern of this directive is the use of the stored personal data. NCC clearly states that telcos would be responsible for the purchase of equipment needed to store these personal data. Would this not incentivise telcos to process these personal data and perhaps sell such data to marketing or advertising companies? Furthermore, can the personal data be politicized by the Government to intimidate private citizens? These and more questions require pondering.

Clearly, the directive shows that the commission has not communicated their intentions with the sister agency (NITDA). While the intention of the commission is noble, the commission however needs to sit and deliberate with NITDA, to avoid a violation of the privacy of Nigerians as well as avoid confusion to data controllers (such as telcos) on which directive to comply with.

Advertisements

Share this post

2 thoughts on “New NCC Directive Will Push Telcos to Violate Nigeria Data Protection Regulation

  1. When you have two contrasting regulations, they end up cancelling each other out, the outcome? No action!

    Again, you don’t use a bulldozer to kill an ant, to think that it’s reasonable to monitor every citizen’s call, just to track the bad guys is ridiculous; it’s impossible not to abuse it.

    Even asking the telcos to do so themselves is another joke, that’s abdication of responsibility on the part of government.

    The whole proposition is terrible and ridiculous, so nothing to say here.

    Reply
  2. Great article Yinka. I made some points when I shared your article on twitter some minutes ago. The privacy violations concerns are legitimate. However, NITDA’s NDPR has its own issue which has a direct implication for collaboration amongst agencies. If these issues are left unattended, then the NDPR may end up as that toothless bulldog that can bark but can not bite.

    Reply

Leave a Reply