Privacy and data security
What is your jurisdiction’s regulatory stance on net neutrality?
The Nigerian Communications Act does not have any direct or specific provision on net neutrality or traffic management. However, the Nigerian Communications Commission (NCC) is engaging stakeholders with a view to establishing an Internet Code of Service. The NCC expects that the code will promote and safeguard an open internet.
Are there regulations or restrictions on encryption of communications?
There are no specific regulations or restrictions on the encryption of communications. However, adherence to international standards in relation to encryption and related matters is expected from operators.
Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?
Under the Consumer Code of Practice Regulations, the operator is required to retain records of a customer’s bill and related charges for a minimum period of 12 months. Information collected and recorded as part of the operator’s complaint handling process is also required to be retained for at least 12 months after the resolution of the complaint.
The Cybercrime (Prohibition, Prevention etc) Act 2015 requires service providers to keep all traffic data and subscriber information for a period of two years. On the request of a relevant authority or any law enforcement agency, a service provider is required to preserve, hold or retain:
- traffic data;
- subscriber information;
- non-content information; and
- content data.
What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?
The Cybercrime (Prohibition, Prevention etc) Act 2015 provides that where there is reasonable ground to suspect that the content of an electronic communication is required for the purposes of a criminal investigation, on the basis of an information on oath, a judge may order a service provider to intercept, collect, record, permit or assist with the collection or recording of content data and traffic data in relation to specified communications transmitted by means of a computer system.
Pursuant to the Nigerian Communications Act 2003, the NCC may determine whether an operator should implement the capability to allow for authorised interception of communications and it may specify the technical requirements for doing so.
Data security obligations
What are telecoms operators’ general data security obligations to consumers?
The draft Guidelines on Data Protection 2013 issued by the National Information and Technology Development Agency (NITDA) cover all organisations that process the personal data of Nigerian citizens inside and outside of Nigeria and prescribe minimum data protection requirements for the collection, storage, processing, management, operation and technical controls in relation to such information.
The draft NITDA guidelines provide that:
- personal data must be processed fairly and lawfully;
- personal data must only be used in accordance with the purposes for which it was collected;
- personal data must be adequate, relevant and not excessive;
- personal data must be accurate and where necessary kept up to date;
- personal data must be kept for no longer than is necessary;
- personal data must be processed in accordance with the rights of data subjects;
- appropriate technical and organisational measures must be established to protect the data; and
- personal data must not be transferred outside of Nigeria unless adequate provisions are in place for its protection.
The General Consumer Code issued by the NCC as a schedule to the Consumer Code of Practice Regulations 2007 recognises and restates the internationally accepted general principles on data protection and privacy and is largely similar to the provision of the draft NITDA guidelines. The code also provides detailed complaint submission and handling processes for the contravention of any of the provisions of the code.
The Registration of Telephone Subscribers Regulation 2011 was issued by the NCC to provide a regulatory framework for the registration of subscribers to mobile telephone services and for the establishment, control, administration and management of the central database. In compliance with the regulations, providers of mobile telephone services are required to collect, store and transmit subscriber information to the central database. In line with the provisions of the regulations, the central database is the property of the Federal Government of Nigeria and is kept at the NCC. However, the regulations allow mobile telephone service providers to retain and use subscriber information collected by them on their networks in accordance with the provisions of the General Consumer Code of Practice for Telecommunications Services, which has provisions that comply with the international standards on data protection and privacy.
Under the Cybercrime (Prohibition, Prevention etc) Act 2015, service providers are required to preserve and retain traffic data and subscriber information for a period of two years and to release this information to law enforcement agencies if requested to do so. When providing the information to law enforcement agencies, the service provider must consider the privacy rights of the individual and take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved. The act also details fines and terms of imprisonment for:
- the interception of electronic messages;
- unlawful interception;
- computer fraud and forgery;
- unauthorised modification of data; and
- systems interference.