There is great excitement about recent developments in the private sector in Nigeria. E-commerce, mobile banking and more recently digital banking are just a few examples of such innovative developments. There is one common theme in all these developments: the collection, processing and use of personal data.
Given the importance of personal data to privacy rights, these innovations must be accompanied by corresponding progress in data protection and cyber security mechanisms.
Why is this important?
40% of Nigeria’s adult population have accounts with a financial institution or a money service provider. That implies that at least 40 million Nigerians have their data registered with one financial institution or the other. A significant number of these financial institutions have also adopted digital banking and while that development remains at an infant stage, it remains highly significant with respect to individual data. By reason of their status, financial institutions have ready access to all forms of personal information including fingerprints and photos. They are also responsible for issuing credit and debit cards. In 2017, 53% of the most popular fraud-related posts on Facebook led to carding services or credit card fraud.
The telecoms industry is another significant data mine. At least 92 million Nigerians of the 150 million with registered mobile phones use internet data according to a 2017 report by KPMG. Over 36 million of these registered users are also smartphone users. The number keeps rising every year. Registration and use of these mobile phones often require the provision of personal data such as names, email addresses, locations and credit card details to these telecom companies. Personal information of Nigerians is also routinely collected on entertainment platforms such as IrokoTV, which had over 65,000 subscribers as at 2017. Biometric data capture is also used for an increasing number of functions including obtaining a driver’s license, national identity cards, voter’s cards and electronic passports.
Existing Legal/Regulatory framework: Signs of Progress?
Notwithstanding the fact that Section 37 of the Nigerian constitution guarantees the privacy of Nigerians including their electronic and mobile correspondence, there remains no comprehensive personal information protection law in Nigeria. In 2015, the CyberCrime Act was enacted, criminalizing certain offences such as unauthorized modification of computer data, system interference and identity theft. More importantly, it places a duty on every service provider to disclose information relating to investigation of offences under the Act. What it does not do is place service providers under an obligation to protect individuals’ privacy. Financial institutions are also not placed under this obligation. However, the 2019 Data Protection Regulations impose stricter obligations on data handling bodies to develop security measures to protect data. Companies that breach this duty are liable to fines of 2% of their preceding gross income or 10 million Naira. The Central Bank of Nigeria’s Risk-based Cybersecurity guidelines also prescribe data protection standards for deposit money providers and payment service providers. Other relevant laws on data protection include the National Identity Management Commission Act 2007, Freedom of Information Act 2011 and Credit Reporting Act 2017. However, a significant setback with respect to data protection and cyber security in Nigeria was the refusal of assent by President Muhammadu Buhari to the Digital Rights and Privacy Bill 2019.
Overall, there are signs of progress and steps in the right direction. Questions nevertheless remain as to the capacity of bodies such as the National Information Technology Development Agency to effectively monitor companies’ data protection policies. Doing so requires a level of expertise that may not be readily available. Another issue is the fact that none of these laws or regulations cover all businesses or persons located in Nigeria. This potentially limits the impact of enforcement measures.
Improving Cybersecurity and Data protection in Nigeria: Sustaining the momentum
As indicated above, great progress has been made in developing a regulatory framework for data protection and cybersecurity. This momentum nevertheless needs to be sustained and accelerated if possible. One reason for this is the particular penetration and impact of cybercrime and other forms of data abuse in Nigeria. Cybercrime is said to cost the Nigerian economy 500 million dollars per year. According to Deloitte, cybersecurity breaches of various organizations in Nigeria led to billion Naira losses in 2018. For an economy that generates only 400 billion dollars, million-dollar and billion-naira losses have a significant negative impact and cannot be described as negligible. Our cybersecurity measures must increase at a faster rate than is currently the case to keep up with such colossal losses. The latest budget proposals do not indicate any exact amount being allocated to cybersecurity notwithstanding the increase in allocated funds for security in general. There is no express provision in the 2019 appropriation bill for cybersecurity research, and the lack of a well-defined security policy makes assessing government efforts in cybersecurity even more difficult. In contrast, the United Kingdom government announced in January 2019 the allocation of £100 million as investment in new cybersecurity research. including in small businesses to . The budget for the 2020 financial year in the US saw an allocation of $9.6 billion to cybersecurity. To put the necessity of cybersecurity research in context, Nigeria ranks third globally in cybercrime only behind these two countries.
In addition to government investment, there is the need for an increase in private sector and research participation in cybersecurity. Currently, very few organizations in Nigeria specialize in cybersecurity and data protection. In contrast, there are over 200 cybersecurity firms in the UK and over 2,024 of such firms in the US. Cybersecurity research takes place at the highest level in at least 19 UK universities and there are 3 centres at different universities specifically for doctoral training in cybersecurity. There is no cybersecurity research centre in Nigeria established by the government and the operational status of its proposed government cybercommand is unclear. Even if such a centre or command were to exist, there remains the problem of recruiting the right people to perform the necessary function. Nigeria is currently struggling to keep hold of its software engineers and even those who remain still have to deal with various infrastructural challenges, none of which appear likely to be resolved anytime soon. The good news is that there are available courses and training programmes on cybersecurity that both IT enthusiasts and non-enthusiasts can use. The rise in tech startups can also be channelled towards building a ‘quasi-cyber security’ army useful for both public and private data protection. Government funding for these startups, similar to the £5000 grants to boost cyber security granted to small businesses in the UK by the UK government, will greatly enhance such prospects.
Another way in which private sector participation in data protection and cybersecurity can be increased is through advocacy by civil society representatives that puts pressure on private companies, especially financial and telecom companies, to account for and disclose the data protection measures that are in place. Greater awareness of the CyberCrime Act and corresponding data protection regulations is necessary to achieve this purpose. Data subjects have a right to know what their personal data is being used for and this right should be exercised. The duty of disclosure in relation to data use must apply to both small and large organizations. Based on current evidence, it is difficult to see how organizations are complying with this disclosure duty or indeed the requirement to inform the public of their data protection policies. Businesses may be helped in this regard by regulatory bodies issuing compliance guidelines as is the case under the European equivalent.
Expansion of services to include online or mobile app services must also be accompanied by investment in cybersecurity and data protection. Nigeria already has its hands full in terms of law enforcement offline. Failure to address cybersecurity and data protection effectively will only compound its online woes.
Oluwafifehan Ogunde is a research specialist and consultant with research interests in human rights law, criminal law and constitutional law. He has a Master’s degree in Human Rights Law from the University of Nottingham and a Bachelor’s degree from the University of Sheffield. He is also a barrister and solicitor of the Federal Republic of Nigeria, having been called to the Nigerian Bar in February 2012.