On the 21st of
October, 2013 Nigeria’s telecommunications regulator; the Nigeria Communications
Commission (NCC), issued a public notice via its twitter handle; @NgComCommission, which came into effect
on the 1st of November, 2013 directing all cybercafé licencees and
operators in the country to maintain an up to date data base of its
subscribers/users detailing information such as; full names, names of corporate
body (in the case of a corporate establishment), traceable physical address,
full faced passport photograph, telephone numbers, permanent residential
address(not P. O. Box), evidence of registration with Corporate Affairs
Commission(CAC)(applicable to corporate bodies only) and other forms of
identification including international passport, driver’s licence, national
identity card, etc. According to the NCC,
this database is to aid law enforcement authorities in fighting the increasing
rate of cybercrime committed through cybercafés across the country.
It is not in doubt that
cybercrime is rampant in Nigeria. A February 2010 report by the Internet Crime
Complaint Centre named Nigeria the top African nation and third in the world
(after USA and UK) in its global cybercrime ranking. It has also been reported that Nigerian
consumers lost a total of N1.246 trillion to cybercrime in 2012 and recently
the Central Bank of Nigeria (CBN) reported that the Nigerian banking sector lost over 20billion through internet fraud. There is therefore every need to
fight this cankerworm called cybercrime in Nigeria.However,the Government (NCC,
law enforcement agents, etc.)must ensure that the fight against cybercrime is
done within the limits of the law and must avoid infringing;without lawful
justification, the constitutional right to privacy of millions of innocent
Nigerians who use cyber cafes or do anything that may negatively impact on that
right. It is yet to be proven by NCC that most of these crimes are committed
using cybercafés. It is even debatable if these internet crimes are perpetrated
using cybercafés considering the availability of faster internet on smartphones
coupled with cheap internet plans been offered by the GSM service providers(for
instance on 31 October 2013, Globacom slashed its blackberry internet subscription (BIS) tariffs by half.The Absolute Month platform which hitherto was
N2,800 with 3GB data, now goes for N1, 000 with 3GB data) and the convenience
of browsing the internet on smartphones, tablets and personal laptops which are
increasingly becoming affordable.
Without conceding that
cybercafés are used to commit most of the cybercrimes in Nigeria, let us assume
that it is actually the case and NCC rightfully desires to step in to curb this
monstrous menace of cybercrime by urging cybercafé lincencees and operators to
keep an up to date data base of its subscribers/users (that is assuming the
users in the case of non-corporate bodies; submit their actual data and not
fictitious data). What then becomes of this huge data base of personal and
sensitive information of individuals in the hands of cybercafé operators since there
are no data protection laws regulating the use of such data in Nigeria? How
long will such data be kept? What remedies are available for any person whose
personal information has been misused? The data; for instance, phone numbers
could be sold or leaked to companies who could use it to send spam or
unsolicited/unwanted text messages(adverts) to people. Someone’s identity could
also be stolen and used by criminals for e.g. the name, passport and phone
number could be used to fabricate or produce a fake identity card and left at a
crime scene. The Police on arrival at the crime scene could pick up the identity
card and arrest the person whose name, picture and address appear on the card
and interrogate or let’s say torture (because a times that is what their
interrogation is all about) the person. In the long run it may be discovered
that the identity card was fabricated and the person whose details appear on
the card was not actually at the crime scene, however, such person may have
suffered bodily injuries (sometimes severe) from the torture by the Police.
These concerns and issues
raised above could be addressed to a large extent with a data protection law.
In recent times many subscribers of the GSM providers in Nigeria have been
flooded with promotional or commercial messages. These messages sometimes are unwanted
text messages including commercial messages otherwise known as spam which could
be annoying and intrusive. In the United States, two laws– the Telephone Consumer Protection Act (TCPA) and the Controlling the Assault of Non-
Solicited Pornography and Marketing (CAN- SPAM) Act – have been enacted to
address spam. The TCPA and the Federal Communications Commission’s (FCC) rules
ban many text messages sent to a mobile phone using an auto dialer(auto dialer;
according to Wikipedia, is an electronic device or software that automatically
dials telephone numbers. Once the call has been answered, the auto dialer
either plays a recorded message or connects the call to a live person). These
texts are banned unless (1) you previously gave consent to receive the message
or (2) the message is sent for emergency purposes.In the UK, the Privacy and Electronic Communications Regulations 2003 cover the way organisations send
direct marketing by electronic means, including by text message (SMS).
Organisations cannot send you marketing text messages you didn’t agree to
receive, unless: (a) the sender has obtained your details through a sale or
negotiations for a sale; (b) the messages are about similar products or
services offered by the sender; and (c) you were given an opportunity to refuse
the texts when your details were collected and, if you did not refuse, you were
given a simple way to opt out in all the text messages you received.
China too is not left out
in the legislative efforts to curb spam and protect personal data thus on
October 25, 2013, the Chinese Congress passed an amendment to the Peoples’ Republic
of China Law on the Protection of Consumer Rights and Interests (the
“Amendment”);to address growing problems related to the misuse of consumers’
personal information in contemporary China.The Amendment establishes strict
rules on how business operators should collect and use personal information,
and how offenders may be punished. The Amendment emphasizes that the personal
information collected by a business operator and its staff must be kept
strictly confidential. It also prohibits business operators from leaking,
selling or illegally providing such information to others, and requires
operators to adopt appropriate technical measures to safeguard the information.
At the same time, business operators may not send commercial messages to a
consumer unless the consumer has provided consent or requested the information.
Apart from those countries
mentioned above, many other countries have a law or laws aimed at protecting
personal information or data. In South Africa, the Protection of Personal
Information Act has been passed by parliament and is awaiting assent by the President;
and in Mauritius the Data Protection Act 2004 (the “MU DPA”) was enacted for the
protection of the privacy rights of individuals in response to the developments
in the techniques used to capture, transmit, manipulate, record or store data
relating to individuals. The MU DPA came into operation in February 2009. Data
Protection Regulations were issued in 2009 by the Data Protection Office. It is
also responsible for ensuring compliance with the Data Protection Act and
bringing enforcement actions.
Furthermore, in the UK
they have the Data Protection Act;while in Mexico they have the Federal Data
Protection Act. Also, in Japan they have the Personal Data Protection Act while in
Canada they have the Personal Information Protection and Electronic Documents
Act (PIPEDA).
In the United States they
have a host of laws aimed at protecting personal information or data some of which
include the Right to Financial Privacy Act of 1978whichrequires a subpoena
or search warrant
for law enforcement
officials to obtain financial records, the
Telephone Consumer Protection Act of 1991whichprovides certain remedies from
repeat telephone calls by telemarketers; and the Driver’s Privacy Protection
Act of 1994, which restricts the states from disclosing or selling personal
information in their motor vehicle records.
It would therefore be of great
help if NCC (as a regulator with so much of our data) and other stakeholders could
push for data protection laws as is the case in other countries mentioned
above.
Moreover, it is even
doubtful if this directive by the NCC would be of much assistance in
investigating cybercrime cases as by merely maintaining a database of subscribers/users
one cannot tell which user browsed the internet for a fraudulent purpose.