DATA PRIVACY WITH TELECOMMUNICATION COMPANIES: A FARCE? (PART 1)
Data privacy has always been a background conversation, especially with the emergence of Social Media and quick connectivity. Personal data is consistently churned out every second, with insufficient regulations as to how it is being processed or used. In a research by DOMO, a data solutions company, over 2.5 quintillion bytes of data are created every day, and the numbers are projected to spike. These data can be used for a myriad of things, one of which is identifying a specific location — as was done in John’s case.
For context, the year is 2020, and John’s uncle’s apartment was raided by men of the Department of Secret Services (DSS). His uncle was used as bait to lure John. John was further arrested, tortured, and taken into custody without being notified of his crime; and as bad as that was, it was only the beginning of John’s troubles. He later got to know he was arrested and unlawfully detained because he operated a parody account using an ex-president’s identity (he used the profile picture of the ex-president but divested the account of ties to the president in the bio). More importantly, the crux of this narration is that the DSS were able to find John by locating his uncle’s house, using the information provided by John’s telecommunications provider. His telecoms provider had divulged five of John’s phone contacts to the DSS without his consent. One of the five phone contacts was his uncle, which the DSS used to lure John before he was arrested. Now, how’s that for a climax?
Although John’s story was quite devastating, there are more people with similar experiences that do not get the limelight. Their telecoms provider divulging their private data to external or third parties without their consent, especially where there was no legal obligation to do so. Telecoms are network provider-based companies that help to foster communication. Data privacy is all about protecting data (personal or not) from third parties without the owner’s consent. It involves the proper handling of data; from consent to data processing. In this light, divulging of personal data without the consent of the data subject is a breach of data privacy; and this is a leech everyone needs to be aware of in today’s world.
Every Nigerian has a right to their data being protected, and data with their Telecoms provider is not an exception. The Constitution specifying the fundamental human rights provides that “the privacy of citizens, correspondence, telephone conversations, etc is guaranteed and protected”. The National Information Technology Development Agency (NITDA) was recently established to regulate and develop the national digital economy policy for Nigeria and safeguard the rights of citizens to data privacy. The NITDA stipulated some rules to regulate the digital space with the primary legislation being the Nigeria Data Protection Rules (NDPR). It explains personal information/data to mean information relating to an identified or identifiable natural person. Such data can reveal the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. A person can be referenced by identifiers such as; a name, an identification number, a location data, an online identifier, a number, SIM (subscriber identity module) details, next of kin etc.
In a bid to regulate data protection, NITDA classified persons who hold data as data controllers; and defines them to be persons who either alone, jointly with other persons, in common with other persons or as a statutory body determines the purposes for and how personal data is processed or is to be processed. Data subjects are the identifiable natural persons whose data is being held. And to show the importance of data privacy, the NITDA also specifies a yearly audit for data controllers, and the audit to be done by the Data Protection Compliance Organizations (DPCOs) (an organization accredited by the NITDA). The DPCOs will verify that the data controller is putting measures in place to protect the data of its data subjects, and not performing activities capable of exposing the data subject to risk. More importantly, the DPCOs will ensure the data controller is compliant with the provisions of the NITDA with regards to data protection.
REALITIES OF DATA SUBJECTS & COMMENTARIES
Interestingly, as encompassing, and intentional as the Constitution and other primary regulations (NITDA and NDPR) are with data protection especially in the digital age, we still have instances of data privacy breaches by telecoms with no news of redress to the victims. In 2019, it was reported that the NITDA was investigating Banks, Telecoms, and FinTech’s for alleged breach of privacy rights. However, that was the last thing we heard about that. There were no reports of sanctioning, or reports on the results of the investigation done by the NITDA; neither were means provided to build trust and confidence in the data protection processes. In June 2020, the NITDA also communicated that they were investigating TrueCaller for breach of privacy rights of Nigerians using their service. It also communicated that there were instances of illegitimate provisions found, with implications that could be far-reaching, by exposing unsuspecting Nigerians to exploitation. However, after this communication, the reports were never released, neither were sanctions meted out. Actions like these are usually referred to as “all barking and no biting”. When data controllers (residents or not) see how loosely the NDPRs resolve breaches of data privacy, it gives them more laxity, more leeway to treat breaches with levity. It also reduces the level of trust data subjects have in these agencies, especially in a low-trust society like ours.
More people have come out to complain about this type of breaches. Recently, a Twitter user complained of how her personal information and call logs were divulged by a telecoms company to her parent. This is not synonymous with consent or legal backing, given the fact that the user in question is not a minor. Although these claims were not verified, more people (victims of other breaches) were encouraged to tell their stories relating to their experience with data breaches by telecoms provider.
To buttress this point further, TechCabal wrote an article where it was revealed that these Telecoms have so many agents who help with the SIM registration process, and many a time the data collected does not reach the telecoms provider or ends up in the wrong hands. Data released during SIM registration is not just personal data, but sensitive personal data which ought to be treated with the utmost care, caution, and privacy, not to mention having the data collected fall in the hands of unscrupulous individuals. The article further mentioned that the NCC further divulges some of these SIM registration details to other government agencies like the National Identity Management Commission (NIMC) without the consent of the data subjects, which is a blatant disrespect for the NDPR. Also, Nigerian Communications Communication (NCC) constantly reports invalid subscriber’s data annually, one can only imagine where and how the data collected (howbeit invalid) ends up.
To understand the severity of this problem, data has been dubbed the new oil in today’s world. Every progressive company needs data to build its products, academics need data to build concepts and brands need data for efficient marketing. In fact, there is an ongoing feud between Apple and Facebook with regards to data privacy issues. Considering all these, data subjects need to be aware — now more than ever — of their privacy rights, and more importantly, understanding the avenues of seeking redress upon a breach.
RIGHTS & MODES OF REDRESS
It is one thing to know the details of data privacy, however, it is more important to identify when there is a breach to exercise your rights for redress. Chapter 2 and 3 of the NDPR is quite comprehensive on the rights and avenues of redress, but we as Nigerians also need to be aware of these measures, to enable them to execute such rights. These rights range from:
· Data controller’s obligation to the data subject to inform the data subject of any form of processing to their data,
· Right to be informed of transmission of their data,
· Right to be informed of the mode and period of storage of personal data
· Right to grant consent for personal data to be shared with a person or entity
· Right to withdraw consent to process personal data,
· Right to complain to relevant authorities,
These rights, as encompassing as they may be, would be of no value without modes of redress or enforcement especially when there is a breach. The NDPR sets the modes of redress to include:
· Data subject’s right to approach a competent court of jurisdiction or
· An administrative redress panel set up by the NITDA.
More importantly, the NITDA needs to continually build trust amongst the populace by fostering data privacy discussions. The agency needs to help the populace understand the need to take their data protection seriously, and to remember that redress is always available.
The importance of data protection in these times cannot be overemphasized. Research already shows that humans are very willing to share their sensitive data for services. Most services today already request sensitive data before signing up. The availability of sensitive and personal data in hands of a criminal can be used to cause harm. The exposure of certain kinds of personal data to the public can put data subject in harm’s way. It can make them susceptible to hacking, phishing, etc. There is no better time to be aware of data protection and hold primary data controllers accountable than now!
Personal Finance tip: Ask yourself today, are you saving or investing? Saving is putting money aside, whilst investing is building wealth through compound interest. Saving would never lead you to financial independence. Investing will, and as much as you invest, you need to beware of the investment vehicles you use.