The Nigerian mobile telecommunications market has continued to grow in leaps and bounds, creating opportunities for further investments. These investments have continued to increase exponentially in proportion to the increase in the subscriber base, which currently stands at 96,110,538 connected lines. This has made the Nigerian telecommunications market the largest in the whole of Africa and the fastest growing from a developing nation. The service providers have continued to introduce innovative service offerings to their numerous customers. The latest addition to this is the proposed mobile number portability to be superintended by the Nigerian Communications Commission (NCC), which is supposed to go live on the network of all mobile service providers before the end of September 2010. This service will enable mobile subscribers to retain their mobile numbers when changing service providers.
No doubt, this will create more value for mobile subscribers who will not have to incur more costs when switching service providers.
This article highlights instances where competition and/or consumer protection issues are likely to undermine the rationale of the NCC for mandating mobile number portability in the Nigerian telecommunications market. It also looks at the new role of the NCC as the sector regulator in stemming the tide of these issues.
MOBILE NUMBER PORTABILITY (MNP)
Mobile number portability is a process that enables a mobile subscriber to retain his mobile number when changing from one service provider to another. This is a tremendous improvement on the traditional method, where customers were instead required to give up their numbers when switching providers. As a result, customers were saddled with the possibility of missing calls from people who did not yet know their new number, printing new contact cards, notifying all their important contacts about the change of number, etc. This inability to port numbers generally increased the reluctance of subscribers to change service providers, even when they were experiencing poor quality of service (QoS).
According to the NCC, the rationale for the introduction of MNP is the removal of barriers to the freedom of mobile subscribers to choose their favorite service provider, the promotion of further competition among service providers in service delivery, the creation of an incentive for service providers to improve their services, and the removal of barriers to market entry. This is the major policy emphasis of a liberalized telecommunications sector.
The international operational standard for implementing MNP is for a subscriber wishing to port his number to contact his new service provider, who then arranges the porting process with the old service provider. This is known as ‘recipient-led’ porting. The other method of implementing the porting process is known as ‘donor-led’ porting, where the customer wishing to port his number approaches his service provider (donor) for a port authorization code (PAC), which is given to his new service provider (recipient) for the activation of the porting service.
COMPETITION AND CONSUMER PROTECTION ISSUES
Sustaining open market competition and ensuring that telecommunications subscribers are protected in the Nigerian telecommunications market underscore the reason for implementing MNP. A key issue here usually concerns the cost incurred by subscribers when switching service providers, as this can be a barrier to entry and/or a distortion of competition. Without regulatory prompting, service providers see no incentive in providing MNP, since they fear the depletion of their customer base arising from poor quality of service. MNP thus has a significant role to play: not only does it ensure that switching costs are kept to a minimum, it can also provide a competitive edge to service providers who have better service delivery mechanisms in place. By improving customer satisfaction, MNP is seen as a useful tool in encouraging and sustaining open competition in the telecommunications market.
Some of the pertinent competition and/or consumer protection issues likely to undermine the benefits associated with the implementation of the MNP process are:
1. Switching costs
In a sufficiently competitive market, telecommunications subscribers will usually switch from a service provider that fails to provide adequate service to another one that provides better service. In doing this, subscribers will usually incur costs. While many of these costs are non-pecuniary, they may have a significant impact on the total call value of a subscriber or may pose a barrier to the late market entry of a competitor. Some of the costs incurred when switching to another service provider are as follows. The first is the need for compatible equipment: where a GSM service subscriber wishes to migrate to the network of a CDMA service provider, the subscriber will usually have to acquire a new handset compatible with the CDMA network. The second source usually involves the transaction cost of the switching process, as subscribers may be required to register and apply to port their numbers, and a fee may be charged for the process. Another source of worry is the cost (usually time and money) of printing new stationery with the new number and informing one’s current contact list about the change of number.
When these costs are substantial, they are likely to result in a subscriber lock-in effect to the networks of particular service providers, even when competing brands offer lower prices and better service quality. In addition to this, some service providers may actually require that subscribers intending to port their numbers pay an exorbitant fee. Closely related to this is the penalty fee to be paid by post-paid (contract) subscribers who may wish to terminate their contracts so as to switch to another service provider. As these subscribers have contractually bound themselves to the service providers for specified periods of time, they are liable to pay termination fees if they choose to terminate their contracts at an earlier time.
When these fees border on the high, they tend to inhibit switching and may constrict the subscriber’s choice. This may also be a source of competition worry, as new market entrants may not be able to attract customers away from incumbent service providers.
2. Port Duration
This is the time it takes from when a porting process is initiated until it ends. The NCC-recommended timeframe is 2 working days, based on the existing network capability in Nigeria. Despite this recommendation, the possibility still remains that service providers may use slow procedures in churning subscribers so as to discourage them from switching. An incumbent service provider with a large subscriber base can actually manipulate the timeframe by either denying or prolonging the porting process. If this happens, it would be contrary to NCC’s intention for the porting duration and in direct conflict with section 12 of the Consumer Code of Practice Regulations 2007, which provides that: licensees shall provide services within any service supply time targets set out in the Commission’s Quality of Service Regulations…
3. Subscribers Win-back Strategies
MNP will introduce new strategies for service providers in retaining or winning back their subscribers. These strategies may take the form of marketing calls to subscribers of rival service providers, offering discounts or promoting selective offers with the main aim of poaching them. A standard feature of a win-back strategy is that it is targeted at only a portion of the competitor’s customers who were once customers of the incumbent. As these strategies are a form of selective price discrimination towards the competitor’s customers, they may constitute anti-competitive behavior aimed at marginalizing new entrants. The post-Chicagoan school of economic thought posits that such selective discounts offered to these former customers are likely to have an adverse effect on competition by suppressing long-term efficient entry into the market. This school of thought believes that the main purpose of any form of predatory pricing is to drive out the competition. The competition implication of win-back strategies continues to be an important factor in any liberalized sector.
4. Tariff Transparency
Without MNP, subscribers are usually able to identify the service providers through their number prefixes. With MNP, this identification is lost, since the number prefix does not automatically indicate the network ascribed to a given number. As a result, if calling prices differ between different networks (as is usually the case), subscribers may be unaware of the exact charges for placing calls to mobile networks. From an economic perspective, this is similar to a scenario where consumers have no knowledge of the price of the goods or services they wish to purchase.
Previous studies have indicated that service providers may have incentives for increasing rates for terminating calls on their networks based on the ignorance of subscribers about the relevant prices. These studies have also suggested that MNP may deteriorate the customers’ price information. Full tariff transparency is therefore lost, and unless NCC as the regulator intervenes for the prices to be changed, callers may actually have to pay more than expected for certain calls.
THE WAY FORWARD
As rapid technological changes continue to shape the Nigerian telecommunications market, the behavior of subscribers will continue to be impacted, presenting new challenges for the NCC. The main focus of this challenge will be to ensure that favorable market conditions exist which thrive on technological innovations, whilst still ensuring that the interests of subscribers are protected.
When competition is sustained, the subscriber’s right to exercise his choice is unimpeded. Switching costs have an implication for the structure and competitiveness of markets where telecommunications technology incompatibility in the mobile phone industry makes both physical capital and human investment in a particular service unassignable. To ensure that consumers enjoy the benefits of migrating to the network of their chosen service provider, NCC must play a role in ensuring that switching costs are kept to a minimum. Service providers must be deterred from even the slightest possibility of leveraging the size of their (locked-in) subscriber base by arbitrarily raising the price of their service.
The NCC recommended timeframe for porting should be religiously complied with and rigorously enforced so as not to discourage the churning of subscribers. An intentional contravention of this directive will amount to a breach of both the QoS and Competition Practices Regulations, making the defaulting service provider liable to enforcement measures from the NCC.
Even though it is NCC’s intention not to implement restrictions on customer win-back by service providers, it must take a cue from competition authorities in North American and European countries, where win-back strategies have come under serious scrutiny. For instance, in 2004, the Kansas Corporation Commission enforced a win-back prohibition forbidding the incumbent from attempting to win back a customer within 30 days of switching. NCC should toe the post-Chicagoan line by recognizing that win-back strategies under certain conditions may have the effect of lessening competition.
The ability of customers to predict the cost of the calls they place must not be eviscerated by MNP. NCC recommends that this capability shall be provided in real time by a beep, a display of the tariff or service information on the subscriber’s terminal screen, or a voice-recorded announcement before a call to a ported number that is going to incur a different cost than it would have been charged before the number was ported. The regulatory best practice is to ensure that subscribers are well informed about prices; NCC must work diligently to ensure that service providers comply with this best practice.
The role of the NCC in Nigeria is not a static one; it continues to shift according to the dynamics of the telecommunications market and is primarily focused on achieving sustained competition that guarantees the protection of the rights of subscribers. The implication flowing from this will be the attraction of more investments into the market.
Finally, the goal of all liberalized markets is to ensure competition; once this is achieved, the right of consumers to choose remains unrestricted. The NCC must in all cases be ready to intervene if this competition comes under threat.
MNP does actually stimulate competition; if implemented properly, it will lead to a lowering of switching costs, resulting in added value to the existing services already being enjoyed by Nigerian telecommunications subscribers.
Essays: Topical Policy and Legal Perspectives from the Nigerian ICT sector. Disclaimer: The views expressed are entirely those of the blogger and should not be a substitute for professional advice!
Monday, June 28, 2010
Saturday, May 1, 2010
THE SCRAMBLE FOR BROADBAND INTERNET SERVICES IN NIGERIA: NEW TECHNOLOGY, NEW CHALLENGES, MORE GOVERNANCE.
In recent times, the rate at which business entities are investing heavily in the provision of broadband internet access has been impressive. The Glo-1 submarine cable, a multi-million dollar project from Glo Nigeria, is a submarine cable of 100,000km with landing points in Nigeria, Ghana, Senegal, Mauritania, Morocco, Portugal, Spain and the United Kingdom (UK). It has a bandwidth capacity of about 640 gigabytes and has been operational since the last quarter of 2009. Enter the Main One cable system, being rolled out by MainOne Ltd., which is set to go live in June 2010. This 14,000km long submarine fibre optic cable stretches from Portugal to South Africa, with landing points in Seixal in Portugal, Lagos in Nigeria, Accra in Ghana and South Africa, and will provide high speed internet capacity of 1.92 terabits. The boldest determination so far is the West Africa System (WACS) planned by a consortium of telecommunication companies. WACS will link South Africa with the UK along the western coast of Africa. The design capacity is projected to be at least 3.84 terabits.
While these ventures seem to be a welcome development, as they will go a long way in not only providing high speed internet connectivity but also increasing the rate of internet penetration in a country that has been reported (Internet World Stats) to have had 23,982,200 (16.1%) of its population accessing the internet in 2009, I continue to think, in the face of this 20th century technological evolution, about whether Nigeria has lived up to its responsibility under the Internet Governance Forum established during the second World Summit on Information Society (WSIS) held in 2005 in Tunis.
No doubt the internet has changed the way we now live and has impacted tremendously on our lives. It has also spawned myriad new challenges, notably issues relating to how it is used. Such issues include cybercrime, the protection of children online, internet privacy and copyright infringement, amongst many others. All these issues have necessitated a proper implementation of the appropriate internet governance solution to mitigate the risks associated with the use of the internet.
The WSIS proposed a working definition of internet governance: “Internet governance is the development and application by Governments, the private sector, and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” In Nigeria, the emerging issues arising from increased internet usage are:
1. Cybercrime: The ubiquitous nature of the internet has enabled communication on a global scale across computer networks. This has favoured criminals in using the internet as a tool in the perpetration of criminal offences. Prominent examples of these are fraud, identity theft and phishing scams. For a developing nation like Nigeria, finding a response strategy and solution has become fundamental to the beneficial use of the internet. In recent times, Nigeria has come under international pressure to take action over financial scams facilitated through email services. In 2006, the National White Collar Crime Center reported that losses related to the popular Nigerian email fraud averaged about 5,100 USD each. Though Nigeria, in response to this challenge, ratified the Convention on Cybercrime, it is yet to enact the Draft Bill on Computer Security and Critical Information Infrastructure Protection Bill 2005.
2. Child Protection Online: The International Telecommunications Union (ITU) has come up with a global initiative with the objectives of identifying risks and vulnerabilities of children (and minors) in cyberspace, creating awareness of these, helping in the development of practical tools that will help to minimize these risks and, lastly, providing a forum for knowledge sharing on best practices. The child online protection initiative will guarantee that the child is not exposed to harmful or inappropriate content, which includes a wide variety of materials such as pornography, violent content and the like. It is important that Nigeria tap into this initiative and adopt strategies to protect our children, who will become the leaders of tomorrow.
3. Internet Privacy: According to American privacy expert Steven Rambam, “Privacy is dead - get over it”. While a number of industry experts seem to agree with him, national governments are still working to guarantee the privacy of the individual in this age of information explosion. With the proliferation of the internet and its technologies, a lot of individuals are increasingly finding it difficult to control their personal information in cyberspace or decide to whom this information should be disclosed. In this age of information explosion, personal information, if not properly protected, could be misused to the detriment of the data subject. This is constantly being manifested on online social and electronic commerce platforms, where personal information has been mishandled and compromised by the owners of such platforms or by individuals participating on such platforms. It becomes imperative for the Nigerian government to intervene in this instance to safeguard and enforce this fundamental human right.
4. Copyright Infringement: In the words of Harvard Law Professor Lawrence Lessig, “the fear is that cyberspace will become a place where copyright can be defeated”. Copyright is granted protection under both international and national laws. The internet has made it possible for works in which copyright subsists to be easily distributed across computer networks, thereby implicating the owner’s rights of both distribution and communication to the public. Peer-to-peer (p2p) technologies have a role in the infringement of copyright: this technology connects an individual’s computer to another computer, whereby information (mostly copyright works) is easily retrieved and distributed over the internet. No doubt, the high speed internet connectivity in Nigeria plays a prominent role in this phenomenon. Because of the near impossibility of identifying the alleged infringers, national governments and copyright owners have targeted Internet Service Providers (ISPs) as facilitators of copyright infringement across their networks. This has resulted in laws which provide safe harbours for ISPs and define instances in which they will be exempted from copyright infringement liability under their national laws.
The growing awareness of the social, economic and legal dynamics of the internet has impacted on Nigerian society, has brought to the front burner the problems associated with its increased usage, and has crystallized into topical issues under the Internet Governance Forum. For broadband services to benefit the Nigerian community, the stakeholders in Nigeria (including the Government and ISPs) have a constant and continuous role to play by intervening with policy and technological solutions that will shape the way the internet will be legitimately used in Nigeria, leading to the achievement of the goals set under the Internet Governance Forum.
In conclusion, the statement of John and Post that “the rise of an electronic medium that disregards geographical boundaries throws the law into disarray by creating entirely new phenomena that need to become the subject of clear legal rules that cannot be governed, satisfactorily, by any current territorially based sovereign” seems to come to mind in the Nigerian case.
DATA PROTECTION ISSUES AND LEGAL IMPLICATIONS IN NCC’S DIRECTIVE ON SIM CARD REGISTRATION
Towards the end of 2009, the Nigerian telecommunications regulator, the Nigerian Communications Commission (NCC), in exercising the powers granted it under the Nigerian Communications Act (NCA) 2003, issued a directive, published in the Thisday newspaper of December 31, 2009, to the effect that from the 1st of March 2010 (according to the online news service “Daily Independent,” this date has been postponed to May 1st 2010) all new Subscriber Identity Module (SIM) cards must be registered before activation. This will be followed by the registration of the SIM cards of existing SIM card holders at a later date.
This directive from the NCC was born out of the need to have a credible database of SIM card holders in Nigeria that will be used to identify (for possible prosecution) criminal actors who perpetrate criminal activities through the use of mobile phones by exploiting the anonymity of an unregistered SIM card.
This paper considers two issues: the data protection and privacy issues that arise during the implementation of the SIM card registration process, and the legal implications on the criminal model of crimes being perpetrated through the use of mobile phones. Discussing the technical framework for the implementation of this process is entirely outside the focus of this write-up.
Data Protection and the Concept of Privacy under Nigerian Law
The right to privacy is an inalienable human right that cannot be derogated from, neither can it be subsumed under any government law or policy. Though Nigeria presently has no legislative framework for Data Protection, the right to privacy can be traced to the Constitution of the Federal Republic of Nigeria (CFRN) 1999, in particular S. 37 provides “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
The broad import of this particular statutory provision is to guarantee the private affairs of the Nigerian person from interference and intrusion. This statement finds meaning in the definition of privacy as “The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of [personal] information” [emphasis mine].
When this constitutional right is juxtaposed with NCC’s directive to register SIM cards, one is wont to ask about the nature of the privacy and/or data protection issues involved in the registration of these SIM cards.
A SIM card, as the name implies, is used to identify subscribers to mobile telecommunications services. It is a removable card that allows the user to transfer his subscribed services to another mobile device.
As there is a dearth of data protection laws in Nigeria, I intend to propose as a reference model the principles contained in the EU-wide Data Protection Directive 95/46/EC, as a guide for the implementation of this SIM card registration process. Amongst other things, this directive has been internationally touted as setting the benchmark by which data protection laws are evaluated; the standards set are widely regarded as “high” and place an emphasis on human rights, while its principles have been flexible in their approach.
Pursuant to this Directive, data or personal data means any information relating to an identifiable natural person (data subject). The Directive also goes further in defining an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to an identification number… Therefore, for data to be “personal”, two conditions must be met: first, the data must relate to or concern another natural person; secondly, the data must be used in the identification of the natural person. Where data does not refer to a natural person, it falls outside the scope of the EU Directive. As SIM cards contain both the unique serial and international numbers of the subscriber, they no doubt come within the meaning of “personal data” as contemplated under the EU Directive, since another individual would be able to connect the personal data to a natural person.
The capture of the subscriber’s photograph and biometrics (which undoubtedly are also personal data), as required under the implementation process, will be deemed to be the processing and/or collection of personal data. In accordance with this EU Directive, data processing occurs when an operation or a set of operations is carried out upon personal data, whether or not by automatic means. These operations include the collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure and destruction of personal data.
Since it is evident that due to the nature of the personal information stored in the SIM card database, accessing this database would therefore be implicating the privacy rights of SIM card holders, the question then becomes, under what circumstances will these personal data or information of Mobile telephony subscribers be collected, accessed or used legitimately? This is important in order not to run the risk of abusing stored data by those accessing it as data specifically provided for one purpose might be used entirely in a different context.
The EU Directive has a set of principles that must be adhered to when accessing the personal data of the private individual, it sets out the right of the private individual in regards to his personal data and establishes the general principles guiding the processing of personal data. These principles will be summarized below and related to the proposed SIM card registration in Nigeria:-
1. Data may only be processed where the private individual (data subject) has given consent: For SIM card holders, this consent must be specific and informed. It cannot be inferred from any circumstances, nor can it be given on the basis of misrepresented facts.
2. Data may be processed when the processing is necessary for the entering into a contract with the private individual: This is fulfilled when the contract between potential SIM card holders and mobile telephony service providers contains clauses to the effect that their SIM cards would be registered. For existing SIM card holders, it would be necessary to obtain their consent.
3. Data may be processed in order to comply with a legal obligation imposed on the entity in charge of processing the data: That is, the entity in charge of registering SIM cards in Nigeria may legitimately access this information only in so far as it complies with the legal obligation imposed on it.
4. Data may be processed when the processing is necessary to protect the vital interest of the private individuals: A broad meaning should be given to this paragraph in so far as the processing of the personal data would be necessary to protect the interest of SIM card holders.
5. Data may be processed when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data are disclosed: To rely on this paragraph, the relevant question becomes whether accessing the SIM card database would be justified on the basis of a public interest that overrides the privacy rights of SIM card holders.
6. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed: SIM card holders must be allowed access to this database at any time and be able to make the necessary corrections to their personal data as contained in this database.
7. Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes: This is the main thrust of any good data protection policy. What is the main purpose of registering SIM cards in Nigeria? Legitimate processing requires that the uses of the personal data be known and publicly stated at the time of registration. A 2006 decision of a German court comes to mind here, where the demand by a public prosecutor investigating a criminal case to access personal data stored on a SIM card of an on-board unit in a truck was denied by the court. The court was of the opinion that the German Federal Toll Collect Act, on which the collecting of SIM card data is based, restricts the use of toll data to only the control of toll payments. In this regard, access to the SIM card database in Nigeria must be restricted to only the purpose(s) specified by the NCC, i.e. cases of criminal activities perpetrated through the use of mobile telephones. To override such a purpose would require legal justification and authorization.
Legal Implication
NCC’s directive to register SIM cards will have some practical implications for criminals intending to keep committing crimes through the use of mobile telephony services. In order to do so and avoid identification, some criminals will have to migrate to other criminal models that continue to guarantee them anonymity. These models are considered under the following three heads:
1. SIM card cloning: Occurs where the information contained in one SIM card is replicated for the purpose of making fraudulent calls, the billing for which would be incurred by the owner of the cloned SIM card rather than the perpetrator. To achieve cloning, the Electronic Serial Number (ESN) and Mobile Identification Number (MIN) have to be successfully retrieved from the target phone for transfer to the cloned phone. When this happens, calls can be made from the cloned phone as if it were the original phone. It is possible for criminal entities to exploit SIM card cloning technologies so as to beat the identification process inherent in SIM card registration.
2. Roaming services: Roaming has been defined as the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services, including home data services, when travelling outside the geographical coverage area of the home network, by means of using a visited network. Now consider this scenario: a criminal obtains a registered SIM card outside Nigeria from a service provider that offers roaming services within a Nigerian service provider’s network. It is obvious here that this criminal has successfully circumvented the NCC registration process by virtue of this roaming service and is still able to perpetrate his criminal intentions through this service within Nigeria.
3. Internet/Satellite Telephony: With services like Skype and the scramble for broadband services in Nigeria, Internet telephony seems to have found a niche for itself. Satellite telephony, for its part, connects to satellites in orbit rather than terrestrial cell towers. All these services can be used to circumvent NCC’s registration process and perpetrate criminal activities.
From these criminal models, it is obvious that NCC’s intention may not be sufficient to address the purpose for registering SIM cards. The author believes that a system of identity management should be implemented in the mobile telephony sector. This will help to address the issues of anonymity posed in the mobile telephony sector.
Conclusion
Even though NCC’s directive commences today, May 1st 2010, it still presents some data protection issues that must be addressed. As national governments are becoming more aware of the importance of a good data protection framework, Nigeria must consciously strive to ensure that the personal data (in whatever form) of the Nigerian person is safeguarded. It goes without saying that the common Nigerian person values his privacy and should not be exposed to situations where his personal data is arbitrarily processed or accessed. The glaring reality of the lack of appropriate legislative solutions to address data protection issues is already manifesting in an IT-savvy Nigerian society. We need to re-engineer our legislative processes to accommodate the challenges presented by data protection. In the absence of the appropriate law, it becomes safe to place reliance on the principles enshrined under the EU model for data protection, which still remains a role model for implementing data protection laws worldwide.
As for curbing the menace of criminal activities perpetrated through mobile phones, a system of identity management should be implemented and enforced in the mobile telephony sector (how this is achieved is entirely outside the scope of the author’s knowledge). This will ensure that anonymity in the mobile telephony sector is not exploited so as to commit criminal activities.
Why protect personal data? I am constrained again to reiterate that the right to privacy is inalienable; it can never be derogated from.
This directive from the NCC was born out of the need to have a credible database of SIM card holders in Nigeria that will be used to identify (for possible prosecution) criminal actors who perpetrate criminal activities through the use of mobile phones by exploiting the anonymity of an unregistered SIM card.
This paper considers two issues: identifying and addressing the data protection and privacy issues that arise during the implementation of the SIM card registration process, and the legal implications for the criminal model of crimes being perpetrated through the use of mobile phones. Discussing the technical framework for the implementation of this process is entirely outside the focus of this write-up.
Data Protection and the Concept of Privacy under Nigerian Law
The right to privacy is an inalienable human right that cannot be derogated from, neither can it be subsumed under any government law or policy. Though Nigeria presently has no legislative framework for data protection, the right to privacy can be traced to the Constitution of the Federal Republic of Nigeria (CFRN) 1999. In particular, S. 37 provides: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
The broad import of this particular provision is to guarantee the private affairs of the Nigerian person from interference and intrusion. This statement finds meaning in the definition of privacy as “The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of [personal] information” [emphasis mine].
When this constitutional right is juxtaposed with NCC’s directive to register SIM cards, one is wont to ask about the nature of the privacy and or data protection issues involved in the registration of these SIM cards.
A SIM card, as the name implies, is used to identify subscribers to mobile telecommunications services. It is a removable card that allows the user to transfer his subscribed services to another mobile device.
Labels: data protection, NCC, privacy, SIM card registration