Telecoms sector mulls data regulation as defaulters risk N10m fine
The Nigerian Communications Commission (NCC) has mulled introducing data regulation for the telecommunications sector. Though the regulation is currently at a draft stage, NCC said it would provide a regulatory framework for the protection and privacy of data in the Nigerian Communications Sector.
In the 25-page document, titled, ‘Data Protection (Communications Services) Regulations, 2023’, the Commission said it was coming up with the regulation based on the powers conferred upon it by section 70 of the Nigerian Communications Act, 2003 and all other powers enabling it in that behalf.
According to the NCC, any licensee that fails to comply with the provisions of the regulations shall be liable to an administrative fine of N10,000,000.00 and where such an infraction is allowed to continue, such licensee shall be liable to a daily default penalty of N1,000,000.00 until the infraction is either remedied or discontinued.
In the regulation, which is divided into 10 parts, the Commission said according to the provisions of the Enforcement Processes, Regulations, it shall exercise its powers to enforce any sanction imposed in the regulations.
The 10 parts include the objective, scope and application of these regulations; Processing of Communication Data; Safety of Communications Data; Consent; Calling and Called Line Identification; Use of Communications Services for Direct Marketing Purposes; Transfer of Communications Data; Sanctions, Enforcement and Compensation and Miscellaneous Provisions.
Meanwhile, NCC disclosed that the provisions of these Regulations shall apply to licensees; subscribers; users; other third parties directly or indirectly engaged with any of the above in respect of processing of communications data.
In processing communications data, the telecoms regulator said the basis for processing such data must be provided for under the Regulation, the Act, subsidiary legislations issued by it, or other relevant laws enacted by the National Assembly about communications services.
It added that the purpose for collecting such data must be specified, explicit and legitimate, provided that any further processing of such data must not be incompatible with the initial purpose, apart from the provision of Regulation 36(2), which shall be considered compatible with the initial purposes stipulated under the regulation.
NCC noted that without prejudice to the provisions of the Registration of Communications Subscribers Regulations, the processing of Biometrics Information to uniquely identify data subjects is prohibited, unless (a) the processing is necessary and proportionate for security or authorisation purposes to serve a compelling public interest; and (b) the Data Subject has given consent, having been provided with a real choice and an alternative. (2) Notwithstanding sub-regulation (1), the transfer of Biometrics Information of data subjects outside the territorial jurisdiction of Nigeria is prohibited.
The document revealed that NCC wants every licensee to put in place technical and administrative measures to ensure the safety of its services and communications data.
According to the draft, a licensee is required to immediately notify its data subjects where their personal information has been leaked, to prevent secondary damage, or where there is an occurrence of risk that threatens their network infrastructure or services.
Part of the draft, which focused on calling and called line identification, Section 18, explained that a licensee shall ensure, where available, that a subscriber originating a call has, subject to Regulations 20 and 21, a simple and free means to withhold his MSISDN from being visible to the called line.
MSISDN or Line means Mobile Station International Subscriber Directory Number or a subscriber’s phone number. It is a number uniquely identifying a subscription in a Global System for Mobile Communications or a Universal Mobile Telecommunications System mobile network.
According to Section 19(1), a licensee shall ensure, where available, that a calling subscriber has a simple and free means of preventing the visibility of the MSISDN of the calling subscriber on his line. (2) Where available, a licensee shall ensure that a called subscriber has a simple and free means to reject calls from a calling line before the establishment of such calls.
In Section 20 (1), the regulation said a subscriber originating a call to any national emergency numbers shall not be at liberty to withhold his MSISDN as referred to in Regulation 18.
Sub-section 2 said that, for calls from national emergency numbers, no person shall be entitled to prevent the visibility of the identity of the calling line on their line as referred to in Regulation 19(1).
In the draft, Section 21(1) said a subscriber shall be entitled to request the tracing of malicious or nuisance calls received on his line, where the identity of the calling line is hidden. Under sub-section (2), upon receipt of the application, the licensee may override any action done to prevent the visibility of the identity of the calling line to the called line, so far as it appears necessary and expedient that the licensee takes such a step. Sub-section (3) noted that, with regard to sub-regulations (1) and (2), nothing in these regulations shall preclude the licensee from holding and making available to any authorised agencies that make a written request duly signed by an authorised person, data containing the identification of a calling subscriber, which were obtained therein, for the prevention, detection and investigation of a crime.
Section 22 said a licensee shall comply with any reasonable requests made by another licensee for Regulations 18, 19 and 21.
In terms of Retention of Communications Data, Section 36(1) said no communications data shall be retained by a licensee longer than necessary, having due consideration to the provisions of the Cybercrimes Act as it relates to the retention of traffic data and subscriber information. Sub-section (2) said that, notwithstanding sub-regulation (1), a licensee may keep communications data beyond the stipulated retention period only for archiving, research or statistical purposes, provided approval is obtained in writing from the Commission.