Nov 29, 2016

Duty of service providers to reveal customer information

The right of individuals to protect their data is very sacred and fundamental. Section 37 of the 1999 Nigerian Constitution provides that; "the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected".
The Nigerian Communications Commission also provides that all licensees must take reasonable steps to protect customer information against "improper or accidental disclosure" and must ensure that such information is securely stored. It also provides that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.

 This right is however constantly at logger heads with government intrusion, as governments and security agencies are always looking for ways to collect, intercept and interpret user data for security and administrative reasons. 

An international illustration was the legal battle between mobile phone giant, Apple and the U.S government, when Apple refused to help F.B.I investigators gain access to an iPhone used by Syed Rizwan Farook in the December, 2015, mass shooting in San Bernardino, Calif. Apple argued, that such access could create a permanent way to bypass iPhone password protection for law enforcement officials or even the spy agencies of other countries[i]

Sadly, if the above scenario were to play out in Nigeria, the outcome may not have been as eventful as the Apple case, as service providers in Nigeria usually cooperate with directives from security agencies to give out customer user information and data. This is as a result of the provisions of the Cybercrimes Act, 2015 which mandates the service providers to do so. 

Does this mean all user data are not protected? Certainly not. User information is protected in-line with the fundamental right to privacy under the Nigerian Constitution. However, does this mean all user data is accessible by security agencies in Nigeria? The answer is yes. 

By virtue of Section 38 of the Cybercrimes Act, 2015, service providers are mandated to keep all traffic data and subscriber information as may be prescribed by relevant authority, for a period of 2 years. Furthermore, service providers shall, at the request of the relevant authority or any law enforcement agency preserve, hold or retain any traffic data, subscriber information, non­-content information, and content data; and release any such information upon request.  It is worthy of note that the law prescribes that any person who contravenes the above mentioned law shall be liable to 3 years imprisonment or  fine of up to N7,000,000 (Seven Million Naira) or both. 

Section 39, also empowers security agencies by virtue of a court order, to request that electronic communications of service users be intercepted, collected or recorded. The above makes it clear that security agencies most likely have unbridled access to customer information in Nigeria and if Mr. Syed Rizwan Farook had been in Nigeria, the service providers will most likely have handed his information on a platter to the FBI. 

As seen in Section 40 of the Cybercrimes Act, service providers have a duty to disclose information requested by any law enforcement agency or otherwise render assistance howsoever in any inquiry or proceeding under this Act. Such duties include - 

(a) the identification, apprehension and prosecution of offenders; 

(b) the identification, tracking and tracing of proceeds of any offence or any property, equipment or device used in the commission of any offence; or

(c) the freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence, hide or preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence. 

Any service provider who contravenes these provisions commits an offence and shall be liable on conviction to a fine of not more than N10,000,000.00. Also, each director, manager or officer of the service provider shall be liable on conviction to imprisonment for a term of not more than 3 years or a fine of not more than N7,000,000.00 or to both such fine and imprisonment. With such stringent statutory provisions of the law, hardly will any service provider put up a fight in Nigeria as Apple did in the US. 

In Conclusion, the court held in FRN V. DANIEL, (2011) LPELR-4152(CA); that –
"Undoubtedly, by virtue of the provision of section 37 of the 1999 constitution, the privacy of every Nigerian Citizen, the home, correspondence, telephonic and other telegraphic communications are cherishingly guaranteed and protected. However, notwithstanding the provision of section 37 (supra), section 45(1) of the 1999 constitution has provided in unequivocal terms that nothing in sections 37, 38, 39, 40 and 41 thereof shall invalidate what appears to be reasonably justifiable in a democratic society -
(a) in the interest of defence, public safety, public order, public morality or public health; or
(b) for the purpose of protecting the rights and freedom of other persons.”

Adedunmade Onibokun, Esq.
Adedunmade is the Principal Partner of Adedunmade Onibokun & Co., a corporate commercial law firm located in Lagos, Nigeria. He can be reached via and

[i] [i] New York Times. (2016). Breaking Down Apple’s iPhone Fight With the U.S. Government. Available: Last accessed 29th November, 2016.


  1. The FBI-Apple encryption dispute in the United States was strictly speaking NOT about Apple providing the FBI with “customer user information and data”. Instead it was about Apple assisting the FBI to unlock an iPhone which was password protected. If it were about providing “customer user information and data” the FBI would have come under the Communications Assistance for Law Enforcement Act ( and/or the Stored Communications Act ( and not the All Writs Act ( as it did in the Apple case under reference.

    The FBI's specific demands, as outlined in court documents ( were that the FBI wanted Apple to alter what is known as a SIF - System Information File. In this context, the FBI was basically referring to the software that ran on the iPhone in question. The FBI wanted Apple to create a new SIF to place on Farook's iPhone that will allow it to carry out several functions normal iPhones do not allow.
    The FBI wanted to be able to:
    1. Prevent the phone from erasing itself. If certain security settings are enabled, after 10 failed attempts at entering a passcode, an iPhone can erase the personal data on the device. The FBI didn't want this to happen on Farook's phone.
    2. Automate the process for trying out passcode combinations. Farook used a four-digit passcode, for which there are 10,000 possible combinations. The FBI didn't want to have to guess them all manually, and so it wanted Apple to allow the passcode to be tried electronically. This meant the FBI could simply instruct a computer to try every passcode, something that would take just minutes, possibly seconds...
    3. …and without unnecessary delay. The iPhone prevents you from entering a passcode for longer and longer periods of time each time you get it wrong. The FBI wanted this barrier removed.

    The question that follows therefore, is whether under Nigerian law a law enforcement agent can compel a service provider (by section 58 of the Cybercrimes Act, service provider means “(i)any public or private entity that provides to users of its services the ability to Communicate by means of a computer system, electronic communication devices, mobile networks; and (ii) any other entity that processes or stores computer data on behalf of such Communication service or users of such service) or phone manufacturer e.g. Infinix, to assist in it unlocking the phone of a suspect e.g. “yahoo yahoo boy”? The answer appears to be in the affirmative with regards to offences under the Cybercrimes Act as it is provided under section 40 of the Act that it shall be the duty of every service provider in Nigeria to comply with all the provisions of this Act and disclose information requested by any law enforcement agency or OTHERWISE RENDER ASSISTANCE HOWSOEVER in any inquiry or proceeding under the Act.

    What if the alleged offence which the law enforcement agency is investigating or the inquiry or proceeding is not under Cybercrimes Act, is there a law in Nigeria which could be used to compel service providers or phone or electronic device manufacturers to compel them to assist the law enforcement agency in unlocking a password protected device?

  2. You described all the details very interestingly.