Nov 29, 2016

Duty of service providers to reveal customer information

The right of individuals to protect their data is very sacred and fundamental. Section 37 of the 1999 Nigerian Constitution provides that "the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected".
The Nigerian Communications Commission also provides that all licensees must take reasonable steps to protect customer information against "improper or accidental disclosure" and must ensure that such information is securely stored. It also provides that customer information must “not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations”.

This right is, however, constantly at loggerheads with government intrusion, as governments and security agencies are always looking for ways to collect, intercept and interpret user data for security and administrative reasons.

An international illustration was the legal battle between mobile phone giant Apple and the U.S. government, when Apple refused to help F.B.I. investigators gain access to an iPhone used by Syed Rizwan Farook in the December 2015 mass shooting in San Bernardino, Calif. Apple argued that such access could create a permanent way to bypass iPhone password protection for law enforcement officials or even the spy agencies of other countries.[i]

Sadly, if the above scenario were to play out in Nigeria, the outcome might not be as eventful as the Apple case, as service providers in Nigeria usually cooperate with directives from security agencies to give out customer user information and data. This is a result of the provisions of the Cybercrimes Act, 2015, which mandates service providers to do so.

Does this mean that user data is not protected? Certainly not. User information is protected in line with the fundamental right to privacy under the Nigerian Constitution. However, does this mean all user data is accessible by security agencies in Nigeria? The answer is yes.

By virtue of Section 38 of the Cybercrimes Act, 2015, service providers are mandated to keep all traffic data and subscriber information as may be prescribed by the relevant authority, for a period of 2 years. Furthermore, service providers shall, at the request of the relevant authority or any law enforcement agency, preserve, hold or retain any traffic data, subscriber information, non-content information, and content data, and release any such information upon request. It is worthy of note that the law prescribes that any person who contravenes the above-mentioned law shall be liable to 3 years imprisonment or a fine of up to N7,000,000 (Seven Million Naira) or both.

Section 39 also empowers security agencies, by virtue of a court order, to request that electronic communications of service users be intercepted, collected or recorded. The above makes it clear that security agencies most likely have unbridled access to customer information in Nigeria, and if Mr. Syed Rizwan Farook had been in Nigeria, the service providers would most likely have handed his information on a platter to the FBI.

As seen in Section 40 of the Cybercrimes Act, service providers have a duty to disclose information requested by any law enforcement agency or otherwise render assistance howsoever in any inquiry or proceeding under this Act. Such duties include - 

(a) the identification, apprehension and prosecution of offenders; 

(b) the identification, tracking and tracing of proceeds of any offence or any property, equipment or device used in the commission of any offence; or

(c) the freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence, hide or preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence. 

Any service provider who contravenes these provisions commits an offence and shall be liable on conviction to a fine of not more than N10,000,000.00. Also, each director, manager or officer of the service provider shall be liable on conviction to imprisonment for a term of not more than 3 years or a fine of not more than N7,000,000.00 or to both such fine and imprisonment. With such stringent statutory provisions, hardly any service provider in Nigeria will put up a fight as Apple did in the US.

In conclusion, the court held in FRN V. DANIEL (2011) LPELR-4152(CA) that:
"Undoubtedly, by virtue of the provision of section 37 of the 1999 constitution, the privacy of every Nigerian Citizen, the home, correspondence, telephonic and other telegraphic communications are cherishingly guaranteed and protected. However, notwithstanding the provision of section 37 (supra), section 45(1) of the 1999 constitution has provided in unequivocal terms that nothing in sections 37, 38, 39, 40 and 41 thereof shall invalidate what appears to be reasonably justifiable in a democratic society -
(a) in the interest of defence, public safety, public order, public morality or public health; or
(b) for the purpose of protecting the rights and freedom of other persons."

Adedunmade Onibokun, Esq.
Adedunmade is the Principal Partner of Adedunmade Onibokun & Co., a corporate commercial law firm located in Lagos, Nigeria.

[i] New York Times. (2016). Breaking Down Apple’s iPhone Fight With the U.S. Government. Available: Last accessed 29th November, 2016.