Towards the ending of year 2009, the Nigerian Telecommunications Regulator, Nigerian Communications Commission (NCC) in exercising the powers granted it under the Nigerian Communications Act (NCA) 2003 issued a directive which was published in the Thisday Newspaper of December 31, 2009 to the effect that as from the 1st of March 2010 (according to the to the online news service “Daily Independent,” this date has been postponed to May 1st 2010 ) all new Subscriber Identity Module (SIM) cards must be registered before activation, this will be followed by the subsequent registration of the SIM cards of existing SIM card holders at a later date.
This directive coming from the NCC was borne out of the need to have a credible database of SIM card holders in Nigeria that will be used to identify (for possible prosecution) criminal actors who perpetrate criminal activities through the use of mobile phones by exploiting the anonymity of an unregistered SIM Card.
This paper essays two issues; to identify & address the data protection & privacy issues that arise during the implementation of the SIM card registration process and the legal implication(s) of NCC’s directive on the criminal model for perpetrating crimes through the use of mobile phones. Discussing the technical framework for the implementation of this process is entirely outside the focus of this write-up.
Data Protection and the Concept of Privacy under Nigerian Law
The right to privacy is an inalienable human right that cannot be derogated from, neither can it be subsumed under any government law or policy. Though Nigeria presently has no legislative framework for Data Protection, the right to privacy can be traced to the Constitution of the Federal Republic of Nigeria (CFRN) 1999, in particular S. 37 provides “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
The broad import of this particular statutory provision is to guarantee from interference and intrusion, the private affairs of the Nigerian person. This statement finds meaning in the definition of privacy as “The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of [personal] information [emphasis mine].
When this constitutional right is juxtaposed with NCC’s directive to register SIM cards, one is wont to ask the nature of privacy and or data protection issues involved in the registration of these SIM cards.
SIM cards as the name implies is used to identify subscribers to mobile telecommunications services. It is a removable card that allows the user to transfer its subscribed services to another mobile device.
As there is a dearth of data protection laws in Nigeria, I intend to propose as a reference model the principles contained in the EU wide Data Protection Directive 95/46 EC, as a guide for the implementation of this SIM card registration process. Amongst other things, this directive has been internationally touted as setting the benchmark by which data protection laws are evaluated, the standards set are widely regarded as “high” and places an emphasis on human rights while its principles have been flexible in their approach.
Pursuant to this Directive, data or personal data means any information relating to an identifiable natural person (data subject), the directive also goes further in defining an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to an identification number… Therefore for data to be “personal”, two conditions must be met, first the data must relate or concern another natural person, secondly, the data must be used in the identification of the natural person. Where the data does not refer to a natural person, it falls outside the scope of the EU Directive. Since SIM cards contain both the unique serial and international numbers of the subscriber, a registered SIM card would therefore meet the requirement of “personal data” as contemplated under the Directive since another individual can be able to connect the personal data to the owner of the SIM card.
The registration process would require the presentation of any of the following identification documents; e-passports, company ID cards with tax/pension number, student ID cards from recognized institutions, Drivers’ License from the Federal Road Safety Commission and will also include the capture of the subscribers photograph and biometrics (which undoubtedly is also personal data). The collection of all these information would be deemed to be data processing (pursuant to the EU Directive), data processing occurs when an operation or a set of operations is carried out upon personal data, whether or not by automatic means. These operations will include the collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure and destruction of personal data.
Since it is evident that due to the nature of the personal information stored in the SIM card database, accessing this database would therefore be implicating the privacy rights of SIM card holders, the question then becomes, under what circumstances will these personal data or information of Mobile telephony subscribers be collected, accessed or used legitimately? This is important in order not to run afoul of the SIM card holder’s constitutional right to privacy by illegitimately accessing the information stored in the SIM card database as information specifically provided for one purpose might be used entirely in a different context.
The EU Directive has a set of principles that must be adhered to when accessing the personal data of the private individual, it sets out the right of the private individual in regards to his personal data and establishes the general principles guiding the processing of personal data.
These principles will be summarized below and related to the proposed SIM card registration in Nigeria:-
1. Data may only be processed where the private individual (data subject) has given consent: For SIM card holders, this consent must be specific and informed, it cannot be inferred from any circumstances nor can this consent be given on the basis of misrepresented facts.
2. Data may be processed when the processing is necessary for the entering into a contract with the private individual: This is fulfilled when the contract between potential SIM card holders and mobile telephony service providers contain clauses to the effect that their SIM cards would be registered, for the existing SIM card holders, it would be necessary to obtain their consent.
3. Data may be processed in order to comply with a legal obligation imposed on the entity in charge of processing the data: That is, the entity in charge of registering SIM cards in Nigeria must legitimately access this information only in so far as it complies with the legal obligation imposed on it.
4. Data may be processed when the processing is necessary to protect the vital interest of the private individuals: A broad meaning should be given to this paragraph in so far as the processing of the personal data would be necessary to protect the interest of SIM card holders.
5. Data may be processed when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data are disclosed. To rely on this paragraph, the relevant question then becomes, would accessing the SIM card database be justified on the basis of public interest which would override the privacy rights of SIM card holders.
6. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. SIM card holders must be allowed access to this database at any time and to make the necessary correction of their personal data as contained in this database.
7. Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes: This is the main thrust of any good data protection policy. What is the main purpose of registering SIM cards in Nigeria? Legitimate processing requires that uses of the personal data must be known and publicly stated at the time of registration. A 2006 decision of a German court comes to mind here, where the demand by a public prosecutor investigating a criminal case to access personal data stored on a SIM card of an on-board unit in a truck was denied by the court. The court was of the opinion that the German Federal Toll Collect Act, on which the collecting of SIM card data is based, restricts the use of toll data to only the control of toll payments. In this regard, access to the SIM card database in Nigeria must be restricted to only the purpose(s) specified by the NCC i.e. cases of criminal activities perpetrated through the use of mobile telephones, to override such a purpose would require legal justification and authorization.
NCC’s directive to register SIM cards will trigger some practical implications for criminals intending to sustain their desire for committing crimes through the use of mobile telephony services. Some criminals in order to sustain this desire and circumvent their identification will have to migrate to other criminal models that will continue to guarantee anonymity to them. These models will be considered under three heads in the following:
1. SIM card cloning: Occurs where the information contained in one SIM card is replicated for the purpose of making fraudulent calls, the billing for which would be incurred by the owner of the cloned SIM card rather than the perpetrator. To achieve cloning, the Electronic Serial Number (ESN) and Mobile Identification Number (MIN) has to be successfully retrieved from the target phone for transfer to the cloned phone. When this happens, calls can be made from the cloned phone as if it were originating from the original phone. It is possible for criminal entities to exploit SIM card cloning technologies so as to beat the identification process inherent in SIM card registration.
2. Roaming services: Roaming has been defined as the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services, including home data services, when travelling outside the geographical coverage area of their home network, by means of using a visited network. Now consider this scenario, a criminal obtains an unregistered SIM card outside Nigeria from a service provider that offers roaming services within a Nigerian service provider’s network. It is obvious here that this criminal has successfully circumvented the NCC registration process by virtue of this roaming service and can still be able to perpetrate his criminal intentions through this service within Nigeria.
3. Internet/Satellite Telephony: With Voice over internet protocol (VoIP) services like Skype and the scramble for broadband services in Nigeria, Internet telephony seems to have found a niche for itself in the Nigerian society, on the part of Satellite telephony, this particular service connects to satellites in orbit rather than terrestrial cell towers. All these services can be used to circumvent NCC’s registration process and perpetrate criminal activities.
It is obvious from these criminal models that the SIM card registration process may not necessarily provide the cure for its intended purpose, the author believes that NCC would surely need to look beyond the registration process in order to curb this menace, it is suggested that a system of identity management be implemented in mobile telephone networks so as to identify at all times active users within the network. This will help to address issues of anonymity posed in the mobile telephony sector and complement the purpose of registering SIM cards.
Even though NCC’s directive is yet to be implemented until May 1st 2010, it still presents some level of data protection issues that must be addressed. As national governments are becoming more aware of the importance of a good data protection framework, Nigeria must consciously strive to ensure that the personal data (in whatever form) of the Nigerian person is safeguarded. No doubt, it goes without saying that the common Nigerian person values his privacy and should not be exposed to situations where his personal data is arbitrarily processed or accessed, the glaring realities of the lack of the appropriate legislative solutions put in place to address data protection issues is already been manifested in an IT savvy Nigerian society. Nigeria needs to re-engineer its legislative processes to accommodate the challenges presented by data protection, in the absence of the appropriate law, it would be safe to place reliance on the principles enshrined under the EU model for data protection which still remains a role model for implementing data protection laws worldwide.
As per curbing the menace of criminal activities perpetrated through mobile phones, a system of identity management should be implemented and enforced in the mobile telephony sector, this will ensure that anonymity in the mobile telephony sector is not exploited so as to commit criminal activities.
Why protect personal data? I am constrained again to reiterate that the right to privacy is inalienable, it can never be derogated from.
Chukwuyere Ebere Izuogu, LL.M (Hannover) [email protected]