Editor's Note: This article was co-written by guest writers Tomiwa Ilori and Adeboye Adegoke. Ilori is a researcher, policy analyst for the Center for Human Rights at the University of Pretoria, South Africa; Adegoke is a digital rights advocate, policy analyst and program director at the Pan-African digital rights organization Paradigm Initiative.
Check out Global Voices' special coverage on the global impact of COVID-19.
On April 5, 2020, the Nigerian Governors Forum partnered with MTN Nigeria, a national provider of internet and telecommunications services, to provide various services to combat COVID-19. With the information of the subscribers, the objective is to carry out a tracking of cases, implement palliative measures and services and cover other needs related to COVID-19.
The forum is made up of 36 Nigerian state governors with a vision that “actively and effectively promotes inclusion, democratic values, good governance and sustainable development.”
This movement raised concerns about shared information, privacy and the protection of human rights. How can Nigerian citizens minimize risks and optimize outcomes while complying with applicable laws?
Adversity sheds light on innovation
COVID-19 was presented as a challenge to societies that were forced to find innovative solutions that were legally plausible to combat the spread of the coronavirus. Optimizing government access to citizens' information presents a series of challenges for governments, private companies and civil society groups.
As of December 2019, more than 184 million people, of the more than 200 million living in the country, used active mobile connections in their daily lives. As far as fighting COVID-19 is concerned, the potential scope is somewhat far from the point of view of preventive education and case tracking measures.
However, these measures depend on the Government's ability to access subscribers' central databases. The Mobile Phone Subscriber Registration regulations of 2011 provide a framework for the registration of subscriber information and establish a database for that purpose. This regulation is the legal framework for the mandatory registration of mobile phone subscribers, despite the insecurity, misuse and the many risks of misuse associated with mandatory registration.
The Nigerian Communications Commission (NCC), the regulatory agency for the telecommunications sector in Nigeria, is empowered to legislate in a complementary manner, including creating regulations to extend the goals.
Regulation 2 (b) establishes that “the Central Database must be housed within the Commission and must provide a platform for the central processing and storage of subscriber information.”
These databases contain personal information of subscribers, including “biometric data and other personal data of subscribers that licensees or Independent Registration Agents record and store.”
Information used especially to combat the spread of COVID-19 will be personal information that was not originally shared or stored for this purpose.
While regulations allow the use of this information through the NCC's Code of Consumer Practice (2007), this should involve fair and legitimate use and accuracy of information that respects the rights of other consumers.
Perhaps the most relevant of these regulatory details is how licensees, especially service providers, can ensure liability under regulation 35 (2). It states that subscribers should receive notifications about the information collected and the purposes for which it is used; they should be given options about collecting, using, and disclosing that information; and have access to that information and the security measures in force for their protection.
While the legal landscape of data protection in Nigeria is highly puzzled, considering the way in which key government agencies appear to duplicate data protection policies, both of the aforementioned regulations appear to be directly related to access to data from subscribers in the fight against the COVID-19 pandemic.
This duplication of policies is largely due to the lack of comprehensive and multi-stakeholder-based primary data protection legislation in Nigeria.
In April 2020, the Global System for Mobile Communications (GSMA) also highlighted the principles contained in the regulations mentioned above in its mobile privacy principles during the COVID-19 pandemic.
Establishing oversight for accountability
One of the most practical ways to implement these regulations is to establish a special multi-stakeholder committee. Despite the provisions of regulation 5 of the Mobile Phone Subscriber Registry regulations – the central database is owned by the Nigerian Government – Nigerian citizens place their trust in the Government, which in no way is exonerated from any complaint for misuse that may arise.
A committee that oversees accountability and law enforcement to the letter within a practical time frame could help citizens protect their privacy while fighting the coronavirus.
These are some of the points to consider:
Representation: The committee should be comprised of multi-stakeholder members within the information and communication technology sector, including government agencies, civil societies, the private sector, research and development stakeholders, legislators, etc. This creates the possibility of including responsibility within State policies on access to information for citizens and of combating COVID-19.
Compliance and implementation: The bulk of this committee's responsibilities would be to comply with current laws while implementing other laws on access to subscriber information. Subscriber consent is crucial. However, most Nigerians are not immediately available to give their consent under current circumstances. To mitigate the negative effects, it is important to designate more inclusive and accessible tools, such as USSD codes with options (yes / no) that can be used to secure the consent of subscribers. USSD, Supplemental Unstructured Data Service, is an interactive, menu-driven technology available on almost all cell phones. The codes allow users to access confirmation and consultation of services, only by dialing numbers.
Furthermore, to prepare for possible side effects caused by the inability to obtain subscriber consent, the committee should ensure that regular audits are published on the use of subscriber information in the most reputable digital newspapers.
Compensation: This committee could create various mechanisms to resort to compensation in the event that subscribers feel disadvantaged. There must be systems in place to deal with these claims related to data collection, its uses and disclosure.
Proactive disclosure: An important step towards accountability is transparency and, to this end, the committee must inform the public about its scope, its powers and its functions. In addition, you must disclose information about data use, security measures and available means of compensation. The committee may also determine the period of time allotted for the use of the information.
There is an urgent need to combat COVID-19 by all available legal means. However, it is not necessary that these means harm the protection of human rights, which includes the right to privacy.
Using the central database for measures related to COVID-19 requires the best plans to mitigate the risks of private data breaches.
The government's recent call for data protection legislation seems belated, but it is welcome in light of the current challenges presented by COVID-19. This is an opportunity for Nigeria's information and communication technology sector to use a multilateral approach to harmonize the various laws for a more unified front for the fight against COVID-19 and for future emergencies.
While the options suggested above do not preclude other legally plausible approaches, it demonstrates how the protection of human rights is not mutually exclusive in public emergencies.