NITDA Must Tackle International Companies Breaching NDPR
THE NEW NIGERI AN DATA Protection Regulation addresses both local and international companies. Yet, some international companies in Nigeria flout these laws.
Some of these international companies engage in the dangerous extraction of Nigerian customers’ data. They are numerous. However, for this article, I think it’s good to point out two companies that Nigerians (data subjects) have complained about.
The first is the Infinix phone—a Hong kong phone manufacturer with a large market in Nigeria. Their privacy policy is one of the most complex privacy policies I have ever read. They make a dangerous claim when they assert that they may store any information provided by data subjects and gather information from other sources. As if that’s not enough, their explanation about their processing and use of information is unclear.
To put it simply, Infinix does not consider the rights and freedoms of data subjects and they need to be called to order by NITDA— the Nigerian Data Protection Authority. If Infinix is not checked immediately, it would continue to produce products that negatively affect Nigerians.
The second company is Truecaller, a Swedish based firm that created a software which allows one to identify an individual solely through a telephone number. Truecaller has been known to breach data protection laws in other parts of the world. For example, in 2017, 2018, and 2019, they were called in England for their bad practice. It’s no surprise then that the Swedish company has spread its unscrupulous acts to Nigeria. Kudos to NITDA for calling them out with regards to breaching the Nigerian Data Protection Regulation. I hope the investigations yield positive results.
These are not the only international companies breaking the local laws in Nigeria, there are others too. And, what’s worse, local companies do too.
How many companies have been fined? How many companies have been exposed? How companies have been told to change their processes by NITDA? Existing data shows that companies see the regulation as mere words on paper.
So, what can NITDA do to ensure compliance?
First, NITDA must ensure that companies that violate the regulation are investigated immediately. Create a generous awareness about these companies and employ punitive measures against these companies. In some cases, extra measures can be taken. For example, NITDA can send their compliance teams into companies to audit their systems.
Second, there are 200 million people in Nigeria. Less than ten percent of the population know their right when it comes to data privacy. NITDA should be using all avenues to inform Nigerians about their data privacy rights. There should also be a complaint department in NITDA where people can report their grievances about companies that trample on their rights. data subjects.
Companies that manage data on a large scale should work with NITDA to ensure that they are managing data well and when in doubt they can ask for guidance on the best solution. Companies should ask NITDA for guidance about confusing clauses in the regulation. NITDA needs to reach out to these companies through various means: lectures, whitepapers, newspaper articles, and blogs that further explains how companies can demonstrate compliance.
NITDA must guide Data Protection Compliance Organisations (DPCOs) as they carry out their auditing jobs and ensure they are helping companies comply with complying with the regulation.
With these steps, NITDA can ensure that these international companies do not breach the new Nigerian Data Protection Regulation and also guard the freedom and individual rights of Nigerian citizens.
*Dr. Irene is Data Protection Consultant and writes in from London.