Nigeria: Cell phone data and the protection of personal information provided to cell phone companies; ability of non-state actors to access cell phone data, including through the police (2019–March 2021) [NGA200499.E]

Research Directorate, Immigration and Refugee Board of Canada

1. Overview of Telecommunications in Nigeria

According to the World Bank, Nigeria's population was 200,963,599 in 2019 (World Bank [2019]). The Bertelsmann Stiftung's Transformation Index (BTI) 2020, which "assesses the transformation toward democracy and market economy as well as the quality of governance in 137 countries," indicates that at the end of 2018, "active mobile phone subscriptions exceeded 150 million" (Bertelsmann Stiftung 2020, 2, 15). A 2018 report on Nigeria's digital economy by the Global System for Mobile Communications GSM Association (GSMA), an organization that "represents the interests of mobile operators worldwide" (GSMA n.d.), indicates that as of September 2018 there were 97.5 million unique mobile subscribers, 53 million smartphone connections, and 151 million total mobile connections, with mobile penetration at 49 percent (GSMA 27 Nov. 2018, 2). According to subscriber data from the Nigerian Communications Commission (NCC) [1], as of July 2020 there were 198,961,361 active mobile lines and 285,259,320 connected mobile lines (Nigeria [2020]).

2. Protection of Cell Phone Data

A July 2020 report on digital rights in Nigeria by Paradigm Initiative (PIN), an Africa-based "social enterprise that builds an [information and communications technology]-enabled support system and advocates [for] digital rights in order to improve livelihoods for under-served youth" (PIN n.d.), notes that "[t]here is as yet no act that explicitly addresses the subject of digital rights and privacy" (PIN July 2020, 12). In an interview with the Research Directorate, a lawyer at a Nigerian law firm, who specializes in data protection, similarly noted that there is "no direct law" that protects data and that pieces of different laws combine to give protection (Lawyer 5 Mar. 2021). In correspondence with the Research Directorate, a PhD candidate at the Leibniz University Hanover in Germany, who researches data security and data privacy and has written on data protection in Nigeria, noted that as of March 2021 "there is no overarching federal-level or state-level legislation" for the implementation of the right to privacy (PhD Candidate 5 Mar. 2021).

Article 37 of Nigeria's constitution provides the following regarding data privacy rights in Nigeria: "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected" (Nigeria 1999).

Nigeria's Child's Right Act, 2003 [2] provides the following regarding the privacy rights of children: "Every child is entitled to his privacy, family life, home, correspondence, telephone conversation and telegraphic communications…" (Nigeria 2003a, Art. 8(1)).

The Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011 provides the following on data privacy and the protection of subscribers:

9.—

  1. In furtherance of the rights guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria, 1999 and subject to any guidelines issued by the Commission including terms and conditions that may from time to time be issued either by the Commission or a licensee, any subscriber whose personal information is stored in the Central Database or a licensee's database, shall be entitled to view the said information and to request updates and amendments thereto.
  2. The subscriber information contained in the Central Database shall be held on a strictly confidential basis and no person or entity shall be allowed access to any subscriber information on the Central Database except as provided in these Regulations.
  3. Licensees, Independent Registration Agents and Subscriber Registration Solution Providers shall not under any circumstances retain, duplicate, deal in or make copies of any Subscriber Information or store in whatever form any copies of the subscriber information for any purpose other than as stipulated in these Regulations or in an Act of the National Assembly.
  4. Licensees, Independent Registration Agents, Subscriber Registration Solution Providers and the Commission shall each take all reasonable precautions in accordance with international practises to preserve the integrity and prevent any corruption, loss or unauthorised disclosure of subscriber information obtained pursuant to these Regulations and shall take steps to restrict unauthorized use of the Subscriber Information by their employees who may be involved in the capturing or processing of such subscriber information.
  5. Licensees shall utilise personal information retained pursuant to these Regulations, solely for their operations and in accordance with the provisions of Part VI of the General Consumer Code of Practice for Telecommunications Services and any other instruments of the Commission or any act of the National Assembly regulating the specific purposes for which the personal information may be used.
  6. Licensees, Independent Registration Agents and Subscriber Registration Solution Providers shall not retain the Biometrics of any subscriber after transmission thereof to the Central Database.

10.—

  1. Release of Personal Information to Security Agents shall be in accordance with the provisions of the Act, these Regulations and any guidelines or instrument issued from time to time by the Commission and in a format to be determined by the Commission.
  2. Subscriber information shall not be released to a licensee, Security Agency or any other person, where such release of Subscriber Information would constitute a breach of the Constitution or any other Act of the National Assembly, for the time being in force in Nigeria or where such release of subscriber information would constitute a threat to national security.
  3. Licensees shall not release personal information of a subscriber to any third party without obtaining the prior written consent of the subscriber.
  4. No subscriber information shall be transferred outside the Federal Republic of Nigeria without the prior written consent of the Commission.
  5. For the purpose of sub-regulation (3) of this regulation, the term "third party" shall exclude Security Agencies as defined in these Regulations. (Nigeria 2011, bold in original)

According to sources, Nigeria's National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) [3] in 2019 (PwC Nigeria Dec. 2020, 2; S.P.A. Ajibade & Co. 12 Feb. 2020; PhD Candidate 5 Mar. 2021). A February 2020 article on data privacy under Nigerian law by Francis Ololuo, an associate intern in the intellectual property and technology law department at the Nigerian law firm S.P.A. Ajibade & Co., notes that the NDPR is a "major law specifically aimed at addressing data privacy and protection in Nigeria" (S.P.A. Ajibade & Co. 12 Feb. 2020). The lawyer noted that the NDPR "is the most direct regulation in Nigeria that talks about data protection " (Lawyer 5 Mar. 2021). However, the same source stated that "the problem with this regulation is that it is not exactly a law. It sets parameters [for] how data administrations are to manage certain information" (Lawyer 5 Mar. 2021). A December 2020 report by PricewaterhouseCoopers (PwC) Nigeria on the NDPR notes that "there are conflicting positions as to the efficacy and enforceability of the NDPR considering that it is not an Act of the National Assembly and the NDPR is limited in form and scope to adequately protect the personal data of Nigerians" (PwC Nigeria Dec. 2020, 2).

According to sources, in March 2019 President Buhari refused to sign the Digital Rights and Freedom Bill (Pulse.ng 21 Mar. 2019; Premium Times 20 Mar. 2019; Techpoint.africa 27 Mar. 2019). A March 2019 article by Pulse.ng, a Nigerian online news platform (Pulse.ng n.d.), indicates that the Digital Rights and Freedom Bill, which was passed by Nigeria's National Assembly on 5 February 2019, seeks to protect the rights and freedoms of users of digital platforms, digital media, and the internet in Nigeria (Pulse.ng 21 Mar. 2021).

The PWC Nigeria report indicates that there is a draft Data Protection Bill, 2020 [4] before the National Assembly that would replace the NDPR if passed (PwC Nigeria Dec. 2020, 2). The same source notes that the "objective of the Bill is to create a regulatory framework for the protection and processing of personal data and to safeguard the rights and freedoms of data subjects which are guaranteed under the Nigerian Constitution" (PwC Nigeria Dec. 2020, 3).

According to the NCC's website, consumers can complain to the NCC about "exploitation and invasion of privacy" (Nigeria 8 Nov. 2020). The same source indicates that consumers of telecom services "who are dissatisfied with services rendered to them by any of the [s]ervice [p]roviders have a right to seek redress of the situation" by first reporting the issue to their service provider, and then, if they are not satisfied with the provider's response, reporting it to the NCC (Nigeria 8 Nov. 2020). The NCC's website notes that telecom service consumers can report a complaint by completing a complaint form on the NCC's website, by writing a letter to the NCC, or by calling the NCC's contact centre (Nigeria 8 Nov. 2020).

The lawyer stated that "data protection is still fragile, and implementation nationally is not complete. Generally, there is some level of data privacy nationally. It is not fully enforced" (Lawyer 5 Mar. 2021). A January 2020 BiometricUpdate.com article written by Yemi Adeniran, a managing partner at Digiterhub [5], notes that there are "[e]nforcement [g]aps" within Nigeria's data protection regulations (Adeniran 20 Jan. 2021). The same source indicates that a number of factors contribute to gaps in NDPR enforcement, including the following:

  • breach reporting obligations not being taken seriously by organizations under the NDPR;
  • "loosely defined" service level agreements between data controllers and processors;
  • organizations "failing to implement regulatory data privacy controls";
  • "[l]ack of clarity" on the definition of a data breach or data loss;
  • "[i]nadequate" awareness and training on data privacy and protection principles;
  • "weak or no[n-]existent" incident response planning (detection and reporting) by organizations; and
  • absence of a template or protocol to report data leaks or data loss (Adeniran 20 Jan. 2021).

Adeniran observes that the NDPR and the draft Data Protection Act, 2020 empower the regulator to monitor compliance and impose fines; however, "there is a need to provide clarity in terms of additional guidelines on how enforcement would be conducted and the range of fines and penalties by category" (Adeniran 20 Jan. 2021).

3. Government Access to Cell Phone Data

The Lawful Interception of Communications Regulations, 2019 provides the following on the lawful interception of communications by law enforcement agencies:

12.—

  1. Pursuant to the provisions of section 148 (1) (c) of the Act, an application for a warrant under these Regulations shall be made to the Judge by any of the following Agencies—
    1. the Office of the National Security Adviser represented by the National Security Adviser or his designee, who shall not be below the equivalent of an Assistant Commissioner of Police; and the
    2. the State Security Services represented by the Director or his designee, who shall not be below the equivalent of an Assistant Commissioner of Police.
  2. Where a Warrant is required pursuant to any international mutual assistance agreement of which Nigeria is a party, the application or a warrant shall be made through the Attorney-General of the Federation, provided that the applicant shows evidence of authority from the relevant country or jurisdiction.
  3. An application for a warrant shall—
    1. be in writing ;
    2. contain full particulars of all the facts and circumstances alleged by the Authorised Agency in support of the application for the issuance of a Warrant ;
    3. come under any of the grounds mentioned in regulation 7(3) of these Regulations that is relevant for the issuance of a warrant ;
    4. state any other relevant details as may be necessary for the consideration of the issuance of the warrant ; and
    5. be supported by an affidavit on oath stating that interception of such communication is the only means of obtaining the relevant information for which the Warrant is required.
  4. Notwithstanding the provisions of these Regulations, an Authorised Agency may initiate interception of Communications without a warrant in the event of—
    1. immediate danger of death or serious injury to any person ;
    2. activities that threaten the national security ; or
    3. activities having characteristics of organised crime ;

provided that the Authorised Agency shall apply for a Warrant to the Judge within 48 hours after the interception has occurred or began to occur before issuance of a Warrant for such interception and where the application is not made, or denied within 48 hours, the interception shall terminate immediately and further interception shall be treated as unlawful. (Nigeria 2019a, bold and italics in original)

The Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011 provides the following on the creation of a Central Database of cell phone subscribers:

4.—

  1. The Commission shall establish and maintain a database of all registered subscribers' information to be known as "the Central Database".
  2. The Central Database shall be domiciled within the Commission and shall provide a platform for the central processing and storage of subscribers information.
  3. The Central Database shall be segregated across Network Services in such a manner as to ensure easy access to data by authorised persons in respect of subscribers' information of the different licenses.

5.—

  1. The Central Database shall be the property of the Government of the Federal Republic of Nigeria.
  2. The management, care and control of the Central Database shall be vested in the Commission subject to the provision of these Regulations.

6.—

  1. Licensees and independent registration agents shall, on a monthly basis or at such regular intervals as the Commission may from time to time specify, transmit all subscriber Information captured and registered within the preceding month or such other period as may be stipulated by the Commission, to the Central Database. (Nigeria 2011, bold in original)

The PIN report indicates that cell phone users are required to register their biometric information with cell phone providers and that Subscriber Identity Module (SIM) cards and phone numbers are linked to an individual's fingerprints and identity documents (PIN July 2020, 6). For additional information on the requirements and procedures to obtain a SIM card, see Response to Information Request NGA106245 of February 2019.

A March 2018 report by Front Line Defenders [6] for the UN's Universal Periodic Review (UPR) of human rights in Nigeria states that "[t]he Government has conducted mass surveillance of citizens' telecommunications, which has included intercepting private communications" (Front Line Defenders 29 Mar. 2018, 5). A December 2020 report by the Citizen Lab [7] indicates that Nigeria's government is "likely" a customer of Circles, "a surveillance firm that reportedly exploits weaknesses in the global mobile phone system to snoop on calls, texts, and the location of phones around the globe" (The Citizen Lab 1 Dec. 2020). The same source notes that the Citizen Lab's scanning "identified two Circles systems in Nigeria" (The Citizen Lab 1 Dec. 2020).

4. Ability of the Police to Access Cell Phone Data

Article 146(2) of the Nigerian Communications Act, 2003 provides the following regarding the mandate for network service providers to assist the authorities in preventing crime and protecting national security:

A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law in operation in Nigeria or otherwise in enforcing the laws of Nigeria, including the protection of the public revenue and preservation of national security. (Nigeria 2003b)

The Nigerian Communications (Enforcement Process, etc.) Regulations, 2019 was issued by the NCC and, together with the Nigerian Communications Act, 2003, governs the NCC's "[m]onitoring and enforcement processes and procedures" (Nigeria 2019b, Part I). The Nigerian Communications (Enforcement Process, etc.) Regulations, 2019 provides the following on call records data:

8.—

  1. Every licensee shall keep records of Call Data in accordance with the Cybercrime[s] (Prohibition, Prevention[,] etc) Act 2015 and the Consumer Code of Practice Regulations.
  2. Every licensee shall—
    1. make available basic information that may be required by any relevant authority pursuant to section 146 of the Act upon presentation to the licensee a written request from such Relevant Authority and without any further assurance, duly signed by a police officer not below the rank of Assistant Commissioner of Police or its equivalent in any of the Relevant Authorities;
    2. subject to sub-regulation (1) of this regulation, provide such non-basic information as may be required by any relevant authority, pursuant to section 146 of the Act, upon the presentation to the licensee by the relevant authority of the court order by a Judge or Magistrate in the form or manner specified in Form C1 of the First Schedule to these Regulations ; and
    3. The provisions of sub-regulations (1) and (2) of this regulation, shall not apply to the Commission with respect to the exercise of its powers under or pursuant to section 146 of the Act. (Nigeria 2019b, bold in original)

The Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011 provides the following on access to the subscriber information Central Database by security agencies:

8.—

  1. Notwithstanding the provisions of these Regulations restricting access to Subscriber Information on the Central Database and subject to the provisions of any Act of the National Assembly, subscriber information on the Central Database shall be provided only to Security Agencies; provided that a prior written request is received by the Commission from an official of the requesting Security Agency who is not below the rank of an Assistant Commissioner of Police or a co-ordinate rank in any other Security Agency.
  2. The written notice by the Security Agency pursuant to sub-regulation (1) of this regulation shall indicate the rank of the official of the requesting Security Agency and the purpose for which the information is required. (Nigeria 2011, bold in original)

The lawyer noted that police can access personal information that has been provided to cell phone companies with a court order, "but in practice they can access it without one" (Lawyer 5 Mar. 2021). A February 2020 article by the Committee to Protect Journalists (CPJ), "an independent, nonprofit organization that promotes press freedom worldwide" (CPJ n.d.), reports that, since 2017, there have been "at least three cases" where police across Nigeria "used phone records to lure and then arrest journalists" (CPJ 13 Feb. 2020). According to two journalists interviewed by CPJ, the police "claimed" to have obtained call records from their cell phone network providers (CPJ 13 Feb. 2020).

5. Ability of Non-State Actors to Access Cell Phone Data

Information on the ability of non-state actors to access cell phone data was scarce among the sources consulted by the Research Directorate within the time constraints of this Response.

The lawyer indicated that "most data administrators in Nigeria self-regulate" and that "most" apply the EU's General Data Protection Regulation (GDPR) [8] and the NDPR (Lawyer 5 Mar. 2021). The same source noted that "it is not commonplace for non-state actors to access personal information, but it is possible" (Lawyer 5 Mar. 2021). However, the lawyer stated that "the legal framework and self-regulation protect against this" (Lawyer 5 Mar. 2021).

The PIN report indicates that stolen private data is available on the dark web, which exists on "overlay networks that use the internet but require specific software, configurations, or authorisation to access" (PIN July 2020, 7). A 2020 INTERPOL report on African online organized crime cites data collected on the dark web between 2016 and 2020 by a web crawler as stating that "high volumes of personal information of Nigerian and South African origins were found to be leaked on the dark web" and that the targets of these leaks included companies that provide mobile telecommunication services (INTERPOL July 2020, 50).

The PIN report notes that commercial use of private data is "widespread and the data is easy to obtain," adding that "[a] simple search on Nigeria's popular discussion platform Nairaland delivers offers of lists of valid and active private phone numbers that are available for rent or purchase" (PIN July 2020, 7). The PhD candidate indicated that "non-state actors process personal information provided to the cell phone companies (at least for commercial purposes – adverts, marketing, etc.)" (PhD Candidate 5 Mar. 2021).

This Response was prepared after researching publicly accessible information currently available to the Research Directorate within time constraints. This Response is not, and does not purport to be, conclusive as to the merit of any particular claim for refugee protection. Please find below the list of sources consulted in researching this Information Request.

Notes

[1] According to its website, the Nigerian Communications Commission (NCC) is the "independent National Regulatory Authority for the telecommunications industry in Nigeria" (Nigeria n.d.).

[2] An overview of family law in Nigeria, prepared by Efe Etomi, a partner at Chief Rotimi Williams' Chambers (FRA Law) whose areas of practice include civil litigation relating to family law disputes, and Elvis Asia, a managing partner at FRA Law, whose areas of practice also include civil litigation relating to family law disputes and published by Thomson Reuters Practical Law, an online legal service that provides peer-reviewed resources (Thomson Reuters n.d.), notes that the Child's Right Act has been adopted by 25 states, including Lagos, Enugu, Plateau, Edo, Ekiti, and Rivers (Etomi and Asia 1 Oct. 2020, 2, 22-23).

[3] The Nigeria Data Protection Regulation (NDPR) is available online (Nigeria 2019c).

[4] The draft Data Protection Bill, 2020 is "[a]n Act to establish the Data Protection Commission charged with the responsibility for the protection of personal data, rights of data subjects, regulation of the processing of personal data and for related matters" (Nigeria 2020, 1).

[5] Digiterhub is an IT risk assessment and digital security services provider with offices in the UK and Nigeria (Digiterhub n.d.).

[6] Front Line Defenders, a Dublin-based organization with an additional office in Brussels and field staff in Africa, Asia, the Middle East and the Americas, aims to protect human rights defenders by offering training, an emergency phone line, and emergency support for human rights defenders in immediate danger (Front Line Defenders n.d.).

[7] The Citizen Lab is "an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security" (The Citizen Lab n.d.).

[8] The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) is the EU's data protection law, which was adopted on 27 April 2016 and came into effect on 25 May 2018 (EU 2016, Art. 1, 99).

References

Adeniran, Yemi. 20 January 2021. "Data Protection in Nigeria – Enforcement in Post COVID-19 Digital Economy." BiometricUpdate.com, Industry Insights. [Accessed 18 Mar. 2021]

Bertelsmann Stiftung. 2020. "Nigeria Country Report." Bertelsmann Stiftung's Transformation Index (BTI) 2020. [Accessed 18 Mar. 2021]

The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto. 1 December 2020. Bill Marczak et al. "Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles." [Accessed 3 Mar. 2021]

The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto. N.d. "About the Citizen Lab." [Accessed 22 Mar. 2021]

Committee to Protect Journalists (CPJ). 13 February 2020. Jonathan Rozen. "How Nigeria's Police Used Telecom Surveillance to Lure and Arrest Journalists." [Accessed 19 Mar. 2021]

Committee to Protect Journalists (CPJ). N.d. "What We Do." [Accessed 22 Mar. 2021]

Digiterhub. N.d. "About Us." [Accessed 22 Mar. 2021]

Etomi, Efe and Elvis Asia. 1 October 2020. "Family Law in Nigeria: Overview." Thomson Reuters Practical Law. [Accessed 30 Mar. 2021]

European Union (EU). 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (General Data Protection Regulation). [Accessed 26 Mar. 2021]

Front Line Defenders. 29 March 2018. UPR Submission – Nigeria 2018: Submission to the 31st Session of the Universal Period Review, November 2018. [Accessed 19 Mar. 2021]

Front Line Defenders. N.d. "About Us." [Accessed 22 Mar. 2021]

GSM Association (GSMA). 27 November 2018. Spotlight on Nigeria: Delivering a Digital Future. [Accessed 18 Mar. 2021]

GSM Association (GSMA). N.d. "About Us." [Accessed 19 Mar. 2021]

The International Criminal Police Organization (INTERPOL). July 2020. Online African Organized Crime from Surface to Darkweb. [Accessed 29 Mar. 2021]

Lawyer, Nigerian law firm. 5 March 2021. Interview with the Research Directorate.

Nigeria. 8 November 2020. Nigerian Communications Commission (NCC). "Procedure for Lodging Consumer Complaints." [Accessed 3 Mar. 2021]

Nigeria. 2020. Data Protection Bill, 2020. [Accessed 26 Mar. 2021]

Nigeria. [2020]. Nigerian Communications Commission (NCC). "Subscriber Statistics." [Accessed 19 Mar. 2021]

Nigeria. 2019a. Lawful Interception of Communications Regulations, 2019. [Accessed 30 Mar. 2021]

Nigeria. 2019b. Nigerian Communications (Enforcement, Process, etc.) Regulations, 2019. [Accessed 19 Mar. 2021]

Nigeria. 2019c. Nigeria Data Protection Regulation 2019. [Accessed 26 Mar. 2021]

Nigeria. 2011. Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011. [Accessed 22 Mar. 2021]

Nigeria. 2003a. Child's Right Act. [Accessed 19 Mar. 2021]

Nigeria. 2003b. Nigerian Communications Act, 2003. [Accessed 19 Mar. 2021]

Nigeria. 1999. Constitution of the Federal Republic of Nigeria. [Accessed 18 Mar. 2021]

Nigeria. N.d. Nigerian Communications Commission (NCC). "About the NCC." [Accessed 30 Mar. 2021]

Paradigm Initiative (PIN). July 2020. Adeboye Adegoke. Digital Rights and Privacy in Nigeria. [Accessed 19 Mar. 2021]

Paradigm Initiative (PIN). N.d. "About Us." [Accessed 22 Mar. 2021]

PhD Candidate, Leibniz University Hanover. 5 March 2021. Correspondence with the Research Directorate.

Premium Times. 20 March 2019. Kemi Busari. "Buhari Declines Assent to Digital Rights Bill, Four Others." [Accessed 22 Mar. 2021]

PricewaterhouseCoopers (PwC) Nigeria. December 2020. The NDPR and the Data Protection Bill 2020. [Accessed 26 Feb. 2021]

Pulse.ng. 21 March 2019. Aderemi Ojekunle. "President Buhari Has Rejected a Bill Seeking to Protect the Rights of Internet Users in Nigeria From Infringement." [Accessed 22 Mar. 2021]

Pulse.ng. N.d. "About Us." [Accessed 29 Mar. 2021]

S.P.A. Ajibade & Co. 12 February 2020. Francis Ololuo. "Data Privacy and Protection Under the Nigerian Law." [Accessed 29 Mar. 2021]

Techpoint.africa. 27 March 2019. Victor Ekwealor. "Nigeria's President Refused to Sign Its Digital Rights Bill, What Happens Now?" [Accessed 22 Mar. 2021]

Thomson Reuters. N.d. Practical Law. "About Us: About Practical Law." [Accessed 30 Mar. 2021]

World Bank. [2019]. "Population, Total – Nigeria." [Accessed 25 Mar. 2021]

Additional Sources Consulted

Oral sources: Collaboration on International ICT Policy in East and Southern Africa; Cyber Security Experts Association of Nigeria; Digiterhub; Information Security Society of Africa – Nigeria; Nigeria – Nigerian Communications Commission; Nigerian lawyer who has written on data privacy and protection; senior lecturer in the department of private and property law at a university in Nigeria who researches cyberspace law and communication technology law; senior lecturer of commercial and industrial law who has written on telecommunication and consumer protection.

Internet sites, including: The Africa Report; Africa Research Bulletin; Al Jazeera; Amnesty International; Australia – Department of Foreign Affairs and Trade; BBC; Brookings Institution; Centre for Democracy and Development; Collaboration on International ICT Policy for East and Southern Africa; Cyber Security Experts Association of Nigeria; Deloitte; ecoi.net; The Economist; EU – European Asylum Support Office; Financial Times; Freedom House; Global Information Society Watch; The Guardian; The Guardian [Nigeria]; Human Rights Watch; Kaspersky Lab; KPMG International Limited; Legit; The New York Times; Nigeria CommunicationsWeek; Privacy International; Technext.ng; UK – Home Office; UN – Refworld; University of Pennsylvania – The Africa Center; Vanguard; The Washington Post; World Wide Web Foundation.