On 4 January 2018, this paper published in this column an article titled “The Application of EU’s General Data Protection Regulations to Organizations Located in Nigeria”, (hereinafter referred to as “the earlier article”) which I authored. In the earlier article, I explained, what the General Data Protection Regulations (GDPR) is, the principles and grounds for processing personal data under the GDPR, how organizations located in Nigeria may come within the scope of the GDPR, and the obligations imposed by the GDPR and the penalties for non-compliance with these obligations. Finally, I concluded by offering a practical advice on how compliance with the GDPR may be commenced by such organizations.
Since the earlier article was written, I have received several enquiries regarding the GDPR which would be coming into force from 25 May 2018, and its application to specific organizations in Nigeria. In particular, most enquirers have asked to know whether the GDPR, would apply to mobile network operators (MNOs) operating in Nigeria.
In this article, I respond to this question. I start first by defining “personal data” and “data processing” within the meaning of the GDPR. Next, I identify personal data in the context of telecommunications services and activities of MNOs operating in Nigeria that constitutes data processing within the meaning of the GDPR. Finally, I explain the circumstance under which the GDPR would apply to MNOs operating in Nigeria.
“Personal data” and “data processing” under the GDPR
Article 4 (1) defines “personal data” to mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. It is argued that a person becomes identified where there is sufficient information either to contact him or to recognise him by picking him out in some way from others and know who he is. “Identifiable” in this definition does not necessarily mean that the natural person has being identified or that his identity is ascertained, it is sufficient if it is possible to do so, hence the reference to the suffix “-able”. Finally, because anonymous information (information which does not relate to an identified or identifiable natural person) has being stripped of all identifiers, it does not constitute personal information within the meaning of the GDPR. Therefore, under the GDPR, for data to be “personal”, two cumulative conditions must be satisfied. Firstly, the data must relate to or concern a natural person; secondly, the data must facilitate the identification of that person.
Data processing is defined in Article 4 (2) as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. It is pertinent to note that both data processing by automated and manual means would come inside this definition
Personal data in the context of telecommunications services
In the context of telecommunications services, the following constitute personal data; traffic data; (geo)location data, browsing/search history, click stream data, internet protocol (IP) address, email address and telephone number.
Activities of MNOs in Nigeria that constitutes data processing under the GDPR
The collection of the personal names and biometrics (finger prints and facial image) of users of mobile telecommunications services pursuant to the provision of the Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations 2011 (the Regulations), constitutes data processing under the GDPR. It is also pertinent to note that in Nigeria an MNO can be both a data processor and a data controller (Refer to the earlier article for the definition of these terms under the GDPR). An MNO acts as a processor when it collects/stores the personal names of users of its services, on behalf of the Nigerian Communications Commission (the Commission, which in this case acts as a data controller) pursuant to the Regulations, while it acts as a data controller when it requires its distributors/partners to obtain the personal data of individuals who intend to subscribe to its services and, through the agreements with the distributor/partner, directs how this personal data may be processed within the scope of providing this telecommunications services.
Circumstances under which the GDPR applies to MNOs in Nigeria
As stated in the earlier article, Article 3 of the GDPR sets out the territorial scope of the GDPR. In this regard, organizations located in Nigeria acting as data controllers and/or data processors would be subject to the GDPR if; the organization maintains an “establishment” in the EU and processes personal data “in the context of the activities of [that] establishment, regardless of whether the processing takes place in the EU or not” (Article 3 (1)); the organization processes personal data with respect to “the offering of goods or services, irrespective of whether a payment is required, to data subjects in the [EU]” (Article 3 (2) (a); and lastly if the organization processes personal data in context of the monitoring of the behaviour of data subjects in the EU as far as their behaviour takes place within the EU (Article 3 (2) (b)).
While I have not investigated this issue in detail, I am presently of the view that Article 3 (2) (a) – (b) are unlikely to apply to any MNO operating in Nigeria. However, Article 3 (1) is likely to apply to any MNO offering international roaming services in an EU member state. For instance, Airtel Nigeria offers roaming services in Belgium and Spain (member states of the EU), while MTN offers roaming services in several EU member states including Austria, Belgium and Denmark. According to Article 3 (1) any organization that maintains an “establishment” in the EU and processes personal data “in the context of the activities of [that] establishment would invariably be subject to the GDPR. Stated differently, for Article 3 (1) to apply to organisations in Nigeria including MNOs, the organization must (I) maintain an establishment in the EU, and (II) process personal data in the context of the activities of that establishment. It should be noted that requirements (I) and (II) are cumulative requirements and each of them must be satisfied.
“Establishment” in the context of the territorial application of the GDPR implies “the effective and real exercise of activity through stable arrangements” (Recital 22). Thus, while an organization located in Nigeria with a branch or subsidiary in the EU would be caught by Article 3 (1) if it processes personal data in the context of that establishment, however the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor for the purpose of determining establishment (Recital 22).
As illustrated in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (C-230/14), the Court of Justice of the EU (CJEU) explained the nature of an establishment in the context of EU data protection law. In this case, the Hungarian data protection authority (DPA) referred to the CJEU the question of whether EU data protection law (as domesticated by Hungary) applies to a data controller whose company is registered in Slovakia, but who, in this case, runs a property dealing website concerning properties situated in Hungary. The CJEU in answering this question considered whether the operations in Hungary amounted to an “establishment” under EU data protection law (of Hungary), and the powers of the DPA in one country over the activities of a data controller established in another country, and held that if a company has stable arrangements in a territory, through which it conducts real and effective activity in the context of which personal data is processed, then it is established in that jurisdiction for the purpose of EU data protection law. Therefore, in my considered view, an international roaming agreement entered into between any MNO operating in Nigeria and another MNO operating in an EU member state constitutes a “stable arrangement” for the purpose of determining establishment under the GDPR. This is because the international roaming agreement provides a seamless extension of coverage for an MNO operating in Nigeria, and thus enables it to conduct “effective and real exercise of [commercial] activity” in any EU member state where it has entered into an agreement with an MNO.
Finally, the last limb of Article 3 (1), that is requirement II, is satisfied where for example, the personal information of the customer of an MNO operating in Nigeria, is processed for the purpose of ascertaining the proper charges that should be paid for roaming services provided in an EU member state. For this purpose, it is irrelevant whether the processing takes place in the EU or not, or whether the customer whose personal data is being processed (data subject) is an EU citizen or not.
In this article, I have shown how MNOs would be subject to the GPDR in circumstances where they have entered into an international roaming agreement with an MNO operating in an EU member state. Unless, an MNO does not intend to offer roaming services in an EU member state, the logical path now is to commence steps to mitigate exposure to liability under the GDPR and comply with the obligations of both data processors and data controllers under the GDPR as stated in the earlier article.
Chukwuyere Ebere Izuogu