Many African states have established data localization regimes in order to control the management of data generated within their territories. Such regimes have introduced measures to govern the physical storage and cross-border transfer of data generated within their territories. However, concerns are expressed that such regimes will ‘fragment’ the global Internet.
Nigeria is one African state that has developed data localization regimes, with the aim to achieve economic and national security objectives. The legal basis and justification for their establishment is found in the Constitution. This brief reviews Nigeria’s data localization regimes and considers challenges in their implementation.
Defining data localization
Data localization is the storage of data within a particular geographic location. Data localization regimes are state regulations which require that certain kinds of data should be stored within the country where they originated. For example, a data localization regime that applies to the telecommunications industry may require the personal data of subscribers to be physically stored within the jurisdiction of a state and not transferred to a foreign state except under certain prescribed conditions. Data localization regimes may impose obligations that include: (a) conditional localization, which requires the local storage of certain classes of data subject to prescribed conditions; (b) unconditional local storage of certain classes of data, such as personal data; and (c) unconditional mirroring requirements of certain classes of data, such as personal data (Burman and Sharma 2021).
Data localization is rooted in the concept of data sovereignty, which extends the jurisdiction of a state over data concerning its citizens or data collected and processed by organizations located within its territory. One common objective of data localization is to promote law enforcement and national security by ensuring that relevant government agencies have timely access to data for investigative, prosecutorial, and intelligence reasons. Another common objective is to ensure the privacy of citizens’ data against surveillance by foreign companies and governments. Data localization regimes have also been established to promote economic development objectives through the imposition of local content requirements on the management of certain classes of data collected within a state’s territory. In this vein, Nigeria has established a range of data localization regimes that impose local content measures on the management and storage of certain classes of data.
‘Local content measures’ refer to domestic measures that compel public and private organizations within a state’s territory to make use of products or services with a local origin (Orji 2020: 56). Such requirements usually seek to promote economic objectives including: economic diversification, reduction of import dependency, promotion of indigenous participation in economic sectors, facilitation of technology transfers, and protection of emerging industries (Orji 2018a). The idea that data are a commodity that must be controlled to maximize economic benefits has contributed to the proliferation of local content requirements with respect to the management and storage of data.
Legal basis for Nigeria’s data localization regimes
Nigeria has the largest number of telecommunications and Internet users in Africa, with about 205 million mobile subscribers and 150 million Internet subscribers. Also, according to World Bank figures, 4 in 10 Nigerians live below the national poverty line.
To improve Nigeria’s standard of living and promote economic and national security, the Constitution of the Federal Republic of Nigeria (1999) declares that ‘the security and welfare of the people shall be the primary purpose of government’. Section 16 of the Constitution also provides that the State shall promote national prosperity and a self-reliant economy; and control the national economy in such manner as to secure the maximum welfare of every citizen. These constitutional mandates provide the legal basis for the government’s establishment of measures, including national economic policies and laws aimed at promoting the economic and national security of Nigerians. In the exercise of these constitutional mandates, the Nigerian Government has established requirements for the localization of data in Nigeria.
Overview of Nigeria’s data localization regimes
Five data localization measures in Nigeria are worth highlighting. The first is contained in the Central Bank of Nigeria Guidelines on Point of Sale (POS) Card Acceptance Services of 2011. This regulation prohibits all domestic POS (point of sale) and ATM (Automated Teller Machine) transactions from being routed outside Nigeria. Paragraph 4.4.8 of the Guidelines provide that: ‘All domestic transactions including but not limited to POS and ATM transactions in Nigeria must be switched using the services of a local switch and shall not under any circumstance be routed outside Nigeria for switching between Nigerian Issuers and Acquirers’. The implementation of the Guidelines has seen the licensing of several payment switching companies in Nigeria, such as Interswitch, Flutterwave, Appzone, TeamApt, eTranzact and Unified Payments.[1]
A second relevant measure are the Guidelines for Nigerian Content Development in ICT issued in 2013. This regime seeks to enhance local content in the Nigerian ICT industry through the development and utilization of indigenous capacity for activities in the industry, with a view to promoting technology transfer and local manufacturing of ICT products (Orji 2018b). The Guidelines mandate telecommunications/ICT companies operating in Nigeria to host all subscriber and consumer data locally within the country, to host their websites on the .ng country code top level domain, and to migrate their Internet peering arrangements to locally available services such as the Internet Exchange Point of Nigeria. The Guidelines further impose obligations on all government ministries, departments, and agencies to host their web services on the gov.ng domain and also to migrate their Internet peering arrangements to locally available services (Guidelines for Nigerian Content Development in ICT 2013). The implementation of the Guidelines has seen telecommunications operators in Nigeria establish data centres to house consumer data within the country and also provide data storage services for other firms.
Third, the Guidelines for Nigerian Content Development in ICT of August 2019 establish data localization mandates that require data and information management companies and government institutions to host all ‘sovereign data’ locally within the country and not for any reason to host sovereign data outside the country without express approval from the National Information Technology Development Agency (NITDA). However, these guidelines do not provide a definition of ‘sovereign data’, leaving the scope of this concept open to speculation and varying interpretations.
Fourth, the National Digital Economy Policy and Strategy (2020–2030) seeks to promote indigenous content development and adoption in the ICT sector. While the policy does not establish data localization mandates, it specifically aims ‘to support the proliferation of Data centers across the country’ and mandates the Government to promote the development and deployment of robust and scalable data center infrastructure.
Finally, the National Policy for the Promotion of Indigenous Content in the Nigerian Telecommunications Sector (2021) seeks to promote local participation in the country’s telecommunications industry in areas including the manufacture of telecommunications equipment, the provision of support services, skills transfer, and research, and development. While the policy does not prescribe any data localization mandates, it emphasizes the position of the Nigerian government to promote data localization, declaring that:
As such, the policy seeks to reduce reliance on foreign data centres for the storage of data generated within the country.
Challenges of Nigeria’s data localization regimes
Generally, policies that impose local content requirements on data storage or management qualify as policies affecting trade in services. Under the General Agreement on Trade in Services of the World Trade Organization (WTO), member states such as Nigeria have obligations to facilitate cross-border trade in services and eliminate measures that restrict trade in services. Such measures include national requirements that discriminate against the domestic usage of services originating in another WTO member state (Walden 2012; GATS 1995). In practice, however, Nigeria’s obligations are limited to its Schedule of Specific Commitments, which do not extend to data localization (WTO 1995). Therefore, Nigeria is entitled to apply local content requirements such as data localization regimes within its telecommunications/ICT sector.
However, the implementation of Nigeria’s data localization regime is fraught with challenges, such as lack of clarity in application, costs of compliance, the uncertainty of the scope of ‘sovereign data’, unstable power supply, data outage, and cybersecurity concerns. To date no government report has addressed the implementation of Nigeria’s data localization regimes. Also, the costs of ensuring effective enforcement of data localization regimes are enormous, given the existence of several organizations that engage in the collection and processing of data. Lack of clarity with respect to what constitutes ‘sovereign data’ creates regulatory uncertainty on the classes of data that organizations are required to store within the country and also makes it impossible for NITDA to enforce ‘sovereign data’ localization mandates, and further leaves room for speculation with respect to compliance.
Regarding power supplies, it is estimated that only 60% of the Nigerian population have access to electricity. As a result, businesses must generate most of their electricity from private supplies, usually with costly generators running on diesel or petrol. ICT and telecommunication operators in Nigeria privately generate most of the electricity that powers their base stations and other network facilities. It is estimated that operators in Nigeria spend over 80 percent of their operating costs on power generation.Therefore, the poor state of power supply in Nigeria seriously challenges the implementation of existing data localization regimes.
Data outage and cybersecurity issues also complicate the actualization of Nigeria’s data localization regimes. In December 2020, Nigeria’s National Identity Management Commission (NIMC) database went down as a result of increased user traffic that followed the government’s directive that all Nigerians should link their telephone subscriber identification details to their national identities on the NIMC platform. The NIMC database went offline again for several days in February 2022, causing telecommunication companies, banks, immigration services, and other services to lose several millions of Naira due to their inability to verify customer identities stored on the NIMC database.[2] The government has denied allegations that these incidents involved data breaches. However, this state of affairs raises issues regarding the integrity and availability of data stored in the NIMC’s database.
Concluding remarks
The idea that data are a commodity that must be controlled to maximize economic benefits has opened opportunities for states to impose local content requirements on the management and storage of data. Nigeria seeks to achieve economic development objectives through localization mandates. However, despite the laudable objectives of Nigeria’s data localization regimes, their full implementation may not be practicable in the face of the highlighted challenges.
[1] Chimgozirim Nwokoma, ‘Here is why Nigeria’s biggest Fintechs are getting a switching and processing license', Techpoint, (26 September 2022), available at techpoint.africa/2022/09/26/payment-switching-processing-licence-nigeria.
[2] Bankole Abe, ‘Nigerians react as NIMC portal suffers downtime’, ICIR Nigeria (7 February, 2022), available at https://www.icirnigeria.org/nigerians-react-as-nimc-portal-suffers-downtime/; Oluwadara Idowu Kuola, ‘NIN: SIM retrieval, passport processing affected as NIMC portal suffers downtime’, Technext (7 February 2021), available at https://technext.ng/2022/02/07/nimc-blames-service-partner-for-downtime-telco-banking-services-affected/.
References
Burman, Anirudh and Sharma, Upasana (2021). How Would Data Localization Benefit India, Carnegie India Working Paper, Washington D.C.: Carnegie Endowment for International Peace.
GATS (1994). TS 58(1996) Cm 3276; 33ILM 44, General Agreement on Trade in Services.
Guidelines for Nigerian Content Development in ICT (2013). Paragraph 12.1.
Orji, Uchenna Jerome (2018a). ‘Promoting Technology Transfers in Nigeria’s Extractive Industries: A Review of the Legal Regime, the Challenges and Proposals for Responses’, Journal of World Trade and Investment, 19(2): 248–292.
Orji, Uchenna Jerome (2018b). Telecommunications Law and Regulation in Nigeria, Newcastle upon Tyne: Cambridge Scholars Publishing.
Orji, Uchenna Jerome (2020). ‘The Nigerian Oil and Gas Industry Content Development Act and GATT Treaty Obligations: On a Path of Harmony or Discord?’, Latin American Journal of Trade Policy, 3(7): 56–80,
Walden, Ian (2012). ‘International Regulatory Law’, in Ian Walden (ed.), Telecommunications Law and Regulation, Oxford: Oxford University Press, 786–797;
WTO (1995). GATS – Nigeria: Schedule of Specific Commitments (GATS/SC/65), 15 April.
About the Author
Dr Uchenna Jerome Orji is an Attorney admitted to the Nigerian Bar. He is the author of Cybersecurity Law and Regulation (2012), International Telecommunications Law and Policy(2018), andTelecommunications Law and Regulation in Nigeria(2018). Uchenna is a Fellow of the African Center for Cyber Law and Cybercrime Prevention (ACCP) and has worked as a legal expert for national and international organizations on the governance of ICTs. He is currently an Assistant Professor of Law at the American University of Nigeria and the Chair of the Department of Private and Business Law.
Contact: jeromuch@yahoo.com - uchenna.orji@aun.edu.ng