The Nigerian Patriot ACT is Coming: Compliments of NITDA


Femi Oyesanya



Imagine a possible technology future in Nigeria. Imagine that the Data Retention Law section of the proposed Draft Nigerian Cybercrime Act, under the leadership of the National Technology Development “Go-slow” Agency, (National Information Technology Development Agency) passes into Law, Electronic Computer Privacy as we know it today in Nigeria will change, and pose serious Individual Privacy and Personal Liberty issues.


Specifically, the Data Retention Law states “All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”.  The vagueness, and the lack of clear definition of “Transactional records” makes the Data Retention section of the Draft Nigerian Cybercrime Act, worse than the very controversial USA PATRIOT ACT.

Service providers, as defined by the Draft Act are,  


“Internet Service Providers, Cyber cafés, Communications Service Providers, Application Service Providers, any individual or body corporate that deploys information and communication technology resources in Nigeria”.

Communication Service Providers are defined as “a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of communications and who receives compensation from persons who use that system”


So, what are the privacy implications?   Well, since the word transactional records was not defined within the Draft Nigerian Cybercrime Act, the implication is that, a potential possibility exists for transactional records to

become termed as a subset of Personal records, Financial Records, Internet Browsing records, Email Records, Telephone records, and every potential electronic record held in a permanent storage area or memory of a Nigerian Service Provider Network.  These Records, according to the Draft Nigerian Cybercrime Act, will be held for a period of 5 years, thus compiling a large data set of individual personal communication. This is dangerous!


Impact of the Law on Nigerian ISP’s

There are also serious technology development cost implications that will be created as a result of the Draft Nigerian Cybercrime Act.  As is, if allowed to pass into law, the Law will increase the overall storage and archiving cost of a Nigeria ISP by a very high margin. Depending on the volume of transactions processed by a particular ISP, compliance with the law will require massive backup facilities, and an overall increase in the operational costs of data retention.


Impact of the Law on Nigerian Internet Subscribers

Customers subscribing to telecommunication and computer services offering by a Nigerian Service Provider such as: Cybercafe, telephone companies, and Individual users will have to assume increases in operational costs that the Law imposed on the Service Provider.  As the volume of Data retention increases, the Nigerian ISP’s and other Service Providers will have no choice but to pass the increases in operational costs down to the consumer.


Impact of the Law on Personal Privacy

If allowed to pass into law, the Data Retention section of the Nigerian Cybercrime Act will also affect fundamental issues of individual and collective association privacy.   Since the government will now require, every Service Providers to hold all forms of digital transmission record; voice, data, and video in retention for 5 years, the law implies that all telephone conversations, every key stroke that a Nigerian Computer user types, and every other possible form of electronic data processing will be archived somewhere.


Here are some examples: All Email transactions that Nigerians send to each other, financial information routed

from one Nigerian Bank to the other passing through a public ISP Network, all electronic form of political activity, all electronic form of Nigerian Student Activity, Labor Union electronic communications, Political dissent electronic communication, etc, the list is endless.


Nigerians will need to start looking behind their backs, getting digital privacy stricken. Government digital surveillance would have infested every facet of their livelihood.  We all know that political thugry is still very common.  With the law in effect, electronic political thugry will have a field day.  One political opponent wishing to destroy the other might use electronic records of the other for political blackmail.  Even, government will not escape this new danger; any electronic record processed by any technocrat, passing through the Public Internet will be held at an ISP archival storage somewhere.   National data in-security and data privacy issues will soon become at-risk wholesale issues. 


In conclusion, and knowing that the Law is still a Daft, the mere inclusion of the Data Retention Law in a Draft Nigerian Cybercrime Act is an indication that the people at NITDA are not cognizant of page 45 of the Nigerian IT Policy, which defined one of the objectives of NITDA, as to “Ensure the protection of individual and collective privacy, security, and confidentiality of information”.  Hence, NITDA must be held accountable, this portion of the Draft Nigerian Cybercrime Bill must be refined or deleted. The definition of what constitutes Service Provider transactional record needs to be clearly defined. Any inclusion of any law within the body of the Nigerian Cybercrime Act must totally align with the strategic content of the Nigerian IT Policy, which clearly affirms a need to protect individual data privacy. For now, Political Activism needs to be set in motion, to begin advocacy against this particular section of the bill, before it sneaks past the Nigerian Congress. Chief Gani Fawehinmi must please note these developments. Those Nigerians and Non-Governmental Organizations interested in national electronic privacy issues, please use the following Email Address to inquire about the bill.

NITDA’s Director Email: or

NCWG  Email:      

The portion of the Draft Cybercrime Act, titled:


“Retention for Records Retention by Service Provider”,

states: All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”