Nigerian regulators are going after Truecaller, the Sweden-based phone number identification app, for “potential breach of privacy rights of Nigerians.”
Nigeria’s National Information Technology Development Agency claims Truecaller’s privacy policy contains “illegitimate provisions” that contravene Nigeria’s Data Protection Regulation (NDPR). It also alleges Truecaller “collects far more information than it needs to provide its primary service” and has urged Nigerians to delist themselves from the service.
NITDA’s investigation into Truecaller follows several years of the app’s activity in Africa’s largest mobile market amid growing usage. The app’s caller ID service, which helps users identify names of callers with unsaved numbers, has garnered 2.9 million active users in Nigeria.
With Truecaller users granting it access to their contacts list among a range of other permissions, the Stockholm-headquartered has aggregated a database of contact details from millions of users raising questions about its methods. As such, when a Truecaller user receives a call from an unsaved number, the app can match that number with a name from its vast database. In exchange for free use, the app leverages its vast user base for mobile advertising.
Truecaller has grown rapidly in markets like India and now has over 150 million daily active users worldwide and a million premium users who pay for additional features. In India, the app has been popularly adopted for spotting and managing users’ high spate of spam calls while in Nigeria a common use case sees Truecaller used to detect prospective fraudsters amid the country’s low-trust environment. Nigeria’s spam culture has also seen attempts by regulatory bodies to stop unsolicited promotional spam texts and calls from telecoms operators face hiccups.
Truecaller remains subject of controversy especially given the ethical question on how it pulls in the contact details of non-Truecaller users to its database. There are now guides online on how users can delist from Truecaller’s database.
Bigger questions
But NITDA’s investigation of Truecaller also raises troubling questions about Nigeria’s own nascent data privacy laws. While NITDA is a government agency established by law to implement and regulate information technology, the NDPR data protection regulations have not been passed as a bill through Nigeria’s national assembly.
“The regulation is secondary in that they didn’t do the real work of passing a bill through the National Assembly so that Nigeria can get a real data protection law with coordinated data protection mechanisms,” says Gbenga Sesan, a prominent digital rights advocate. “It’s tough to enforce secondary legislation because agencies, or even companies, will challenge it in court. For example, best practice expects that data protection laws or regulation be managed by a data protection agency which NITDA is not.”
As it turns out, a data protection bill which has been passed by Nigeria’s senate and submitted for presidential assent since May remains unsigned. It’s a reflection of wider realities across African countries many of which remain in need of stronger bills of data rights.
Perhaps as an indication of its limitations, Sesan says the application of NDPR as a stop-gap measure is not broad enough. “If serious, they should start with the Central Bank, the Independent National Electoral Commission, Nigerian Communications Commission, Nigerian Immigration Service and all other government agencies that collect and have lost or abused data,” Sesan says.
For its part, Truecaller says it’s reviewing NITDA’s comments and will prepare a response but ultimately, Sesan expects NITDA’s investigation to fizzle out. ”This is probably another press posturing that will go nowhere,” Sesan says. “The best this dog can do is bark, it has zero bite.”
.Quartz Africa Weekly Brief