‘Data Colonialism’: Comments on National Information Technology Development Agency (NITDA)’s Advisory on WhatsApp’s New Privacy Policy in Nigeria

Introduction At the beginning of the year, precisely on 4th January 2021, WhatsApp introduced a

Introduction

At the beginning of the year, precisely on 4th January 2021, WhatsApp introduced a new privacy policy (the New Policy) to share more commercial user data with its parent company, Facebook and indicating its intention to enforce same on 8th February 2021. The New Policy sparked widespread outcry from WhatsApp users; prompting WhatsApp on 12th January 2021, to clarify that they do not share personal chat messages with Facebook. Instead, the update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how Whatsapp collect and use data.[1] 

The explanation did not assuage the feelings of the users who felt ‘betrayed’. Some users started migrating to alternative platforms like Telegram and Signal (the latter endorsed by Elon Musk).[2] The impending foreseeable mass exodus of users, coupled with the trenchant criticisms, made WhatsApp to retract and delayed the implementation of the New Policy until 15th May 2021.[3]

Particularly striking is the fact that the New Policy is discriminatory in nature as it grants the right to opt-out to only users in the European Union. Consequently, many privacy/cyber-security experts, and entrepreneurs have come out to urge people to migrate to alternative platforms.[4] Given that the New Policy has now been implemented, NITDA, Nigeria’s data privacy regulator, on 17th May 2021, issued an advisory opinion (the NITDA Advisory) to Nigerians on requisite responsive actions.[5]

Summary of NITDA’s Advisory

NITDA is empowered under section 6(f) NITDA Act 2007 to provide advisory opinions to Nigerians. Thus, the NITDA Advisory resulting from the meeting it had with Facebook, (WhatsApp’s parent) in conjunction with the African Network of Data Protection Authorities following the implementation of the New Policy.[6] Essentially, NITDA advised as follows:

  1. “Nigerians may wish to note that there are other available platforms with similar functionalities which they may wish to explore. Choice of platforms should consider data sharing practices, privacy, ease of use among others; and
  2. Limit the sharing of sensitive personal information on private messaging and social media platforms as the initial promise of privacy and security is now being overridden on the bases of business exigency.”[7]

“Data WhatsApp Shares with Facebook”

The Facebook team confirmed that WhatsApp will share data with Facebook which was quoted in the NITDA Advisory: “As part of the Facebook companies, WhatsApp receives information from and shares information with the other Facebook Companies. We may use the information we receive from them and they may use the information we share with them, to help operate, provide, improve, understand, customise support and market our services and their offerings, including the Facebook company products…”

Therefore, WhatsApp shares the following information with Facebook Company:

  1. Account registration information;
  2. Details on how users interact with others;
  3. Mobile device information;
  4. Internet protocol address;
  5. Location data;

The NITDA Advisory stated that the Facebook Team confirmed that private messages shared on WhasApp consumer version are encrypted and not seen by Facebook.  However, “the metadata (data about the usage of the service), which happens to be personal data is shared with the other members of the Facebook group”.

Privacy Costs: NITDA’S Belated Response

Whilst NITDA’s engagement with Facebook in collaboration with its sister African regulatory bodies in April 2021 is commendable, the purpose of the NITDA Advisory would have been better served if it was issued before the New Policy’s effective date of 15th May 2021. The NITDA Advisory was issued on 17th May 2021, two clear days after the 15th May 2021 effective date of the New Policy.   Prior to its issuance, some Nigerians might have taken steps to accept the New Policy, effectively putting them in a position of crying over spilt milk. This is unlike South Africa’s regulators who met as early as 13th January to analyse the New Policy and how it affects South African citizens and took steps to alert their citizens on the implications.[8] Also South Africa and other countries like United States and India have requested WhatsApp to stop the New Policy.[9] 

Also, the fact that the NITDA Advisory was only publicised on the NITDA’s website and Twitter account is rather underwhelming. One would have expected a more rigorous publicity campaign, utilising additional online channels, and also including newspaper, radio and television advertisements during prime time slots. Airtime especially on Federal and State Government radio and television networks would have helped with greater diffusion.

The likelihood  that a large chunk of Nigerian Whatsapp users never got wind, or will become further belatedly aware,  of the NITDA Advisory is very high, because only a fraction of them are on Twitter[10] and  they are may still not see the NITDA Advisory for one reason or the other. And if they are no aware, of course they would not even have any motivation for checking NITDA’s website on the issue. The entire reactive approach is inconsistent with NITDA’s own recognition of data privacy and protection being serious national issues, as mentioned in the NITDA Advisory. Clearly regulatory nimbleness and proactivity cannot be over-emphasised, in the data privacy space.

Conclusion

The New Policy appears to be operative on a “take it or leave it” model, which runs contrary to the provisions of the Nigerian Data Protection Regulation 2019 (NDPR), that consent must at all material times, be freely given.[11] The consequence of refusing to accept the New Policy is to shut the WhatsApp door against such ‘recalcitrant’ user. On one hand, the choice of having to do away with WhatsApp may be pyrrhic, when quantified in terms of the contacts and transactions that may be lost thereby.

On the other, the apparent double standard of the New Policy means that the citizens of European countries could opt-out of the New Policy, without losing their WhatsApp. The fascinating excuse for this is that Europe already has a robust data privacy protection regime vide the General Data Protection Regulation 2018 (GDPR).[12]  This sends a wrong, if not condescending, signal about the privacy regimes of other countries.

The foregoing development underlines the need to hasten the development of a unified data protection framework for Africa,[13]  and for Nigeria to swiftly pass the Nigerian Data Protection Bill 2019 towards making our data protection regulation framework, more robust.

Nonetheless, it is apt to close with the concluding paragraphs of the NITDA Advisory, thus:

“Nigeria’s engagement with Facebook continues. We have given them our opinion on areas to improve compliance with the NDPR. We have also raised concerns as to the marked difference between the privacy standard applicable in Europe, under the GDPR and the rest of the world.

Given the foregoing and other emerging issues around international technology companies, NITDA, with stakeholders, is exploring all options to ensure Nigerians do not become victims of digital colonialism. Our national security, dignity and individual privacy are cherished considerations we must not lose. Because of this, we shall work with the Federal Ministry of Communications and Digital Economy to organize a hackathon for Nigerians to pitch solutions that can provide services that will provide functional alternatives to existing global social platforms.”[14]