Data Privacy Regime in Nigeria: The Gaming Industry in Focus

By Solomon Nwabueze 

INTROCUCTION

Technology is on the rise as this is the 4^th industrial revolution, and as such many industries are gradually becoming more digital and tech-compliant thereby driving the location of their businesses online. This has led to a tremendous thrive in several of these industries including the gaming industry.

According to reports, over ₦730 billion is generated annually by the gaming industry in Nigeria, particularly sports betting. This growth is largely attributable to Nigeria’s intense love and passion for sports, particularly football, and technological advancements, which are reflected in the rise in GSM subscription and mobile penetration, among other things. It is also our humble observation and submission that the increased rate of unemployment in the nation is also a contributory factor to the growth of the industry.

Following such tremendous growth and contribution to the revenue of the nation, further statistics has shown that over 60 million Nigerians, aged 18 to 40, are involved in sports betting (a form of online gaming) with the operators paying taxes to the Government and engaging young people who would have been jobless. Thus, this has made the gaming industry one of the major drivers of the Nigerian economy, by contributing to the Gross Domestic Product (GDP) and revenue of the nation as well as providing employment to several jobless youths. Despite however the wonderful and laudable contributions of the gaming industry in Nigeria and amidst its rapid expansion lay several implications and concerns for data privacy and protection. Since the gaming industry is largely online and requires the use of the computer system connected to the internet for a wide range of activities including controlling gaming devices as well as obtaining and storing data of players, there is need for protection and safe keeping of these data to avoid breach.

As more people participate in the gaming industry, several personal information are shared across various sites and online platforms which need to be protected and safeguarded, thereby giving rise to the issue of data privacy. The implications of this for consumer data security cannot be over emphasized, as immense amount of financial and personal information are collected from consumers, bettors are often required to create accounts with financial and banking information that have passwords and security questions, and hackers target these companies either for the theft of betted money in wallets or for confidential account data; a violation which is a breach of data privacy and which will affect both the players and the operators alike. Thus, in this research article, we shall be examining the data privacy regime in Nigeria whilst beaming our search light on the gaming industry.

MEANING OF DATA PRIVACY

Data Privacy, also called information privacy, deals with the ability an organization or individual has to determine what data can be shared with third parties. It has further been observed to mean that branch of data management that deals with handling personal data in compliance with data protection laws, regulations and general privacy best practices. This denotes that when we make reference to data privacy, we are simply referring to privacy of data in a technical sense, which emphasizes the handling of personal data in accordance with prescribed laws and regulations, in such manner as to be able to determine what can be shared with third parties. This can be determined by an organization or the individual so concerned. Thus, Data Privacy encompasses the right of individuals and organizations to keep private personal data in order to prevent it from falling into the hands of an unauthorized party.

Closely associated and related to Data Privacy is ‘Privacy of citizens’. In the case of Digital Rights Lawyers Initiative v. National Identity Management Commission, the trial court rightly held that the right to privacy of citizens as guaranteed under the section (Section 37 of the 1999 Constitution of the Federal Republic of Nigeria) includes the right to protection of personal information and personal data. This in our humble opinion covers the meaning of data privacy.

DATA PRIVACY IN NIGERIA

Data Privacy was a concept that remained a grey area in Nigeria for quite a long time. However, following technological advancements and innovations as well as recent campaigns, symposiums, webinars, seminars, etc being organized by several Data Privacy and Protection Organizations, Non-Governmental Organizations, Government agencies like National Data Protection Bureau and Nigeria Information Technology Development Association, the concept of Data Privacy have begun to receive its deserved and desired attention.

The foundation of Data Privacy in Nigeria could be said to be strongly hinged on the provisions of the 1999 Constitution of the Federal Republic of Nigeria (CFRN) to the effect that: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” Some scholars have however been careful to note that this section doesn’t really cover electronic or personal data, thus leading to a clamor for a more comprehensive and reliable regulation to ensure data privacy and protection. It is this clamor and quest that led to the enactment of the Nigeria Data Protection Regulation (NDPR) in 2019 which regulation is substantially the same with the European General Data Protection Regulation (GDPR). Data Privacy in Nigeria has had a rough and uncheckered trajectory as a result of a reactive legislature, political dawdling and high level of ignorance and illiteracy amongst the citizens. Despite however these impediments, the concept has continued to thrive and grow like a tender plant shooting out from a dry and hard ground. Thus, there are several legislations on this concept which we shall readily classify as primary and secondary. Primary, referring to legislations solely on the concept of data privacy and protection whereas secondary refers to legislations which ordinarily make reference to the concept as it affects their primary aim.

It is pertinent at this point to take a cursory examination of some legislation in Nigeria which ensure and enhance the privacy of the data of citizens.

The Nigeria Data Protection Regulation, 2019 (NDPR, 2019)

The NDPR was issued in 2019 by the National Information Technology Development Agency (NITDA) basically to fill the vacuum of not having a Data Protection Act in Nigeria, and as such has been criticized by many scholars as not being comprehensive and thorough in its quest and zest to ensure data privacy and enhance its protection in Nigeria. This notwithstanding, the NDPR has made some laudable impacts and achievements within the data privacy sector. It expounded the concept of data protection under the Constitution, and made provision for the rights of data subjects, the obligations of data controllers and data processors, transfer of data to a foreign territory amongst others. This means that as at the time of writing this article, there is no other starting point for underscoring Nigeria’s data protection landscape other than the NDPR. It is however worthy of note that on the 4^th of October, the Nigeria Data Protection Bureau (NDPB) released the draft Data Protection Bill, 2022 which if enacted will definitely go a long way in remedying the defects inherent in the NDPR as already contemplated by its provisions. Despite its lackluster and incomprehensive provisions, it has facilitated the enforcement of punishment and imposition of fines for data breach by its enforcement arm – NITDA. Avery recent example is the fining of Soko Lending Company limited the sum of ₦10 million for various violations of its provisions. This is however the first fine issued under the NDPR, which makes one wonder how in this age of tech innovations and continuous breach of personal data on several organizations sites, the NDPR since 2019 has only fined one company.

The 1999 Constitution of the Federal Republic of Nigeria (1999 CFRN)

As earlier stated, the 199 CFRN is more or less the foundation and gravamen upon which every other enactment or legislation on the subject of data privacy and protection derive its validity. This is by virtue of the provision of Section 37 of the Constitution. Thus, it suffices to be stated that data privacy and protection are mere extensions of a citizen’s constitutional/fundamental rights to privacy. This position was also stressed by the trial court in the case of Digital Rights Lawyers Initiative v. National Identity Management Commission.

Child Rights Act, 2003

This is one of the legislations which make ancillary provisions on the subject of data privacy as it relates to the rights of a child. It is noteworthy that the Nigerian child is defined as a person under the age of 18 years by the Act. In furtherance of its provisions in respect of data privacy, the Act prohibits the dissemination of a fostered and adopted child’s information to any member of the public except by an order of the court. Furthermore, the Act provides that with respect to a child offender, the personal information of the child shall not be published. This is the reason why the name of a child offender is usually concealed when the matter goes on trial and even when the case is being reported, thereby enhancing the protection of the data of such a child in contemplation of the provisions of the Constitution.

Freedom of Information Act, 2011

This Act facilitates public access to public records and information, and has been a key in fostering transparency, accountability and good governance amongst our public office holders. However, it is worthy of note that the Act obliges public and Government institutions and organizations to refuse freedom of information request which seeks access to information that is personal except the individual’s consent is secured or otherwise where the information is already within public purview. Where however, public interest clearly outweighs the privacy right of the individual, this right will be jettisoned. Furthermore, by virtue of Section 16 of the Act, a public institution is also authorized to deny a freedom of information request that seeks to access information which is subject to various forms of professional privileges conferred by law e.g Lawyer-client privilege, Health worker-client privilege, etc.

Cyber Crime Act, 2015

The Act was specifically enacted to prohibit and prevent crimes in the cyber/online space and also appears to give an expansive and elaborate interpretation to the constitutional right to privacy under Section 37 of the Constitution. Accordingly, law enforcement agencies have a duty under the Act to safeguard the confidentiality of information collected, retained and/or processed for the purpose of law enforcement. Furthermore, it imposes an obligation on mobile networks service providers to accord respect to an individual’s/consumer’s right to privacy as enshrined in the constitution and as such take steps in accordance to global best practices to ensure the confidentiality and safety of data processed.

National Health Act, 2014

By virtue of the preamble to the Act, it was enacted to provide a framework for the regulation, development and management of a national health system and to further set standards for rendering health services in the federation. According to the provisions of the Act, the information about a health user’s health status or treatment is considered confidential and as such cannot be disclosed to third parties without the consent of the health user or by the order of court. Furthermore, the Act imposes a duty on health service providers to set up internal control measures to ensure the security and integrity of health user information and to prevent unauthorized access to such information. Finally, by virtue of Section 29(2) of the Act, failure to comply with the provisions of the Act on data protection is a criminal act and punishable by imprisonment and/or fine.

THE GAMING INDUSTRY IN NIGERIA

Gaming generally refers to the practice or activity of playing games either with or without stakes or in other words betting. It is mostly online and often involves placing stakes. In other words it can simply refer to the playing of video or computer games offline or online and online gaming which involves placing stakes.

The gaming industry in Nigeria has evolved over the years being largely prohibited before the 2000s. The regulatory efforts to prohibit unlawful gambling were expressed in the Gaming Machines (Prohibition) Act, 1997 which banned the importation, ownership and operation of any gambling machines or gaming house and other related matters. In a bid however by the Federal Government to recognize some forms of gambling, the Criminal Code Act was enacted which prohibits any form of “unlawful gaming”. This effort to legalize gaming in Nigeria led to the enactment of the earliest form of gaming law in Nigeria – Lagos State Lottery Law, 2004 which regulated gaming related activities in Lagos State. Thereafter, the Federal Government enacted the National Lottery Act, 2005 and the National Lottery Regulations, 2007, and as such gaming in Nigeria became legal as long as it is licensed.

Gaming in Nigeria is broadly classified as “lottery”, and has recently begun to receive and garner wide acclamation and reception owing to the massive and teeming youth population across the nation. This is further facilitated by ease of access to smart mobile phones and by extension the internet, high level cum rate of unemployment and also passion for sporting activities. It has further been reported that as this growth process in the gaming industry is taking place, by the end of last year (2021), 23% of Nigeria’s population was involved in playing games, while the industry recorded $185 million in the same year. According to experts, the growth recorded in the accessibility of smart phones in Nigeria is a reason for the popularity of smart phone gaming. Furthermore, according to a report by the BBC, more than one hundred million people have access to the internet now. Resultantly, Nigeria has seen a massive boom in online gaming. This online gaming is where people can use the internet to stream video games and play with their friends or other users from across the globe. Thus, ranging from online multiplayer games, gambling, sports betting, smart phone gaming, etc, Nigerians (mostly the youths) have actively been involved in the gaming industry as a result of rapid advancement in technology. Some popular smart phone games in Nigeria include: The King of Avalon, Call of duty, clash of kings, candy crush, FIFA (most played soccer game on play station console) etc. Also, some popular online gaming sites in Nigeria include: Betway, BetNaija, sportPesa, 22bet, etc. The gaming industry since its boom, has contributed largely to the GDP of the nation, and it is our humble opinion that in light of its recent contributions to the economic growth and development of the nation, it should be leveraged as well as given adequate attention by removing any hitch or bottleneck that may hinder its further growth and development especially in the area of data privacy and cyber security.

PRIVACY RIGHTS IN THE NIGERIAN GAMING INDUSTRY

The need for privacy rights in the gaming industry arose in response to the vast amount of personal data ranging from name, credit card number, address, e-mail address, etc. which are being required by game developers or online gaming sites (data controllers) for a more exciting gaming experience by gamers (data subjects).

Privacy and security of data must be considered germane throughout the initial design of gaming products and services as the industry continues to change and discover new ways to connect. This is to ensure that gamers do not fall prey to hackers, cyber attackers or scammers who manipulate personal data for unscrupulous benefits.

Following the advent of technology, various sectors and industries have experienced a global revitalization and shift in the conduct of their affairs and activities. This is also inclusive of the gaming industry. Thus, these advancements have led to the requirement of uploading individual’s personal data on gaming websites thereby giving rise to the need for data protection. In view of the fact therefore that game developers and online gaming sites are data controllers, it means that Bet9ja (a foremost online gaming site in Nigeria), betway, sportybet, etc are also data controllers, and are therefore obligated by virtue of Article 2.6 of the Nigeria Data Protection Regulation, 2019 to apply data security measures that gurantee the protection of the personal data they process or intend to process thereby establishing the right to privacy of their data subjects who are the gamers. It is worthy of note that sometime in June, 2022, the Federal Government investigated Bet9ja for privacy breach which led to the use of personal data of gamers to open accounts. This has therefore resulted in the deployment of stringent cyber security measures to tighten the security of personal data of gamers thereby ensuring that their right to privacy is ensured. Some measures deployed include: setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data, etc. This is also the reason why almost all games have privacy policies which gives the gamers information on how their data is being collected and used, thereby guaranteeing their privacy right. It is however unfortunate that most gamers do not take their time to peruse through the contents of the policy.

COMPLIANCE REQUIREMENTS FOR GAMING OPERATORS IN NIGERIA

Compliance to prescribed regulations generally aid public institutions, companies and organizations to avoid fines and lawsuits, and also aid the government of any nation to realize its desired goal or end which is the protection of its citizens. The Nigeria Data Protection Bureau had earlier in October, 2022 issued a compliance notice to public institutions that receive and process data of individuals requiring them to comply with the requirements contained therein or risk the payment of fine. However, by November, the bureau decried that there has been low compliance, and further expressed that the automation of data processing has made data protection imperative in the health and gaming sectors. It seems that public institutions, organizations and companies are yet to understand how imperative data privacy and protection is in all sectors.

There are several compliance requirements for gaming operators under the NDPR, 2019 and under the National Lottery Act of 2005, and we shall be itemizing them briefly as follows:

• Obtaining License for operation: By virtue of the National Lottery Regulatory Act, 2005, before a sports betting company can promote or pursue its business in Nigeria, it must have applied to the National Lottery Regulation Commission to be incorporated as a sports betting company in Nigeria. It is after this application is made that it can then, pursuant to the guidelines of the NLRC, make further applications to be granted an operating license. Without this license, any business being transacted by any “sports betting” company is deemed illegal in Nigeria. 

• Display and clarity of Privacy Policy: By virtue of the provisions of the NDPR, 2019, every medium through which personal data is being collected or processed (including game apps and sites) shall display a simple and conspicuous policy that the class of data subject can understand. The policy shall in addition to any other relevant information contain the following:

1. what constitutes the Data Subject’s consent;
2. description of collectable personal information;
3. purpose of collection of personal data;
4. technical methods used to collect and store personal information, cookies, JWT, web tokens, etc;
5. access (if any) of third parties to personal data and purpose of access;
6. a highlight of the principles stated in Part 2;
7. available remedies in the event of violation of the privacy policy;
8. the time for remedy; and
9. Provided that no limitation clause shall avail any data controller who acts in breach of the principles set out in this regulation.

• Designation of a Data Protection Officer: Every organization or institution involved in data collection and control (Data Controller) which in this case is the gaming operators in Nigeria, shall designate a data protection officer for the purpose of ensuring adherence to the provisions of this regulation, relevant primary instruments and data protection directives of the data controller; provided that the Data Controller may outsource data protection to a verifiably competent firm or person. 

• Engagement of a Data Compliance Organization (DPCO): In order to facilitate, monitor, audit, conduct trainings and consult in respect of data protection, data controllers who is in this case the gaming operators in Nigeria, shall employ the services of DPCOs who shall be subject to the regulations and directives of NITDA.

• By the provisions also of Article 4.1(6) of the NDPR, 2019, where a gaming operator processes the personal data of more than 1000 in a period of 6 months, a soft copy of the summary of the audit containing information stated in Article 4.1(5) of the regulations shall be submitted to the agency.

• A gaming operator who processed the personal data of more than 2000 data subjects in a period of 12 months shall on annual basis, not later than 15^th March of the following year, submit a summary of its data protection audit to the Agency. This audit shall contain information as specified in Article 4.1(5). 

DATA PRIVACY CONCERNS IN THE GAMING INDUSTRY

The gaming industry has been inundated and fraught with a lot of privacy right issues, mostly as a result of failure of gaming operators (data controllers) to comply with the requirements that should enhance and boost the privacy of gamers (data subjects) coupled with carelessness on the part of gamers who do not safeguard and secure their personal security details. It is worthy of note that the gaming industry in Europe has received and experienced its fair share of cyber attacks including the 2011 and 2015 breaches that affected millions of Xbox play station gamers. The unauthorized users gained access to gamers’ names, addresses, email addresses, usernames, passwords and security questions. This enabled them to access multiple accounts of gamers.

Furthermore, it has been generally observed that data is the “oil” of the 21^st century and as such is ridden with a lot of value. This is because, to an advertising or sales company, data enables it to correctly predict what a person likes or dislikes, thereby keeping him on top of the game as regards demand and supply. It also means that when personal data of individuals is stolen or breached, it can be sold in the black market to companies who need them in order to boost their sales or productivity.

Moving on, a research report by Akamai Technologies reveals that the Indian gaming industry was victim to 12 billion cyber attacks during the period – November 2017 to March 2019. These numbers have been growing ever since, risking the online safety and security of gamers. Suffice to say that adequate data protection and privacy goes beyond display of privacy policing and filing of compliance audit returns with the bureau. In a report therefore by the Federal Government in November, 2022, there have been breaches in the banking, telecoms and gaming sectors, and the data of over 60 million Nigerian youths in the Nigerian gaming industries are at stake. As long as we keep evolving as a nation and globally, especially in the gaming sector/industry, we’ll keep experiencing new threats. However, the current threat being fought against is that of data privacy wherein cyber attackers disguise themselves as gamers, only to hack into game systems to steal personal data of gamers. This, more often than not results in hacking gamers’ personal bank accounts as a result of their credit card information on gaming sites.

RECOMMENDATION/CONCLUSION

Emerging technologies have embraced us with its attendant benefits and ills. Thus, while it has led to a leap in the economy by virtue of the gaming industry, it has also created the menace of an increment in the rate of ongoing cyber attacks and crimes which are the aftermaths of personal data breaches. However, it is our humble suggestion and opinion that since one of the reasons why personal data of gamers are often required is for online payments in order to gain more exciting gaming experience, block chain could be leveraged and used to create immutable ledgers that safeguard user data through Non-Fungible Token (NFT) transactions. This will greatly reduce the exposure of the personal data of gamers and further enhance and ensure data privacy in the gaming industry in Nigeria.

Solomon Nwabueze writes from Lagos, Nigeria and can be reached at sncnwabueze@gmail.com