MTN Nigeria has refuted claims it is sharing identifiable customer data with third parties as part of efforts to curb the spread of COVID-19.
Digital rights campaigners, including Paradigm Initiative, have expressed concern over consumer privacy.
On 6 April 2020 the GSMA released COVID-19 privacy guidelines, which includes to help counter misinformation and raise awareness of data sharing.
The Nigerian Governors Forum (NGF) is understood to have collaborated with telcos regarding response to the COVID-19 pandemic, and according to a Paradigm Initiative report, MTN entered into a data-sharing partnership with the state governors to mine and provide its users’ data “to profile States vulnerability to the spread of the coronavirus.”
Paradigm Initiative Nigeria stated that regardless of the intention, the reported sharing or potential sharing of users’ personal data by MTN with the NGF will constitute a breach of users’ trust and a violation of their right to the privacy of their data – especially if the data being shared is personally identifiable.
The online rights organisation insisted that MTN has no power to use, distribute or grant third-party access for the processing of users’ data as information such as travel history, current location, and others are private and not commodity.
The organisation’s legal officer, Adeboro Odunlami said: “MTN and other network mobile operators must stay within bounds of industry ethics including the principles surrounding data sharing and data protection in conducting any CSR initiative (if this is the claim) in this austere time. We stated in the press release that the mobile network operator could share non-personally identifiable data; that is, data that cannot be used on its own to trace or identify a person/data subject. We are not certain that MTN is sharing personally identifiable data and we stated as much in the press release, but this also raises another duty of MTN to be transparent with its subscribers on its relationship with the NGF and the kinds of data being shared.”
Odunlami referred to the role of the Nigeria Data Protection Regulation (NDPR) and National Information Technology Development Agency regarding data privacy legislation.
He said: “While we yet advocate for a proper Data Protection Law and more expansive legislation around subjects like this, I believe the NDPR can provide a bit of guidance on this. To be honest, Nigeria needs to do better in protecting data subjects and providing laid down laws and regulations that define processes of such nature.”
Tobechukwu Okigbo, Chief Corporate Services Officer at MTN Nigeria, said the company’s contribution to the Nigeria Centre for Disease Control as well as to federal and state governments through the NGF has been “to ensure they can stay connected, have the data they need to target response including a bespoke vulnerability assessment for each state, and can continue to deliver governance remotely during this period.”
Okigbo insisted that this does not involve sharing of identifiable user data.
“In doing this, it is important to note that we are not breaching any privacy regulation, because we are not offering customer data to the NGF. The analysis will be done using completely anonymised data. The data will be external, aggregated, non-identifiable with no single subscriber information, which is fully in compliance with GSMA standards on COVID-19 use cases and the NDPR.”