The Nigerian Cybercrime Act 2015 is a novel piece of legislation, this is because it is the first Nigerian Federal Law which was created specifically to deal with the criminal threats and issues we face in the Digital Age.
Although the massive gains, which have occasioned the passage of the law, need to be highlighted and celebrated, we also need to ensure that we point out its failings. This is in a bid to ensure the development of the law, to make it better.
Cybercrime Act and the registration of Cybercafés
The Cybercrime Act has made it mandatory for every operator of a cybercafé in Nigeria, to register its business with the Computer Professional’s Registration Council (CPRC), and the Cybercafé operators have to maintain a register of users.
This requirement is flawed on a number of grounds:
- It puts an unnecessarily onerous responsibility on these businesses. The reason for the registration is to create a database of these operators and to have a way of monitoring the users of these services who may want to perpetrate illegal activities. Not only must they register to the CPRC and potentially pay a registration fee, but they must also set up registers and ensure they maintain these registers.
- The registration of Cybercafés is not within the mandate of the CPRC. Its mandate is ‘to provide a regulated and standard-driven environment for IT education and practice in Nigeria’. They deal with IT education and standards in computer products. There’s unfortunately no evidence to suggest that this organisation is capable of dealing with this additional responsibility, which the Cybercrime Act 2015 has handed to it. For instance, do they have enough branches to accept walk-in registrations? If the registration will be done online, do they have a system set up that can verify the registration details that would be supplied online? These are just a few of the issues with giving the CPRC the mandate to deal with the registration.
- The mandatory sign-in register by cybercafés creates a potential security risk for private citizens. Mandating that users of cybercafes must sign-in and therefore provide their personal information to these businesses, can open them to the risk of their details being sold to commercial entities for profit, or potentially for more nefarious activities. If the Act is to insist on a process like this, it needs to recognise this risk and create appropriate safeguards.
Mandatory winding up and forfeiture of assets
The Cybercrime Act 2015 has also created a controversial provision where if a body corporate is charged and found guilty of an offence under the Act, then a court may make an order for it to wind up its assets and the assets of the company will be forfeited to the Federal Government.
To say this provision is a bit heavy-handed is a bit of an understatement; one of the principles of criminal law and penal theory is that the punishment should be commensurate to the crime. Any law that states that an added penalty for conviction of an offence is that all the assets of the company will be forfeited (without regard to creditors and shareholders) to the Federal Government is definitely not one that encourages investment.
Lawful interception of communication
The Cybercrime Act 2015 also provides that under certain circumstances, a Judge may order service providers to ‘intercept, collect, record, permit or assist competent authorities with the collection or recording of content data and/or traffic…’ The issue with this is that the law seems to sneak in a very contentious and potentially unconstitutional provision as a mere section under a Law. Something as important as interception of communication needs to be dealt with as a Law in its own right.
The interception of communication is in direct conflict with Section 37 of the 1999 Constitution, which provides that ‘The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.’ For anything to even attempt to derogate from this constitutional right, it must be a pretty serious crime that is being investigated.
Unfortunately, the Cybercrime Act does not qualify the type of alleged crimes that can trigger a request for interception of communication; the reality then is that the request can be made for an offence that is a ‘minor offence’. It is unlikely that the Constitution anticipated a law that could derogate from its effect by ‘minor offences’.
Cyber security Fund
The Law establishes the National Cyber security Fund and creates a levy of ‘0.005 of all electronic transactions’ of:
- GSM Service providers and all telecommunication companies;
- Internet Service Providers;
- Banks and other Financial Institutions;
- Insurance Companies;
- Nigerian Stock Exchange
The problem with this fund is that it is very ambiguous, it doesn’t specify what ‘0.005’ means, is it a percentage of the transactions? of profit? of income? We do not know.
Also, this is an added cost and tax on these businesses. Businesses who have an annual turnover of One Hundred Million Naira (N100, 000,000) are already supposed to pay a levy of one per cent (1%) of their annual profit before tax to the National Information Technology Development Fund.
Cancellation of International Passports
The Act states that any individual who is convicted of an offence under the Act ‘shall have his International passport cancelled’.
This would appear to be a violation of the constitutional right of freedom of movement of Nigerians as laid out in Section 41, and as decided in the case of Director of SSS v Agbakogba. Further, the Passport (Miscellaneous Provisions) Act gives the power to cancel a passport only in cases where:
- the passport is obtained by fraud;
- the passport has expired;
- a person unlawfully holds more than one passport at the same time;
- it is in the public interest so to do.
In the case of the Cybercrime Act, any cancellation of a passport under the basis of the conviction of an offence would have to be justified as ‘in the public interest’. Since all offences under the Act could presumably lead to a cancellation of a passport, the absurdity would be that a minor offence like ‘cybersquatting’ would lead to the individual having his/her passport cancelled.
This provision is clearly a bit heavy-handed and as mentioned above, potentially unconstitutional.
We intend to look at other aspects of the Cybercrime Act 2015 in future posts, and if you would like to read them, you may subscribe to our newsletter here.
Thank you for reading this post, if you have found it useful please share with your network using one of the share buttons below. If you have any suggestions or feedback, please send us an email at firstname.lastname@example.org
We hope you have found this information helpful. Please note that this information is provided for general informational purposes only and is not intended to be legal advice. No lawyer-client relationship is formed nor should any such relationship be implied. This answer is not intended to substitute for the advice of a qualified lawyer. If you require legal advice, please consult with a qualified lawyer. If you would like to find out more about a consultation, you may click on the button below.