Need for enforcement of data residency and domiciliation policies in Nigeria
Majority of the content accessed in Africa by local users is hosted overseas. Similar to emails which make a circuitous journey outside the continent, usually to Europe, America or even Asia and back, African content is not really delivered from Africa. Due to infrastructure and cost reasons, content owners in Africa have traditionally hosted their content outside the shores of the continent.
This creates several challenges: the process of routing traffic outside the continent costs more as Internet service providers face higher transit costs to deliver the content to local users by shipping from offshore. It also delays content delivery to the region, further compromising the user experience. A study commissioned by the Internet Society in Rwanda discovered that a local content developer achieved a savings of only USD 111 per annum on hosting overseas, but this cost Rwandan ISPs about USD 13,500 in transit costs to deliver the content to local users.
Discussions around data residency and data sovereignty have soared recently, with Nigeria’s National Information Technology Development Agency (NITDA) making a bold pronouncement on Nigerian content hosted within the country. Such regulations have been popular globally and were originally triggered by the dominance of US companies on the Internet and the Patriot Act, amplified by the Snowden allegations. More recently, corporate and national anti-competitive practices aimed at gaining industrial or other competitive advantages such as cyber-attacks and data sniffing, data hostage and bad debt have further escalated the need to protect data as a national asset.
Several countries have quickly implemented national residency, localization or domiciliation laws to enforce the retention of data in the country of origination with most European countries, Russia, China, Malaysia and Indonesia enacting Data Domiciliation regulations. Brazil and Vietnam insist on a local copy of all data involving nationals even as the Australian government has imposed restraints on health data leaving the country. These governments have cited foreign surveillance and increasing cyber security threats as an argument for data residency and localization.
Unfortunately, Africa has not been proactive in terms of data domiciliation as other climes. Though some countries in Africa have data protection legislative bills in place, enforcement of local laws has been a problem over the years. Perhaps the dearth of data centers on the continent made such enforcement difficult. With the emergence of indigenous Data Centers within the country in recent years including Galaxy Backbone, MainOne and Rack Center with more to come, Nigeria has no excuse not to enforce data residency laws for Nigerian data.
With full enforcement, the impact of local data centers, locally-hosted content and the investment in the Internet Exchange Point of Nigeria (IXPN) on internet experience in Nigeria will be enormous. By their presence in-country, these local data centers guarantee lower bandwidth costs, quicker access to content providers and carriers, local peering and lower latency for local markets. The recent effort at entrenching data residency by the IT regulatory agency, NITDA which made local hosting of government websites a mandatory requirement is therefore commendable but it needs to be enforced.
While this is a good start for Nigeria, there are obvious opportunities that the regulator should be going after. The homegrown digital payment platform adopted by the Federal Government for its Treasury Single Account (TSA) Policy is hosted outside the country. As at December 2016, the software had helped the government recover N4.3trillion of its cash assets idling in Deposit Money Banks. It also processes $30 billion transactions yearly and serves 500+ microfinance banks and 1000+ merchants, billers, multinationals, SMEs and governments at various levels. Likewise The Immigration Services hosts its database for passport registration outside the country.
These databases contain critical information about too many Nigerians to reside in foreign data centers. Hosting such critical data outside the country is extremely dangerous. It is time to commence enforcement of data protection and privacy legislations to ensure that beyond websites, critical Nigerian data across pivotal sectors as Finance, Oil and Gas, Healthcare, and Government agencies reside in Nigeria.
Local data centers support National Security because they are governed by local laws. They also reduce capital flight and create jobs for Nigerians. Asides the attendant FOREX costs of hosting critical data offshore, data residency in Nigeria guarantee better quality support trumping time differences, language barriers and currency restrictions for all Nigerians.
Regulators need to go beyond lip-service to data residency issues and should enforce compliance. With the recent technology developments locally, the spate of global cyber-attacks, it is expedient for Nigeria to implement local data domiciliation laws in a manner that will limit data breach, limit capital outflows from the country and encourage Nigerians content developers and global investors who want to access the Nigerian market to look inwards.
Ahilari, an ICT expert writes from Abuja