Act Amendment Raises Queries about Legal Status of ONSA
The February 2024 amendment to the Cybercrimes Act of 2015 has stirred serious national controversy and citizens’ outcry especially about its financial implications. The amendment to the Cybercrimes Act was contained in a bill sponsored by Senator Shehu Buba (Bauchi; APC). The bill passed in the Senate on 21st December 2023 and in the House of Representatives on 14th February 2024. The national outcry arises from several factors:
- The speed of passage of the amendment
- The secrecy surrounding the process of passage of the amendment, including the absence of public participation
- The apparent focus of the amendment on taxation
President Bola Tinubu assented to the bill in February 2024.
On Friday, May 3, 2024, the Office of the National Security Adviser (NSA) called for the full implementation of the Cybercrimes Amendment Act 2024, particularly the operationalisation of the National Cybersecurity Fund. Subsequently, the Central Bank of Nigeria (CBN) issued a circular directing banks and other financial institutions on the collection of what it termed the ‘cybercrimes levy’ and that was what drew the attention of Nigerians to this amendment to the Cybercrimes Act. This development has raised questions about the furtive passage of bills by the National Assembly, particularly bills that have a direct impact on Nigerians.
The House of Representatives has called for a halt to the implementation of the cybercrimes levy provision, while the Chairman of the Senate Committee on National Security and Intelligence, Senator Shehu Buba, who sponsored the bill stated that the levy is not targeted at individuals but at the businesses specified in the Act. However, he did not explain what constitutes transactions by those businesses.
One of the key changes made by the amendment Act is the insertion of an enabling provision for the administration of the National Cybersecurity Fund by the Office of the National Security Adviser (NSA), with the (0.005) 0.5% levy on all electronic transactions by specified businesses being one of several sources of revenue for the Fund. The Office of the NSA being a position and not an organisation has been empowered to administer, keep proper records of account and ensure compliance monitoring mechanism for the Fund. The question has arisen as to whether an entity that is neither a constitutional nor statutory body can assume the powers to manage levies collected under the Act. There is also the question whether revenues collected at the Federal level should not first be paid into the Consolidated Revenue Fund of the Federation to be spent only after the National Assembly has appropriated same through a budget.
There have been lingering questions about the status of the Office of the NSA. Although the National Security Adviser is mentioned in Paragraph 25, Item K, Part 1 of the Third Schedule to the Nigerian Constitution as a member of the National Security Council, the ‘Office of the National Security Adviser’ is not a creation of law. Section 4 of the National Securities Agencies Act provides for the appointment of a Coordinator on National Security as a principal staff in the office of the President for the purpose of coordinating intelligence activities of the National Security Agencies. These provisions do not establish an Office of the NSA as a legal entity. There have been debates over what the actual powers of the NSA should be. Ordinarily, the assumption is that the NSA co-ordinates the work of security agencies in the country. Funding for the Office of the NSA is usually included as a budget item under the Presidency.
The controversy over the cybersecurity level has hinged mostly over the burdensomeness on citizens who are already overtaxed and in unprecedented suffering from inflation, rising cost of living and weakened financial abilities.
Section 44 of the Cybercrimes Act 2015 before its amendment, provided as follows:
- There is established a Fund, which shall be known as the National Cyber security Fund (in this Act referred to as “The Fund”).
- There shall be paid and credited into the Fund established under subsection (1) of this section and domiciled in the Central Bank of Nigeria:
(a) A levy of 0.005 of all electronic transactions by the businesses specified in the second schedule to this Act.
The new amendment to section 44 (2)(a) now states as follows:
A levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule to this Act
The new subsections (6) and (8) provide as follows:
(6)The Office of the National Security Adviser shall administer, keep proper records of the accounts and shall ensure compliance monitoring mechanism.
(8) A business specified in the Second Schedule to this Act that fails to remit the levy under section 44 (2)(a) of this Act commits an offence and is liable on conviction to a fine of not less than 2% of the annual turnover of the defaulting business and failure to comply shall lead to closure or withdrawal of the business operational licence.
The businesses referred to in section 44 (2) (a) of Act include the following:
(a) GSM Service providers and all telecommunication companies;
(b) Internet
Service Providers;
(c) Banks and other Financial Institutions;
(d) Insurance Companies;
(e) Nigerian Stock Exchange.
The cybersecurity levy is not an entirely new provision. The amendment to subsection (2)(a) was the addition of the word ‘value’ to the word ‘transactions’ and also by the addition of ‘0.5% (0.005) equivalent to half percent’ to emphasis the proportion of the levy.
The amendment has expanded the powers of the Office of the NSA in subsection (6) by adding administration and ensuring compliance monitoring mechanism of the National Cybersecurity Fund to the responsibilities of the NSA. Previously, the only responsibility of the Office of the NSA under the former subsection (6) was keeping the records of the accounts the Fund.
The new subsection (8) criminalises failure to remit the levy by specified businesses.
Also, section 44(4) provides that the levy shall be remitted by the specified businesses into the National Cybersecurity Fund domiciled in the Central Bank of Nigeria (CBN).
Section 44(5) which provides that up to 40 % of the National Cybersecurity Fund may be a
allocated for programmes relating to countering violent extremism does not appear to align with the purpose of the Act.
Senator Shehu Baba (APC; Bauchi) who sponsored the bill in the Senate stated that the bill sought to amend section 44 of the Act to insert some consequential omissions from the Act and address all anomalies that hindered the effective implementation of the Act. It would appear that while the amendment affected some other sections of the Act by introducing new words to enhance the meaning of the provisions of those sections, section 44 which places a levy on transactions by specified businesses was amended to give the ONSA powers to enforce the provision of the section.
Other amendments to the Act include the following:
Section 17(1) (b) was amended to correct the word ‘geniuses’ to ‘genuineness’ and subsection 17(2) was amended to read thus:
- The following transactions shall be excluded from the categories of contractual transactions or declarations that are valid by virtue of electronic signature except where they are legally verified in Certified True Copies:
This implies that the Certified True Copies of transactions or declarations listed under this subsection which were not be considered valid by use of electronic signatures can now be considered valid.
Section 21(1) is amended to read thus:
- Any person or institution, who operates a computer system or a network, whether public or private, must immediately inform the National Computer Emergency Response Team (CERT) Coordination Center through their respective sectoral CERTs or sectoral Security Operations Centres (SOC) of any attacks, intrusions and other disruptions liable to hinder the functioning of another computer system or network, so that the National CERT can take the necessary measures to tackle the issues.
The amendment to 21 (3) changes the timeline that a person or institution is required to report an incident on a computer system or network from ‘7 days of its occurrence’ to ‘72 hours of its detection’.
The purview of section 22 is expanded to include persons who are engaged in the services of public and private organisations as those who may be liable for the offence of identity theft and impersonation. In the Principal Act, only persons engaged in the services of financial institutions could be held liable for this offence.
Section 24(1) (a) and (b) which define the offence of cyberstalking have been amended to read thus:
Any person who knowingly or intentionally sends a message or other matter by means of computer systems or network that –
- is pornographic
- he or she knows to be false, for the purpose of causing a breakdown of law and order, posing a threat to life, or causing such message to be sent,
This provision in the Principal Act defined cyberstalking as follows:
Before this amendment, these provisions defined cyberstalking to include materials that were grossly offensive, indecent, obscene, of menacing character or sent to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, hatred, ill will and needless anxiety.
The amendment has narrowed down the definition of the offence of cyberstalking. This means that some acts that previously constituted cyberstalking will not be considered as such moving forward. It is important to note that section 24 has often been used by security agents as the basis to arrest journalists and other persons who speak or make publications criticising public officials. Individuals and businesses have also invoked this provision to instigate the prosecution of their critics.
In section 27(2), the scope of persons who may be liable for the offence of perpetrating fraud using computer systems or network has been expanded by the amendment from an employee of ‘a financial institution’ to an employee of ‘any private or public organisation’.
In section 30(1) and (2), the offence of manipulating an ATM machine or Point of Sales terminal and the offence of connivance by the employee of a financial institution to perpetrate fraud using an ATM or Point of Sales device has been expanded by this amendment to include ‘any other payment technology means’.
The amendment to section 37(1) (a) requires financial institutions to verify the identity of their customers by asking them to present a ‘National Identification Number issued by the National Identity Management Commission and other valid’ documents bearing their personal details, before issuing them ATM cards, credit/debit cards and other related electronic devices.
The amendment to section 38(1) which provides for retention of traffic data and subscriber information records by communication service providers for a period of two years, now stipulates that such records are to be retained in accordance with the provisions of ‘the Nigeria Data Protection Act.’ It also streamlines the records to be retained to ‘specific’ traffic data and subscriber information.
This amendment recognises the recently enacted Nigeria Data Protection Act which is the key legislation on data protection in the country.
Section 41(1), which provides for the responsibilities of the Office of the NSA as the coordinating body for all security and enforcement agencies under this Act, is amended to include two more responsibilities as follows:
- ensure the establishment of sectoral Computer Emergency Response Teams (CERT) and sectoral Security Operation Centres (SOC) that shall feed into the national CERT;
- ensure that all public and private organisations integrate and route their internet and data traffic to the sectoral SOCs thereby protecting the national cyberspace;
The amendment deletes section 48(4) which provided one of the punitive measures for offences under the Act. It provided for the cancellation of the international passport of a person convicted of an offence under the Act and for the withholding of a foreigner’s passport until he or she has served their sentence or paid any fines imposed on them.
While most of the amendments introduce new words that enhance or modify the meaning of the affected provisions of the Act, the amendment of section 44 enables the implementation of the cybercrime levy and even stipulates a punishment if the specified businesses fail to comply. However, the Amendment Act contains some cross-referencing errors.
See the Cybercrimes Amendment Act 2024 here: https://placng.org/i/documents/cybercrimes-prohibition-prevention-etc-amendment-act-2024/