Truecaller privacy policy finally gets NITDA attention

The National Information Technology Development Agency (NITDA)—the agency that coordinates the development of information technology in Nigeria—is investigating Truecaller for an alleged breach of privacy rights.

Truecaller is an application that enables smartphone users to identify incoming callers and block spam calls and messages. As of 2007, more than six million Nigerians were using the app.

With the recent milestone of 500 million downloads and 150 million daily active users globally, rest assured that not less than seven million Nigerians are now using Truecaller app.

According to NITDA, the privacy policy of Truecaller does not comply with the global data protection regulation and particularly, the Nigeria Data Protection Regulation (NDPR), which was promulgated in January 2019.

The agency, saddled with the implementation of Nigerian information technology policy, identifies Article 1.1, 1.2 and 3 of Truecaller's privacy policy as examples of how the service contravenes the NDPR.

1.1 USER PROFILE
When You create a user profile in the Services and confirm being the holder of a certain number, Truecaller will collect the information provided by You. In order to create a user profile, You must register Your first name, last name and phone number. Additional information that may be provided at Your option include, but is not limited to, photo, gender, street address and zip code, country of residence, email address, professional website, Facebook page, Twitter address and a short status message. Truecaller may supplement the information provided by You with information from third parties and add it to the information provided by You e.g. demographic information and additional contact information that is publicly available.

By supplementing the personal data of Nigerians without consent or accuracy, NITDA says Truecaller exposes Nigerians to privacy invasion and provides a leeway for unscrupulous people to use the identities of Nigerians to perpetuate fraud.

1.2 INSTALLATION AND USE
When You install and use the Services, Truecaller will collect personal information from You and any devices You may use in Your interaction with our Services. This information may include e.g.: geo-location; Your IP address; device ID or unique identifier; device manufacturer and type; device and hardware settings; SIM card usage; applications installed on your device; ID for advertising; ad data, operating system; web browser; operator; IMSI; connection information; screen resolution; usage statistics; default communication applications; access to device address book; device log and event information; logs, keywords and meta data of incoming and outgoing calls and messages; version of the Services You use and other information based on Your interaction with our Services such as how the Services are being accessed (via another service, web site or a search engine); the pages You visit and features you use on the Services; the services and websites You engage with from the Services; content viewed by You, content You have commented on or sent to us and information about the ads You see and/or engage with; the search terms You use; order information and other usage activity and data logged by Truecaller’s servers from time to time. Truecaller may collect some of this information automatically through use of cookies and You can learn more about our use of cookies in our Cookie Policy.

Some information, including, but not limited to, usage information and other information that may arise from Your interaction with the Services, cannot be used to identify You, whether in combination with other information or otherwise and will not constitute personal information for the purposes of this Policy.

According to Article 2.3(2) d&e of the NDPR, which states: when assessing whether consent is freely given, utmost account shall be taken of whether, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary (or excessive) for the performance of that contract and e) where data may be transferred to a third party for any reason whatsoever.

NITDA submits that Truecaller collects more information than it needs to carry out its primary service. The primary service of Truecaller is caller-identification and blocking of spam.

  1. SHARING AND DISCLOSURE OF PERSONAL INFORMATION
    Truecaller may also share personal information with third party advertisers, agencies and networks. Such third parties may use this information for analytical and marketing purposes e.g. to provide measurement services and targeted ads and for improvement of products and services.

NITDA states that this provision of Truecaller's privacy policy violates the NDPR and the global best practice of informing users about the possible third-party processors' information may be shared and for what purpose.

Although investigating Truecaller is dutiful of NITDA, the question to be answered is why now and what is the possible outcome of its investigation?

Why Truecaller, Why Now and What's Next?

Truecaller was founded in 2009 by Nami Zarringhalam and Alan Mamedi in Stockholm, Sweden.

The app was made available to Nigerians via the Google Playstore in 2012. Five years later, it launched a Developers Programme in Nigeria, tagged 'Truecaller SDK'.  The goal of the Truecaller SDK is to enable third-party app developers and businesses to verify end-users with a one-touch and password free experience using Truecaller profile.

Before now, Nigerians were already aware of Truecaller's sharp practices in the collection and use of personal information. But there was no data protection regulation then. And in line with the maxim, "whenever someone wakes up is their morning", this could mark the beginning of a crackdown on services flouting the NDPR.

It is also noteworthy that NITDA just got a new boss, Kachifu Abdullahi, in August. He replaced Isa Ali Pantami, who is now Minister of Communications.

Should this investigation produce any result like suspension of Truecaller services in Nigeria or a fine, it might count as a good point for Mr Abdullahi, who is considered to be 'unqualified' to lead the agency by some people.

In the meantime, NITDA advises Nigerians to use Article 4 of the privacy policy of Truecaller.

  1. DELISTING OF CONTACT INFORMATION AND OPT-OUT OF AD TARGETING
    If a User chooses to disable the Enhanced Search Functionality, the Contact Information made available by that User is disabled and will thereafter not be available for search in the Truecaller database. If any persons do not wish to have their names and phone numbers made available through the Enhanced Search or Name Search functionalities, they can exclude themselves from further queries by notifying Truecaller via its website at www.truecaller.com or as set forth in the contact details below. You acknowledge and agree that Truecaller may keep and process personal information related to such request in order to be able to honor the request.
    > You can limit or opt-out of the collection and use of Your information for ad targeting by third parties via Your device settings.

Truecaller's privacy policy is not different from other companies, such as Google and Facebook, that provide free service. Because if you're not paying for the product or service, you (your personal information) are product being sold. Moreover, not many Nigerians care about internet governance.