Privacy and Data Protection in E-Commerce
E-commerce businesses collect a lot of data, including personal information such as names, addresses, and credit card numbers. This data is valuable to businesses, but it can also be a target for hackers and other criminals. As a result, e-commerce businesses need to take steps to protect their customers’ data privacy.
Collection, use, and storage of personal data in online transactions
Following international standards on privacy and data protection, these laws typically have broad provisions and principles specific to the collection, storage and use of personal information, including:
• Purpose limitation: The collection and use of personal data should be limited to purposes: (1) which are stated in law and thus can be known (at least in theory) to the individual at the time of the data collection; or (2) for which the individual has given consent.
• Proportionality and minimization: The data collected must be proportionate to the purpose of the ID system to avoid unnecessary data collection and “function creep,” both of which can create privacy risks.
• Lawfulness: The collection and use of personal data should be done on a lawful basis, e.g., involving consent, contractual necessity, compliance with legal obligation, protection of vital interests, public interest and/or legitimate interest.
• Fairness and transparency: The collection and use of personal data should be done fairly and transparently.
• Accuracy: Personal data should be accurate and up-to-date, and inaccuracies should be expediently corrected.
• Storage limitations: Personal data—including transaction metadata—should not be kept longer than is necessary for the purposes for which it is collected and processed. With respect to transaction metadata, people can be given an option for how long such data are retained.
Consent requirements and data subject rights
Consent: means any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or affirmative action, of an individual’s agreement to the processing of personal data relating to them or to another individual on whose behalf they have the permission to provide such consent. Thus, consent requirements for a data subject must be freely given and specific. In general, personal information should be lawfully obtained (usually through freely given consent) for a specific purpose, and not be used for unauthorized surveillance or profiling by governments or third parties or used for unconnected purposes without consent (unless otherwise required under the law). Finally, users should have certain rights over data about them, including the ability to obtain and correct erroneous data about them, and to have mechanisms to seek redress to secure these rights.
Data Subject Rights:
• The Right to be informed
• The Right of Access
• The Right to Rectification
• The Right to Object to Processing
• The right to restrict processing
• The Right to Data Profitability
• The Right to be Forgotten
• Right in relation to automated decision-making and profiling
Cybersecurity and data breach notification obligations
There is an obligation on a data processor, on becoming aware of a breach to do the following:
• notify the data controller or processor that engaged it, describing the nature of the personal data breach including where possible, the categories and approximate number of data subject and records concerned;
• respond to all information requests from the data controller or processor that engaged it;
• within 72 (seventy-two) hours of becoming aware of a breach, if the breach is likely to result in a risk to the rights and freedoms of individuals, the data controller is obligated to notify the Commission. The data controller will immediately communicate the breach in plain and clear language including advice about measures the data subject could take to mitigate the effect of the breach. If it is not feasible, public communication in one or more widely used media sources in which the data subject will likely be informed can be used.
Taxation and Regulatory Compliance
Tax obligations for e-commerce businesses
As an online business operating in Nigeria, it is crucial to be aware of your tax obligations. Some of the Tax Obligations are:
1. Value Added Tax (VAT)
VAT is a tax that is applied to the value added by each stage of production and distribution of a product or service. It is usually charged as a percentage of the final price that the customer pays.
2. Withholding tax
The Withholding Tax (WHT) is not another form of tax, rather, an advance payment of income tax on specific transactions. Generally, when such transactions are executed, the person or company making payment is required by law to deduct WHT at the specified rate depending on the type of transaction and the party involved. The tax withheld is then remitted to the relevant tax authority. The objective of withholding tax is basically to minimize tax evasion, ensure that more taxpayers are captured into the tax net and provide revenue to the government to meet up with its budget.
Registration and licensing requirements for e-commerce platforms
E-commerce operation in Nigeria must first be registered with the Corporate Affairs Commission in Nigeria, and also register with Nigeria Information Technology Development Agency (NITDA). Also, all financial related transactions of E-commerce are highly regulated by several Central Bank of Nigeria rules aside the existing Banks and Financial Institutions law. It is important for company or individuals to research whether there are certain restrictions on some of their products for sale in law and also comply with Anti-fraud conditions of the payment gateways or platforms
Anti-money laundering and combating the financing of terrorism (AML/CFT) measures
Effective anti-money laundering and combating the financing of terrorism (AML/CFT) policies and measures are key to the integrity and stability of the international financial system and member countries’ economies. Money laundering (ML) and related underlying crimes (the so-called “predicate offenses” or “predicate crimes”), as well as terrorist financing (TF) and the financing of the proliferation of weapons of mass destruction (WMD) or proliferation financing (PF) are crimes with economic effects—they can threaten the integrity and stability of a country’s financial sector and a country’s external stability more generally. They can result in destabilizing “hot money” resulting from inflows and outflows, as well as in banking crises, ineffective revenue collection, broader governance weaknesses, reputational risks for international financial centers, and loss of correspondent banking relationships (CBRs). In an increasingly interconnected world, the harm done by these crimes is global, affecting the integrity and stability of the international financial system. AML/CFT policies and measures are designed to prevent and combat these crimes and are essential to protect the integrity and stability of financial markets and the global financial system.
Cross-Border E-Commerce and International Trade
Cross-border E – Commerce is international e-commerce. It is literally “selling across a border using E-Commerce,” as opposed to domestic e-commerce transactions.
Business-to-business (B2B) eCommerce transactions are made between businesses, where a supplier sells in bulk. Business-to-consumer (B2C) is where a business sells its product directly to a customer, either directly from a company website or an online marketplace.
Legal considerations in cross-border online transactions
i. Diplomacy and Cultural Awareness
ii. Different Legal Systems
iii. Language of the Contract
iv. Tax Implications and Tax Treaties
v. Dispute Resolution and Enforcement of Judgments
vi. Data Protection Regimes
vii. Finding Reliable Foreign Counsel
Dispute resolution mechanisms for cross-border e-commerce disputes
E-commerce increases the frequency of cross-border disputes between consumers and businesses. Due to the nature of e-commerce transactions, dispute resolution systems should be flexible where contractual parties are free to choose which mechanism to use. It could either be Alternative Dispute, Online Dispute Resolution, or Self-help Dispute Resolution (referring to third parties).
Legal remedies for parties in e-commerce disputes
1. Compensatory Damages
2. Specific Performance as a Contract Remedy
3. Rescission for Material Breach of Contract
4. Liquidated Damages in Contract Cases
Role of alternative dispute resolution (ADR) in resolving e-commerce disputes
Alternative dispute resolution (“ADR”) refers to out-of-court methods for resolving disputes, including negotiation, mediation and arbitration. Oftentimes, the high costs and delays found in litigation can be avoided by using ADR. ADR also helps to preserve important long-term business relationships by leaving all parties more satisfied with the outcome by avoiding the winner-take-all aspect of litigation.
Conclusion on the importance of addressing legal issues to foster a thriving e-commerce ecosystem in Nigeria
Although the principles of the traditional contract law can be applied to this modern mode of entering into contracts, there is a need for certain issues to be specifically provided for in the Electronic Transactions Bill.
Electronic commerce, by its nature, goes beyond borders so it is important to harmonize the laws that regulate electronic commerce. The United Nations has taken a commendable step in that direction. However, it should have gone ahead to make provisions addressing the issue of who makes the offer and who accepts the offer in electronic commerce, and when an acceptance becomes effective.
Elizabeth Olalekan is a Senior Associate in the ICT and Media Practice group of the Firm.
The Trusted Advisors is a leading Nigerian full-service law firm providing cutting-edge and timely legal solutions and services to its clients.
Disclaimer: This article provides general information and does not constitute legal advice. For specific legal advice, readers are advised to
consult with a qualified legal professional familiar with Nigerian laws and regulations.
