Introduction
The idea of a “Smart City (SC)” – with driverless cars, sustainable energy sources, Internet of Things (IoT), connected devices, etc. – may seem illusory to many parts of Nigeria due largely to absence of support infrastructure. However, there are plans by the Lagos State Government (LASG) in collaboration with its partners, Dubai Holdings LLC to “develop sustainable, smart, globally connected knowledge-based communities that drives a knowledge economy” across the State.[1] In the same vein, leveraging the National Broadband Plan,[2] MainOne, using its infrastructure company (InfraCo) licence from the Nigerian Telecommunication Commission (NCC), has invested more than N25 billion in delivering fibre optic cable in Lagos State and ultimately across the country.[3]
Indeed, SCs may provide the needed housing deficit solution coupled with new cities design given Nigeria’s increasing population and the need for modern urban planning. For instance, the introduction of semi-driverless cars which collects real-time data about road condition, traffic situation, infrastructural problems, crashes and road hazards has been projected to immensely reduce road accidents.[4]
However, with this innovation comes associated privacy and other related risks including users’ liability.[5] Also, much more opportunities in data privacy management envisaged by the Nigeria Data Protection Regulation (NDPR), 2019 will be created. For SCs development to gain much traction, there is the need for a concerted effort by all stakeholders in the real estate sector; public and private sector operators on one hand and technology developers and innovators on the other hand towards improving the Nigerian housing and urban planning landscape. More so, given the recently launched Nigerian Strategy for Digital Economy, it behoves regulatory agencies to expand its application towards reducing Nigeria’s housing deficit.
Although some have argued and rightly so that SC projects could constitute massive government surveillance and create resultant chilling effects on users,[6] SC project developers must put in place mechanisms to allay the fears of users by complying with regulations which guarantees and protects users’ privacy.
This article thus focuses on examining the opportunities in Nigerian SCs development whilst also considering the commercial, legal and regulatory optics in implementing the project in a bid to de-risk the industry to attract incremental investment from both domestic and international investors.
Smart City: A One-Stop Shop for Real Estate Development and Urban Planning?
SC has been defined as “the use of information and communication technologies (ICT) to increase operational efficiency, share information with the public and improve both the quality of government services and citizens’ welfare.”[7] Given recent technological innovation in housing and urban planning, SCs have been linked with sustainable urban development with a projected spending expected to hit US$135 billion by 2021.[8]
Generally, investors are fascinated with the potential return in SC development as well as the ability to provide urban and modern infrastructure.[9] Depending on what problem SCs are created to solve, one common link amongst SC is the ability to aggregate users’ data through motion sensors, facial recognition, Internet of Things (IoT) etc. which can provide necessary insights using data analytics to predict a pattern in behaviour. This has proven instructive in the provision of essential services and planning purposes including building security architecture.
Despite these lofty upsides, there are a few issues that could potentially increase exposure of SC developers to lawsuits if not properly addressed at project planning stage in Nigeria. For instance, are special permits needed to develop a SC project? To what extent are users’ data permitted to be collected? Are SC developers liable to disclose data generated from the project to local authorities? Can developers be indemnified by smart Original Equipment Manufacturers (OEMs) against any loss arising from the claim by users of smart equipment? Where the development is a public-private partnership, who retains the right to users’ data generated from the project and can same be commoditised? In storing and transferring users’ data, what threshold is allowed to be retained by OEMs? Are smart devices (home equipment) which are installed fall under the classification of radio and television for tax purposes and thus requiring a licence?[10] Putting these issues in perspective will enable the potential investor gauge his risk appetite through a due diligence and compliance check and subsequently design contractual arrangements to mitigate these risks.
Private Smart City Estate Development: Commercial and Legal Issues
One of the pertinent considerations in SC development in Nigeria is the policy direction of all tiers of governments in terms of delineation of urban and rural areas for the purpose of curbing Nigeria’s housing deficits. Primarily, by virtue of section 1 Land Use Act,[11] all the land in a State is within the purview of the Governor who holds it in trust for the citizens of that State. Nonetheless, there are certain agencies of government’s saddled with the responsibility of planning the development of the State.
There have an attempt at evolving a uniform National Physical Development Planning for the country through the Nigeria Urban and Regional Planning Act (NURPA). [12] According to section 7 NURPA, the National Urban and Regional Planning Commission (Commission) is reposed with the responsibility to formulate policies on urban and regional planning as well as implement the National Physical Development Plan amongst others. These responsibilities are however carried out in cohort with their State and Local Government counterparts. Sequel to the development of new areas, the approval and permit of the relevant Development Control Department shall be sought and obtained upon the submission of a development plan; sections 28 and 30 NURPA.
However, the Supreme Court in A.G Lagos v. A.G Federation[13] held that the power to make laws on town and regional planning is neither in the Exclusive nor Concurrent Legislative Lists, it is therefore within the legislative competence of the respective states being a residual matter. Thus, the NURPA can only be applicable in the Federal Capital Territory where the National Assembly can make laws.
Many states across Nigeria have their respective urban and regional planning laws. In Lagos, for instance, the applicable law on urban and regional planning is the Lagos State Urban and Regional Planning and Development (Amendment) Law (LSURPL(A)L), 2019.
Notwithstanding, this permit under the NURPA (applicable only in the FCT) is not automatic and could be rejected where: the plan is not in accordance with the approved plan; or the plan is in the course of preparation; or likely to have major impact upon the environment, facilities, or inhabitants of the community or contains such additional facilities which are not within the estimation of the Physical Development Plan; or likely to cause a nuisance to the inhabitants of the community or contains such additional facilities that are not within the estimation of the Physical Development Plan for that community; or development is not in accordance with any other conditions as may be specified under any regulation made pursuant to the NURPA.
Similarly, under the LSURPL(A)L, an application for planning permit may be rejected if the application is not in accordance with the Operative Development Plan, in the opinion of the Planning Permit Authority, the proposed development in likely to cause nuisance or have major impact which cannot be adequately mitigated on the environment, facilities, or inhabitants of the community or in the public interest; or the development is not in accordance with any condition as may be specified by Regulations made under the law.
It is therefore prescient to ask the question, is the Commission or the Planning Permit Authority (Lagos) attuned with the realities of a modern SC development in view of granting the permit to create same given the wide discretion granted to them?
In defining Development Plan, the Lagos State Physical Planning Permit Regulations, 2019 made pursuant to the Lagos State Urban and Regional Planning and Development Law, 2015 posits (in Para 1 –) that “a Plan prepared by the Ministry, Planning Permit Authority and other authorized government agencies indicating the manner in which an area of land should be developed and it includes all plans enumerated in Section 2 (c) of the Law” while the NURPA states in section 91 that; physical development plan “means any of the plans set out in section 1 of this Act and includes any schemes, plans, or master plans approved under authority of the legislation…..or made under any other authority of any legislation approved under this Act.”
It is therefore important for investors in SCs to conduct searches to know if provisions for a ‘SC’ development with its supporting infrastructure has been made in the master plan of the State in question. Usually, such provision will be in urban designated areas. Unsuspecting investors in the past had lost huge sums in investment during the demolition exercise by the Federal Capital Development Authority wherein the constructions were sited in unapproved places in the masterplan.[14]
The development of projects of this nature can be through a Joint Venture (JV) between the State and private companies or government concession arrangements under a Public-Private Partnership. Where this is case, it is important to identify the party responsible for ‘controlling’ the purpose and manner of processing users’ data so as to reduce exposure in cases of personal data breach.
Section 4 NDPR defines Data Controller to mean “…a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purpose for and the manner in which personal data is processed or is to be processed.” In the same vein, liability for data breach, although could be on any person subject to the NDPR, Data Controllers (DC) dealing with more than 10,000 Data Subjects (DS) are liable to a fine of 2% of its preceding year Annual Gross Revenue or 10 million naira whichever is greater whilst DC dealing with less than 10,000 DS are liable to a fine of 1% of its preceding year Annual Gross Revenue or 2 million naira whichever is greater.
As part of the project risk exposure assessment and mitigating action, parties to the project development may choose to cede their data controlling obligations to a special purpose vehicle (SPV). For instance, where an SC project is being developed by party A and Party B who are also project financiers, party C could be created for the purpose of controlling users’ data (which may also include management services) obtained from the project and thus liable for any breach.
SC project development is driven by data obtained from DS. It is prescient to understand what extent of users’ data can be collected and are there incumbent responsibilities on developers to regularly report to regulatory authorities? Accordingly, section 4 (Chap. 1.3) NDPR in defining personal data provides: “…means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.” This contains an expansive definition of users’ data covered by the Regulation and thus project developers must understand the nature and degree of information needed from users.
More so, there is the compliance obligation on DC to regularly carryout detailed audit of its privacy and data protection practices – where it processes the personal data of more than 1,000 [DS] in a period of six months; where it processes the data of more than 2,000 DS on an annual basis, submit not later than 15th March of the following year – and submit same to the National Information Technology Development Agency (NITDA); Chap. 3.1.6 and 3.1.7. It is noteworthy that the volume of DS’ personal data processed is immaterial in determining compliance obligation. Thus, organisations processing personal of less than 1,000 DS are only required to carry out audit without submitting same to NITDA. For small projects with less than 1,000 DS, only an audit of developer’s privacy and data protection practices is required.
It is important whilst obtaining users’ data to ensure that they are lawfully processed. Section 6 (Chap. 2.2) NDPR provides that data processing shall be lawful where: “…the [DS] has given consent to the processing of his or her personal data for one or more specific purposes; …for the performance of a contract to which the [DS] is a party or in order to take steps at the request of the [DS] prior to entering into a contract; … for compliance with a legal obligation to which the Controller is subject; …in order to protect the vital interests of the [DS] or to another natural person; and …for the performance of a task carried out in the public interest or in the exercise of public mandate vested in the controller.”
In the same vein, section 7 (Chapter 2.3 (i) and (ii)) NDPR, provides “No data shall be obtained except the specific purpose of collection is made known (sic) to the [DS]. [DC] is under obligation to ensure that consent of a [DS] has been obtained without fraud, coercion or undue influence…” Essentially, the developer is required obtain consent from users of the SC before deployment. For instance, where an estate is modelled with smart infrastructure, consent can easily be obtained from occupiers or tenants through their agreements with the developers, however, same cannot be said of visitors or bystanders in the estate whose data are processed as a result of their contact with the estate.
Does this create a legal exposure in the event of complaint of unlawful data processing without a data collection disclosure? As earlier discussed, one of the criteria for obtaining consent is disclosure of purpose of the data collection. As developers, it is prescient to include public disclosures on conspicuous locations in the estate disclosing the nature of data collected and the purpose for which it is intended. It could also be argued that the defence of public interest may exculpate SC developers from any form of liability for data privacy breach resulting from failing to obtain consent from DS.
Bearing in mind that one of the underlining upsides in SC is the commercial viability of users’ data aggregated over a long period of time as well proper economic planning, can same be disclosed to ‘local authorities’, say the police or government agencies for ‘public purpose’? Under the NDPR, Chap. 2.1(1)(a)(ii) prohibits the transfer of data being processed to any person other than where consent has been obtained from the DS.[15] Nothing precludes the SC developers from assigning data processing obligations to a third party through a written contract whilst sharing same with government agencies for public purpose[16] although DS have the right to object to their personal data being processed for marketing purposes.[17] Consequently, in SC development, due consideration must be given to data commoditisation and information sharing taking cognisance of the potential revenue yield as well as government’s use of such data.
Data obtained from SC development are often warehoused in data centres /cloud servers operated by the OEMs or software developers outside the country of deployment. In Nigeria, transfer of personal data shall take place where certain safeguards are put in place in the destination country such as adequate level of legal and other protection.[18] Nonetheless, such transfers can be undertaken where: the DS explicitly consent to the transfer – after having being informed of the possible risks of such transfer; performance of a contract between the DS and the DC or the implementation of pre-contractual measures taken at the DS’s interest; conclusion or performance of a contract concluded in the interest of the DS between the DC and another natural or legal person; important reasons of public interest; for the establishment, exercise or defence of legal claims; and in order to protect the vital interests of the DS or other persons, where the DS is physically or legally incapable of giving consent.
To exercise this right, the DS must manifestly be made to understand (through clear warnings) the specific principles of data protection although this will not be applicable in cases of duly established legal action against the DS for any civil or criminal claim in a third country. It is therefore pertinent for SC developers to consider these during their developer contract negotiations with OEMs, software designers and engineers whilst developing an SC project.
Interestingly, the National Identification Management Commission (NIMC) recently introduced the Data Protection Bill (DPB), 2020 to establish the Data Protection Commission in a bid to protect personal data and rights of data subjects as well as regulate the processing of personal data. The rights of DS under the DPB is expansive and sought to cover areas erstwhile not covered under the NDPR.
Indisputably, SC projects fall within the scope of properties liable to pay tenement rates in accordance with the Lagos State Land Use Charge Law, 2018 and other similar laws across Nigeria. However, the classification of devices (such as smart TV) under the Taxes and Levies (Approved List for Collection) Act[19] for the purpose of radio and television licence fee is doubtful given that Item 14 Part III excludes radio and television transmitter. More so, such modern smart TV have the capacity to transmit through internet enabled facilities.
Conclusion
To ensure that the Nigerian Broadband Plan is actualised – and deepen Nigeria’s digital economy – which will pave way for increased digital penetration as well as the development of viable SC projects – thus reducing Nigeria’s housing deficit by leveraging technology – across Nigeria, there is the need for coordination amongst all government agencies in charge of urban planning and data management to put in place investor- attraction policies. These policies will not only make investment attractive but also guarantee investment protection for SC development projects. Most importantly, harmonizing data generated from these projects towards economic planning and national development and increased access to social amenities.
To optimise investment in SC projects and given the importance of data to the success of SC project implementation, potential investors must understand Nigeria’s legal environment and protection afforded DS and design their projects in accordance with these compliance obligations.
Source: Mondaq