By Samuel Ngwu, Esq.
The Court held in this case that the failure of the Respondents in taking measures towards protecting the data privacy of the citizens, taking into account the vital information required from the data subjects such as Bank Verification Numbers (BVN), Names and addresses, poses a threat to the Applicant’s members’ right to private and family life because the objective of the Nigeria Data Protection Regulation as provided in Regulation 1.1(a) is to safeguard the rights of natural persons to data privacy. The Court further stated that when a Statute or Regulation stipulates the way a thing or act is to be done or carried out, such legislation must be complied with strictly, otherwise such legislation becomes cosmetic
Facts of the case
The Respondents, (Minister of Industry, Trade, And Investment, Attorney-General of Federation and National Information Technology Development Agency (NITDA) through the 1st Respondent, set up a Micro Small and Medium Enterprise (MSME) Survival Fund on an online portal wherein they collect personal information of individuals including sensitive information such as BVN without having a privacy notice published in the portal through which it processes the personal information. It was also discovered that the 1st Respondent did not appoint a Data Protection Officer (DPO) nor developed any security measures to protect personal data. The Applicant, a civil society organisation, claimed that on the 1st of September 2020, its members sought to apply for the said Fund but discovered non-compliance with the above requirements which amounted to a violation of provisions of the NDPR and section 37 of the 1999 Constitution. The Applicant, therefore, instituted an action to enforce its members’ fundamental human rights. The Applicant sought the following DECLARATION:
- that by Articles 1.1(a), 2.2 and 2.3 of the NDPR, data protection is guaranteed under the right to private and family life provided under section 37 of the Constitution of the Federal Republic of Nigeria.
- that the Respondents’ processing of personal data under the MSME Survival Fund is likely to interfere with the Applicant’s members’ right to private and family life provided under section 37 of the Constitution of the Federal Republic of Nigeria.
- that the Respondents’ failure to provide on their portal information relating to the contact details of their Data Protection Officer, the legal basis of processing, recipients of personal data, etcetera constitute a violation of Regulation 3.1 NDPR.
- that the Respondents’ failure to provide information on their portal in a concise, transparent, intelligible form constitutes a violation of Regulation 3.1(1) NDPR.
- that the 1st Respondent’s failure to provide on their portal as a Data Controller a designated Data Protection Officer (DPO) through the Federal Ministry of Trade and Industry and Investment constitute a violation of Regulation 4.1(2) NDPR.
- That the 1st Respondent’s processing of personal data on the portal without developing security measures to protect personal data violated Regulation 2.6 NDPR
- An Order mandating the 1st Respondent to designate a DPO for its MSME Survival Fund and publish his or her contact on the portal.
- An Order mandating the Respondents to comply with the provisions of the Regulation 3.1(7) NDPR.
- An order mandating 3rd Respondent to ensure that the 1st and 2nd Respondent complies with the provisions of NDPR and any other data protection legislation.
Issue for determination
The parties raised several issues which the court summarised into one as follows: “whether or not from the circumstances of this present case, the Respondent had failed to comply with the Nigeria Data Protection Regulation, 2019 resulting in the likely infringement of the Applicant’s members’ right to private and family life provided for in Section 37 of the Constitution”.
Rule of Law
Every Data person, body, public or private institutions in Nigeria must take steps to comply with the provision of Nigeria Data Protection Regulation concerning the processing of personal data of an individual which provision safeguards the right to privacy guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria.
On filing counter affidavit, the 1st Respondent challenged the competency and jurisdiction of the court to hear the case on the ground that the
- Affidavit in support of the suit was not deposed to by the Applicant and that the deponent failed to provide details of how he learnt about the facts and therefore did not comply with Order 2 Rule 4 of the Fundamental Right Enforcement Procedure Rules 2009(FREP).
- The Applicant did not comply with Section 84 of the Evidence Act on the requirements of computer-generated document.
- The Applicant is not a juristic person known to law.
- The suit is an abuse of the court process.
The Court disagreed with the 1st Respondent and found in favour of the Applicant on the facts that:
- the deponent of the Affidavit is a member of the Applicant as averred in paragraph 1 of the Affidavit who sought to apply for the Survival Fund and therefore gave first-hand information of the facts deposed.
- the said exhibits were accompanied by a certificate pursuant to section 84 of the Evidence Act 2011.
- the suit is not an abuse of the court process as there is a caution of action.
In resolving the dispute generally, the Court agreed with the Applicant based on Regulation 1.3(x)NDPR that the 1st Respondent is a statutory body who determines how personal data submitted to the online Survival Fund portal are to be processed and as such must comply with Regulations 1.1(a); 2.1(d); 2.5; 2.6; and 3.1(7). It was acknowledged by the court that while the Applicant provided the Court with exhibits 3-6 (photographs of the MSME Survival Fund Program online portal) to support its case, the 1st Respondent did nothing more to demonstrate compliance with the NDPR than merely deposing in paragraphs 9 and 10 of the counter affidavit that “the portal was set up and being used with all security measures and statutory provisions regarding the privacy of data being collected and that the operation of the Survival Fund was transparent and available to members of the public”. In other words, the 1st Respondent did not provide evidence to rebut the Applicant’s claim.
Holding of the Court
The Court, after examining the facts against the background of the relevant provisions of the Constitution and the NDPR in danger of being breached, resolved the suit in favour of the Applicant and granted all the reliefs sought by the Applicant.
- Court Name: Federal High Court Awka
- Suit No: FHC/AWK/CS/116/2020 per Hon. Justice N.O. Dimgba
- Year: 2020
Date of judgement
2nd November 2021
The reasoning of the court is highly commendable. The 1st Respondent as a data controller must not only comply with the provision of the NDPR but also demonstrate compliance and having failed to do so, the court was right in holding them accountable. Nonetheless, it is to be seen if the 3rd Respondent with always loud silence when it comes to public institutions not complying with NDPR will take steps to ensure the 1st Respondent complies with the judgement. The judgement came timely in the light of the recent launch of the eNaira by the Central Bank of Nigeria (CBN) which also failed to comply with the NDPR. Hopefully, they will take a cue from this judgement.
Legal provisions/case law references:
- Section 37 of the 1999 Constitution of Nigeria, Articles 1.1(a); 2.1(1)(d); 2.5; 2.6; 1(7) NDPR
- Nwali v. Ebonyi State Independent Electoral Commission (EBSIEC) (2014) LPELR-23682 CA; Digital Right Lawyer Initiative v. National Identity Management Commission(unreported) Suit No. Ab/83/ 2020.
- L and W. W v. Germany (ECTHR).
- Caty Germany GmbH v. Stadt Sparkasse Magdeburg (C580/13) ECTHR.
- Madukolo v. Nkemdilim (1962) 2SCNLR 341.
- Habeeb & Anor v. AGF & Ors (2012) LPELR 15515(SC).
- FUTMINNA v. Okoli (2011) LPELR-9053(CA).
- Agbonmagbe Bank v. General Manager,
- GB Ollivant Ltd (1961) 1 All N.L. R 116.
- AG Rivers State v. AG Akwa Ibom State (2011) NWLR (Pt 1248) Pg.95.
- Esogwa v. Nwosu (2020) LPELR-50610HhHH
Samuel is a privacy analyst at NDPR Consultants. Contact at Samuel.firstname.lastname@example.org