By Olumide Babalola
On the 15th day of May 2024, in suit No. FHL/CS/1281/23 between Chris Eke and Central Bank of Nigeria, the Federal High Court, per Hon. Justice Nnamdi Dimgba, Phd ruled that the Central Bank’s (Customer Due Diligence) Regulation which allows banks to process customers’ social media handles as part of their Know-Your-Customer procedure does not interfere with the right to privacy.
In striking out the suit, the judge opined that: “Fourthly, and for all it is worth, I do not see how asking a banking or potential banking customer to provide his social media handle can ever amount to a breach of privacy …I should even say that the essence of having a social media account was for one to be publicly visible communication wise. It therefore appears quite ironic, though wryly and also counter-intuitive that one can suggest that asking for information about a social media handle with which an individual exposes and immerses himself or herself in the public pool of social or other interactions, can amount to a violation of privacy right.”
The court’s conclusion above raises some theoretical and practical privacy issues which I will discuss briefly in the successive paragraphs. I must however begin my analysis by acknowledging Justice Dimgba’s reputation as the only sitting Judge of the Federal High Court who has written an academic article on privacy in a peer-reviewed journal. (see The Right to Privacy and the Intrusion of the Press in Nigeria’ (2000) 4 Modern Practice Journal of Finance and Investment Law, 177). Hence, it is not patronizing to say, his lordship has a commendable knowledge of the field.
Privacy paradox and social media engagements
His Lordship suggests that one cannot reasonably have a functional social media account and still claim privacy over the same account which is publicly available. My immediate reaction to this is that it speaks to the concept known as the ‘privacy paradox.’ This state of mind is also referred to as ‘privacy contradiction’ because ‘users of social networking websites tend to disclose much personal information online, yet they seem to retain an expectation of privacy’ (see Avner Levin & Patricia Sanchez Abril, ‘Two Notions of Privacy Online’ (2009) 11 Vanderbilt Journal of Entertainment and Technology Law, 1001).
Daniel Solove – arguably the most prominent American author on privacy – defines ‘privacy paradox’ as ‘the phenomenon where people say that they value privacy highly, yet in their behaviour relinquish their personal data for very little in exchange or fail to use measures to protect their privacy.’ (see The Myth of the Privacy Paradox’ (2021) George Washington Law Review, 6). In dislodging the argument that people who put their personal information on social media do not ‘value’ privacy, Solove argues that the social media users behaviour in this context should not be predominantly viewed from the prism of value placed on privacy but should be based on their decisions on the risks reasonably envisaged from such activities. Hence, social media activities do not necessarily speak to the value placed on privacy, but rather the decisions on the type of privacy harms that could result from such exposure of personal data by the account holders.
So in other words, social media users may be willing to bear some but not all privacy harms and still retain their claims to privacy. For example, physical harm like kidnapping, may result from the indiscriminate sharing of personal data on social media; economic harm like identity theft and financial crimes may be eased by the display of personal financial information on social media; reputational injury may stem from sharing of nudes or sexually suggestive information; psychological harms resulting in anxiety may also be occasioned by certain activities on social media. By engaging on social media, one may consciously envisage one or more of these harms but not all, hence when reasonably unexpected harm occurs, the victims may have a valid cause of action in privacy. So contrary to the court’s position, the public nature of behavioural activities on social media does not necessarily rule out a privacy claim and this takes us to the next issue:
Reasonable expectation of privacy on social media
Even though the court finds that the requirement of social media handles is aimed at further identification like emails and telephone numbers, it is erroneous to allude that (prospective) bank customers do not retain a measure of reasonable expectation of privacy over such accounts despite being public. It is worthy of note that the Nigeria Data Protection Regulation 2019 defines ‘personal data’ to include social media accounts, hence, they are protected under the notion of privacy. On reasonable expectation of privacy over social media, Hendersen writes thus: “Some social media is exposed to the public, such as an open-to-the-world blog. It is not reasonable to expect privacy when one publishes something to all comers… On the other end of the spectrum, there are functions on social media sites that are the antithesis of public, meaning it is immediately apparent that one retains a reasonable expectation of privacy….Thus, I argue that there is a reasonable expectation of privacy in once public, now deleted social media content.” (See Stephen Henderson, ‘Expectation of Privacy in Social Media’ (2012-2013) 31 Mississippi College Law Review, 227).
Also commenting on social media users’ expectation of privacy, Newell argues that: “For some, yesterday’s closet has become today’s limited-access Facebook or MySpace profile. Indeed, these services allow users to dictate whom they allow to access their posted content and online communication…Holding that there is no reasonable expectation of privacy in Internet postings posits an unreasonable standard for those who view their limited-access posts on Facebook or MySpace as private, or at least quasi-private, where the number of “friends” who can access the information is high, and deserving of some sort of privacy protection” (See Rethinking Reasonable Expectations of Privacy in Online Social Networks’ (2011) 12 Richmond Journal of Law & Technology, 17). So long as social media platforms provide the functionality for keeping certain segments private or the enablement to restrict access or others’ engagement on the platform, then it becomes clear that privacy is part of the contemplations of the users and the platform providers.
Conclusion
The simplistic view that whatever is placed on social media or in the public is bereft of the expectation of privacy loses sight of what privacy represents and the various interests protected by the notion. When privacy is viewed from the perspective of the desire to control the use of one’s personal information, then it will be appreciated that, social media users do not generally expect their publicly available personal data to be put to unauthorised or prejudicial use.
Even our laws tacitly recognise these reasonable expectations of privacy on social media by criminalising cyberstalking and cyberbullying. (See the Cybercrime (Prohibition, prevention etc) Act. In the context of CBN’s regulation, we should be reminded that unlike telephone numbers and email addresses, social media accounts and or their activities do much more than provide communication channels. They tell and expose sometimes sensitive and intrusive information that a bank does not need thereby infringing on the principle of data minimization. On the whole, without necessarily commenting on the court’s technical reasons for striking out the case, it is, with respect, erroneous to sweepingly assume that social media users do not have reasonable expectations of privacy.