Introduction
The evolution of data privacy rights in Nigeria reflects the growing global emphasis on safeguarding personal information in the digital age. With the increasing digitization of services and the collection of vast amounts of data, Nigeria has recognized the need to protect the privacy rights of its citizens. The Nigerian Data Protection Regulation (NDPR), introduced in 2019 and the Nigerian Data Protection Act (NDPA), enacted in 2023 have been a pivotal step in this direction, laying down rules and guidelines for the processing of personal data. However, the protection of these rights hinges on the effective enforcement and adjudication by Nigerian courts.
The judiciary plays a crucial role in ensuring that the privacy rights of data subjects are not only recognized but also adequately protected. Through various landmark decisions, the courts have affirmed that data privacy is a fundamental right enshrined in the Nigerian Constitution, particularly under section 37, which guarantees the right to privacy. In instances of breach, the courts have been instrumental in providing remedies to aggrieved parties, ensuring that violators are held accountable and that data subjects are compensated. This article explores the decision of the Federal High Court (“Court”) in Miss Folashade Molehin (“Miss Molehin”) v. United Bank for Africa Plc (“UBA”) which reinforced the protection of data privacy rights and the provision of remedies in the event of an established breach
A Review of the Federal High Court Decision in the Case of Miss Folashade Molehin v United Bank for Africa Plc
Miss Molehin provided her UBA savings account to her employer for the payment of her salary, which was denominated in US Dollars. The employer subsequently deposited the salary into the designated account as instructed. However, UBA did not make any confirmation as to the payment rather UBA informed Miss Molehin via a text message that it had created a domiciliary account for Miss Molehin where the salary amount was deposited. On receipt of the text message, Miss Molehin reached out to UBA on the reason and justification for unilaterally opening a domiciliary account for her. She requested that the domiciliary account be closed. However, UBA failed to close the
domiciliary account.
Miss Molehin contended that the right to privacy of data is a fundamental human right guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria and that the right to data privacy which is also contained in
the NDPA and the Central Bank of Nigeria Consumer Protection regulation (“CBN Regulation”) was violated by UBA when without the consent of Miss Molehin, UBA create a domiciliary account for her.
On its part, UBA contended that as at the material time, it was illegal in Nigeria to make a foreign currency transfer into a Naira account and that in order to avoid a situation where the transaction was aborted, UBA acted in Miss
Molehin’s best interest in line with the existing banker-customer relationship by channelling the fund into a system-created domiciliary account. On this note, UBA submitted that it had only acted with good faith in the interest of the
customer and that does not amount to breach of her right to privacy.
Decision
The court’s duty was to determine whether the unilateral opening of a domiciliary account using Miss Molehin’s personal data, that is her account details which was used to open a savings account for her by UBA contravened the principle of lawful processing of data thus breaching Miss Molehin’s data privacy rights.
The court, in its judgment delivered on 13th May,2024 considered several legal issues such as the concept of lawful processing under the NDPR and whether UBA ought to have obtained the consent of Miss Molehin prior to the opening of the domiciliary account.
On whether the act of UBA in opening a domiciliary account for Miss Molehin amounted to the processing of her personal data, the court held that in line with the provisions of the NDPR, processing means any operation performed on the personal data of a data subject and this includes the opening a domiciliary account for Miss Molehin. The court faulted the argument of UBA that the processing of personal data only occurs where the personal data of a data subject is transferred to a third party. The court further noted that Miss Molehin’ s personal data was adapted from her savings account for the purpose of creating the domiciliary account. Therefore, by the NDPR’s definition of ‘processing’, Miss Molehin’s data was processed by UBA having been adapted.
On the issue of whether UBA ought to have obtained the consent of Miss Molehin prior to the opening of the domiciliary account, the court found that the processing was unjustifiable under the NDPR on lawful processing as the consent of the data owner, Miss Molehin was not sought and obtained. The only purpose for which there was any consent was for the creation of a savings account. There was no consent to create the domiciliary account. Although UBA attempted to provide a justification that the domiciliary account opened in favour of Miss Molehin was done in good faith because the transaction would have failed if the domiciliary account was not created, however, the court was not swayed by this submission because the evidence before the court showed that Miss Molehin had instructed that the account be closed but UBA insisted on maintaining the account against her wish. UBA failed to justify its insistence for maintaining the domiciliary account despite several demands from Miss Mohelin to deactivate the account.
The court considered the concept of consent under NDPR which defines consent of the Data Subject as “any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her”. The court noted that the concept of consent could not be dispensed with even if UBA alleged to have acted in the interest of Miss Molehin.
The Court further noted that Miss Molehin had provided her data to UBA only for the purpose of creating the savings account and not for the creation of the domiciliary account. The fact that there was a contract between Miss Molehin and UBA to which Miss Molehin had granted her consent to the use of her data does not amount to the grant of the Miss Molehin’s consent for another purpose which was not contained in the contract. The court thus, held that there was no unambiguous indication through a statement or a clear affirmative action from Miss Molehin to UBA in relation to the use of her data by UBA in the creation of the domiciliary account. The court emphasised that consent must be expressly given and not implied. Upon establishing that the data privacy right of Miss Molehin has been violated by UBA, the court awarded the sum of N7,500,000.00 (Seven Milion Five Hundred Thousand Naira) as general damages in favour of Miss Molehin.
Conclusion
The court’s decision underscores the critical responsibility of data controllers and processors to remain vigilant against actions that may result in data breaches. It highlights the importance of continuous education and awareness of existing data protection laws to avoid legal liabilities. This case demonstrates that even unintentional violations can lead to significant penalties, emphasizing the need for strict compliance. The court’s role in enforcing remedies for data breaches reaffirms its commitment to upholding the rights of individuals and ensuring that data protection regulations are taken seriously.