By Olawale Abdulbasit
INTRODUCTION
Privacy, according to Black’s Law Dictionary, 9th Edition is defined as “The condition or state of being free from public attention to intrusion into or interference with one’s acts or decisions”
The grundnorm for the protection of right to privacy is the Constitution of the Federal Republic of Nigeria, 1999 (as amended) specifically under Section 37.
Other legal frameworks protecting right to privacy in Nigeria are: Cybercrimes (Prohibition, Prevention. Etc) (Amendment) Act, 2024, Nigeria Data Protection Regulation (NDPR), 2019, Nigeria Data Protection Act (NDPA), 2023, Freedom of Information Act (FOI), 2011, Child Rights Act, 2003, The Nigerian Communications Act, 2003 among others.
In a recent decision of the Federal High Court, sitting in Lagos, in the case of Miss Folashade Molehin V United Bank For Africa PLC (FHC/L/CS/2625/2023), the applicant, Miss Folashade Molehin challenged the wrongful processing of her personal data without her consent by the respondent. The court examined in detail what constitute breach of privacy. It also posits that wrongful processing of personal data is a breach fundamental right to privacy.
SUMMARY OF FACTS
Miss Folashade Molehin in a privacy suit challenged the wrongful processing of her personal data which is the act of opening a domiciliary account in her name without due authorisation. The bank contended that the action of the plaintiff is not litigable as it falls under general civil claims and that no action can be maintained under fundamental rights enforcement procedure.
DECISION OF THE COURT
In a well delivered judgement, Justice A.O Faji of the Federal High Court, Lagos held that the act of the defendant breached the privacy rights of the plaintiff and that the issue of data privacy violation falls within the confines of Section 37 of the Constitution. The court awarded a damages of 7.5 Million Naira in favour of the plaintiff.
IMPLICATIONS OF THE DECISION OF THE COURT
- Processing of personal data without consent is a breach of right to privacy:
The argument of the respondent is that the suit centres on the breach of the banker’s duty to its customers, therefore the action falls under negligence and not within the scope of fundamental rights.
In dismissing the argument of the learned counsel for the respondent, the court held that a breach of banker’s duty involving wrongful processing of personal data without consent falls under the breach of privacy, consequently, a breach of fundamental rights.
It went further to state that a breach of the provisions of the NDPR, 2019 is part and parcel of a breach of Section 37 of the constitution.
- Data are sensitive information that must be treated with proper care:
The court observed that one of the objectives of the NDPR, 2019 is to safeguard the rights of natural persons to data privacy.
The court cited article 2.9 of the NDPR, 2019 which states as follows:
Notwithstanding anything to the contrary in this regulation, the privacy rights of a data subject shall be interpreted for the purpose of advancing and never for the purpose of restricting the safeguards Data subject is entitled to under any data protection instrument made in furtherance of fundamental rights and the Nigeria Laws
![](https://legaldeskng.com/wp-content/uploads/2024/08/LegaldeskNG-WhatsApp-Channels.jpg")
- Privacy and protection of personal data of the citizens falls within the confines of Section 37 of the Constitution:
Section 37 of the Constitution states as follows:
“The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
The court gave the above quoted Section of the Constitution an elastic interpretation to include “privacy and protection of personal data”. In determining this, the court enthused as follows:
Even from the holding of the trial court at pages 89-90 of the Record which I have quoted above and the dictum of Agim, J C A (as he then was) in NWALI V EBISEC (supra), as well as the provisions of Article 2.9 of the NDPR, 2019 which I have quoted above, it is beyond doubt that, even as the scope of privacy of citizens as used in Section 37 of CFRN, 1999 remains undefined, such a scope will undoubtedly include the privacy and protection of the personal data of citizens.
- Notice and consent of a customer is required for the creation of a domiciliary account:
The fact the personal data of a customer is at the disposal of the bank does not confer automatically on the bank a unilateral action to open a domiciliary account for its customer without proper notice given and consent of the customer sought.
The court observed as follows:
The respondent has not also contended that the CBN regulations or directives on creation of a tier one account do not require consent of the customer……… It therefore seems to me that there was no justification for creating the tier one domiciliary account for the applicant without knowledge or consent.
It could be deduced from the above quotation that notice and consent are requirements of the law.
- Processing of personal data does not only involve disseminating it to a third party:
The word “processing” as defined in the NDPR in clause 1.3 (xxi) includes among others collection, recording, organisation, structuring, storage, adaptation [ Emphasis mine].
The court is of the view that Miss Folashade Molehin’s personal data was adapted by the bank to create a tier one domiciliary account for her without her consent.
In determining this, the court observed as follows:
A combined reading of the clauses therefore shows that to process data does not involve disseminating same to a third party only. It is any operation performed on personal data. That to my mind, includes the use of the data as done in the instant case. There is no provision for an implied consent in this matter. The consent must be express.
CONCLUSION
Right to privacy is a fundamental human right as enshrined in Section 37 of the Constitution. It is therefore imperative that data controllers safeguard the personal data of their data subjects and utilize it in a way that does not breach their privacy rights.
Similarly, where there is a need to process, adapt, store or record the personal data of a data subject, proper notice must be given and consent must be sought.
REFERENCES
Black’s Law Dictionary, 9th Edition, Edited by Bryan A. Garner (2009 Thomson Reuters)
Constitution of the Federal Republic of Nigeria, 1999 (as amended)
Cybercrimes (Prohibition, Prevention, E.t.c) (Amendment) Act, 2024
Child’s Right Act, 2003
Freedom of Information Act (FOI), 2011
Miss Folashade Molehin V United Bank For Africa PLC (FHC/L/CS/2625/2023)
Nigeria Data Protection Regulation (NDPR), 2019
Nigeria Data Protection Act (NDPA), 2023
The Nigerian Communications Act, 2003
