By Olumide Babalola

Two of the reasons for the stunted growth of privacy and data protection in Nigeria are (1) a lack of awareness of the data protection obligations of businesses and the rights of customers; and (2) the lethargy of Nigerian citizens towards seeking legal or administrative redress for privacy violations. Little wonder Privacy International, in their Stakeholder Report, decries that the right to privacy is the least litigated fundamental right in Nigeria. This narrative needs to change!

Last week, one of the largest retail stores in Nigeria – Prince Ebeano Supermarket, unassumingly published a notice of data breach at its outlets in Lekki. According to them, the incident has ‘affected’ the database of customers and prevented access to loyalty points.

I am one of their customers, hence, when this incident was brought to my notice, I immediately did a quick search to ascertain the supermarket’s level of minimum compliance with their data protection obligations as a controller of thousands of customers’ personal data. My first shock was the absence of any privacy notice on their website, at the very least. This is a red flag for lack of transparency and unfair data processing activities. My second search revealed that the supermarket has neither filed a data protection compliance audit since 2019 nor designated an officer to relate with the public on data protection, hence I did not know to whom my enquiries on their privacy practices could be directed.

Consequently, on the 9th day of August 2023, I approached the High Court of Lagos State, for some reliefs, to wit:

A DECLARATION that the Respondents’ collection and storage of the Applicant’s personal data in a database with (undisclosed) software without his consent or due information on data security interferes and/or is likely to further interfere with the Applicant’s right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999.

A DECLARATION that the Respondents’ processing of Applicant’s personal data without compliance with the provisions of the Nigeria Data Protection Act, 2023 and Nigeria Data Protection Regulation 2019 constitute an interference with the Applicant’s right to privacy guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria, 1999.

A DECLARATION that the Respondents have admitted a personal data breach by virtue of the notice pasted at the Respondents’ business premises thus:
“Dear Esteemed Customers, Kindly note that due to a system error during software upgrade which affected our client database. We are currently not able to add points, all accumulated points will be redeemable once we are able to resolve the issue.”

A DECLARATION that the Respondents’ collection and storage of the Applicant’s personal data in a database with an (undisclosed) software violates the principle of transparency provided under section 24(1)(a) of the Nigeria Data Protection Act, 2023.

A DECLARATION that the Respondents’ collection and storage of the Applicant’s personal data in a database with an (undisclosed) software breaches the Respondents’ obligations to provide adequate information to the Applicant at the time of collection of his personal data in contravention of section 27(1) of the Nigeria Data Protection Act, 2023.
A DECLARATION that the omission or lack of a privacy policy on the Respondents’ website – https://princeebeano.comviolates the express provision of section 27(3) of the Nigeria Data Protection Act, 2023.

A DECLARATION that the Respondents’ omission to inform its customers of the personal data breach suffered by its database software through national dailies or social media constitutes a violation of its duty under section 40(3) of the Nigeria Data Protection Act, 2023.

A DECLARATION that the Respondents’ omission to inform the Nigeria Data Protection Commission of the personal data breach suffered by its database software within 72 hours of its discovery constitutes a violation of its duty under section 40(2) of the Nigeria Data Protection Act, 2023.

A DECLARATION that the Respondents’ omission to file a data protection compliance audit since 2020 is a violation of the provision of article 4.1(7) of the Nigeria Data Protection Regulation 2019.

A DECLARATION that by virtue of section 53(2) of the Nigeria Data Protection Act, 2023, the Respondents and their business entity are vicariously liable for the data breach suffered by Prince Ebeano Supermarket.

PERPETUAL INJUNCTION restraining the Respondent from further processing (storing and using) the Applicant’s personal data without compliance with the provisions of the Nigeria Data Protection Act, 2023 and Nigeria Data Protection Regulation 2019”
While the new suit awaits assignment to a Judge in the jurisdiction, it is hoped that, as many Nigerian businesses continue to integrate technology into their processes, they will not only prioritize citizens’ privacy and data protection concerns but will not further treat personal data breaches with kids’ gloves.