By Olumide Babalola
In a suit filed by the Digital Rights Lawyers Initiative (DRLI) against the Minister of Industry, Trade and Investment, the Attorney General of the Federation and the National Information Technology Development Agency (NITDA), the Federal High Court sitting in Awka, Anambra State, per Dimgba, J. restrains the Respondents from further collecting BVN for survival funds until they publish an NDPR-compliant privacy policy in a judgment delivered on the 2nd day of November 2021.
By an originating summons signed by Irene Chukwukelu but argued by Izuchukwu Omeji in Suit. No. FHC/AWK/CS/116/2020 filed in December 2020, DRLI prayed for the following reliefs:
1. A DECLARATION that by virtue of articles 1.1(a), 2.2, & 2.3 of the Nigeria Data Protection Regulation (NDPR) 2019, data protection is guaranteed under right to private and family life provided under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
2. A DECLARATION that the Respondents’ processing of personal data under MSME Survival Fund (https://www.survivalfund.gov.ng/) is likely to interfere with the Applicant’s members’ right to private and family life guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
3. A DECLARATION that the Respondents’ failure to publish a privacy policy on their portal (https://www.survivalfund.gov.ng/) constitutes a violation of regulation 1.1(a) and 2.5 of the Nigeria Data Protection Regulation (NDPR) which provision safeguard the right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
4. A DECLARATION that the Respondents’ failure to provide information on its portal (https://www.survivalfund.gov.ng/) relating to processing of personal data in a concise, transparent, intelligible form constitutes a violation of regulation 3.1(1) of the Nigeria Data Protection Regulation (NDPR) which provision safeguards right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
5. A DECLARATION that the Respondents’ failure to provide information on their portal (https://www.survivalfund.gov.ng/) relating to contact details of its Data Protection Officer, legal basis of processing, recipients of personal data etc constitutes a violation of regulation 3.1(7) of the Nigeria Data Protection Regulation (NDPR) which provision safeguards right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
6. A DECLARATION that the 1st Respondent’s failure as a Data Controller to designate a Data Protection Officer with respect to its processing of personal data on its portal (https://www.survivalfund.gov.ng/) through the Federal Ministry of Industry, Trade and Investment) constitutes a violation of regulation 4.1(2) of the Nigeria Data Protection Regulation (NDPR) which provision safeguards right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
7. A DECLARATION that the 1st Respondent’s processing of personal data on the (https://www.survivalfund.gov.ng/) portal without developing security measures to protect data, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data constitutes a violation of regulation 2.6 of the Nigeria Data Protection Regulation which provision safeguards right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (As Amended).
8. AN ORDER mandating the 1st Respondent to immediately publish a privacy policy for its MSME Survival Fund on a conspicuous part of its portal (https://www.survivalfund.gov.ng/) upon the delivery of judgment herein.
9. AN ORDER mandating the 1st Respondent to designate a Data Protection Officer (DPO) for its MSME Survival Fund (https://www.survivalfund.gov.ng/) and publish his/her contact on the said portal.
10. AN ORDER mandating the Respondents to comply with provision of regulation 3.1(7) of the Nigeria Data Protection Regulation (NDPR) by immediately providing comprehensive information on its https://www.survivalfund.gov.ng/ portal relating to:
a) the identity and the contact details of the Controller;
b) the contact details of the Data Protection Officer;
c) the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing;
d) the legitimate interests pursued by the Controller or by a third party;
e) the recipients or categories of recipients of the Personal Data, if any;
f) the period for which the Personal Data will be stored, or if that is not possible,
a. the criteria used to determine that period;
g) the existence of the Data Subject’s rights
h) the existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
i) m) Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the controller shall provide the Data Subject prior to that further processing with information on that other purpose, and with any relevant further information.
11. AN ORDER mandating the 3rd Respondent to ensure that the 1st and 2nd Respondent comply with the provisions of the Nigeria Data protection Regulation and/or other relevant data protection legislation while processing personal data via its https://www.survivalfund.gov.ng/ portal.
12. PERPETUAL INJUNCTION restraining the Respondents and/or their agents from further processing (collection and retention) of Bank Verification Numbers (BVN) until its publishes its privacy policy and designates a Data Protection Officer (DPO).
13. CONSEQUENTIAL ORDER(S) as this honourable court may deem fit to make in the circumstance.
Before the court, both the AGF and NITDA did not file any response to the suit but the Minister filed an objection rather than respond to the allegations in the suit especially with respect to non-provision of information to data subjects on the portal’s privacy practices.
In resolving the dispute, the court found that the Minister within the context of the case was a data controller and that: “The 1st respondent to whom direct allegation lie did not really counter the applicant’s case by providing any evidence to show that the obligations set out above as a data controller were complied with. One would expect that for such allegations, the 1st Respondent will provide evidence to show that the said portal contains a request for data consent, data policy as well as the identity and contact of controller and Data Protection Officer, all as set out above and as outlined in regulations 2.3(b) , 2.5 and 3.1(7) respectively of the NDPR.”
On whether the Respondents’ non-compliance with NDPR interferes with data subject’s privacy, the court ruled that:
“All things considered, I hold that the failure of the Respondents from taking measures towards protecting the data privacy of the citizens, taking into account the vital information required from the data subject such as Bank Verification Number (BVN), names and addresses, pose threat to the Applicant’s members right to private and family life owing to the fact that the objective of the NDPR as provided in regulation 1.1 is to safeguard the rights of natural persons to data privacy.”
On the necessity to take privacy seriously, the court noted that:
“Notwithstanding the fact that the Survival funds is an economic sustainability plan and for public good, it must be organised and implemented in conformity with the law and in a way that the beneficiaries are not at risk of possible breach of the right to private and family life guaranteed under section 37 of the Constitution.”
Conclusively, the court all reliefs 1 -12 as prayed in the originating summons in a judgment that appears to be first decision on the necessity to ensure website privacy policies provide adequate information to data subjects on the controller’s privacy practices.