Data Protection Risks in Banking Operations in Nigeria: Lessons from Sadiya v GTB

Mar 18, 2026 | Publications

Key Contacts

Dafe Ugbeta

Disputes Partner
Litigation & ADR Practice Group

Beauty Adiela

Associate
Litigation & ADR Practice Group

Introduction

The enactment of the Nigeria Data Protection Act, 2023 (NDPA) marks a fundamental recalibration of Nigeria’s data protection framework. The Act aligns Nigeria’s data protection landscape with modern global standards, criminalising unauthorised use of personal information and ensuring accountability in data handling. It safeguards individual privacy rights, granting citizens increased control over their personal information, such as rights of access, correction, and objection to processing, while imposing obligations on organisations that collect and use data. Within this framework, financial institutions, particularly banks, which process vast volumes of personal and financial data, often in circumstances that can produce significant legal, economic, and reputational consequences for data subjects, are now in a uniquely sensitive position, one that frequently brings them within the reach of data privacy enforcement proceedings.
Data privacy has transitioned from a predominantly administrative and regulatory concern into a robust rights-based statutory regime with direct judicial enforceability. Notably, data rights are now redressable under the general constitutional right to privacy and the specific rights created and enforceable under the NDPA.
It is against this background that this Case Note reviews the factual circumstances and decision of the Federal High Court in Hadiya Suleiman Sadiya v Guaranty Trust Bank Plc. Before turning to the commentary that follows, it bears highlighting at the outset that this decision authoritatively delineates the status, obligations, and liabilities of banks as data controllers, particularly where personal data is processed without consent or any other lawful basis. It also crystallises the emerging judicial posture on institutional accountability under Nigeria’s evolving data protection regime.

Relevant facts

The Plaintiff alleged that the Defendant unlawfully obtained and processed her personal data, specifically her name and mobile telephone number, to open and operate a bank account without her knowledge, consent, or authorisation. The Plaintiff never applied for an account and only became aware of its existence upon receiving unsolicited SMS notifications generated by the Defendant’s banking system. Despite a formal demand, the Defendant failed to disclose the source of the Plaintiff’s personal data. It initially denied the existence of any such account, only later admitting that an account bearing a substantially identical name existed and had since been restricted and closed.

The Plaintiff contended that these acts constituted a violation of her constitutional right to privacy under section 37 of the Nigerian Constitution and multiple provisions of the NDPA.

Court’s Decision & Commentary

Banks as Data Controllers under the NDPA

In its decision, the Federal High Court held, unequivocally, that banks fall squarely within the statutory definition of “data controllers” under section 65 of the NDPA. A data controller is any person or body that determines the purposes and means of processing personal data. By their nature, banks routinely determine both the purpose and manner in which extensive personal and financial data of customers are processed in the course of providing banking services.
Of particular significance is the Court’s rejection of the argument that the absence of a banker–customer relationship could absolve a bank of data protection obligations. The Court held that liability under the NDPA is not predicated on contractual privity or commercial relationships but arises directly from the act of processing personal data. Once a bank determines the purpose and means of such processing, it assumes the full spectrum of statutory obligations imposed on data controllers. By necessary implication, the NDPA establishes an autonomous regime of rights and duties triggered by processing, not by privity.

Consent and Lawful Basis for Data Processing

In the judgment, the Court emphasised that consent and the existence of a lawful basis for processing data are foundational requirements under sections 25, 26, and 30 of the NDPA. Consent must therefore be freely given, informed, specific, and unambiguous, and the burden of proving its existence rests squarely on the data controller.
The Court equally found compelling evidence that the Plaintiff never consented to the processing of her personal data. The unsolicited SMS alerts, admissions by some bank personnel, and the successful use of her details for account-related transactions collectively established that the Defendant processed the Plaintiff’s data without any lawful authorisation. The Defendant’s inconsistent denials and subsequent admissions fatally undermined its defence.

Privacy Rights and Constitutional Protection

Notwithstanding the robust provisions of the NDPA, the Court relied on appellate authorities such as Omotayo v Airtel Networks Ltd and Digital Rights Lawyers Initiative v NIMC and affirmed that data protection violations are not merely statutory breaches but may simultaneously amount to constitutional infractions.
Consequently, the Court adopted a purposive and progressive interpretation of section 37 of the Constitution, affirming that the constitutional right to privacy extends beyond physical spaces to encompass informational and data privacy. By opening and operating accounts and transmitting SMS notifications using personal data without consent, the bank was held to have intruded into the private informational sphere of the data subject. This dual-layer protection substantially elevates the compliance burden on data controllers, particularly within the financial sector.

Transparency, Accountability, and Remedial Obligations

A defining feature of the decision is the Court’s uncompromising stance on transparency and accountability. The failure of the bank to disclose the source of the Plaintiff’s personal data, coupled with evasive and contradictory responses, was held to be in breach of sections 24 and 36 of the NDPA.
Once a data subject objects to the processing of personal data, the bank is under a mandatory obligation to discontinue such processing unless it can demonstrate overriding lawful grounds. The Court construed the word “shall” in section 36 as imposing a compulsory, not discretionary, duty. Importantly, the belated closure of the account did not cure the antecedent breaches. This approach mirrors the reasoning that accountability under data protection law requires proactive disclosure and prompt remediation, rather than evasive correspondence or belated internal corrective measures.