The Plaintiff contended that these acts constituted a violation of her constitutional right to privacy under section 37 of the Nigerian Constitution and multiple provisions of the NDPA.
Court’s Decision & Commentary
Banks as Data Controllers under the NDPA
In its decision, the Federal High Court held, unequivocally, that banks fall squarely within the statutory definition of “data controllers” under section 65 of the NDPA. A data controller is any person or body that determines the purposes and means of processing personal data. By their nature, banks routinely determine both the purpose and manner in which extensive personal and financial data of customers are processed in the course of providing banking services.
Of particular significance is the Court’s rejection of the argument that the absence of a banker–customer relationship could absolve a bank of data protection obligations. The Court held that liability under the NDPA is not predicated on contractual privity or commercial relationships but arises directly from the act of processing personal data. Once a bank determines the purpose and means of such processing, it assumes the full spectrum of statutory obligations imposed on data controllers. By necessary implication, the NDPA establishes an autonomous regime of rights and duties triggered by processing, not by privity.
Consent and Lawful Basis for Data Processing
In the judgment, the Court emphasised that consent and the existence of a lawful basis for processing data are foundational requirements under sections 25, 26, and 30 of the NDPA. Therefore, consent must be freely given, informed, specific, and unambiguous, and the burden of proving its existence rests squarely on the data controller.
The Court equally found compelling evidence that the Plaintiff never consented to the processing of her personal data. The unsolicited SMS alerts, admissions by some bank personnel, and the successful use of her details for account-related transactions collectively established that the Defendant processed the Plaintiff’s data without any lawful authorisation. The Defendant’s inconsistent denials and subsequent admissions fatally undermined its defence.
Privacy Rights and Constitutional Protection
Notwithstanding the robust provisions of the NDPA, the Court relied on appellate authorities such as Omotayo v Airtel Networks Ltd and Digital Rights Lawyers Initiative v NIMC and affirmed that data protection violations are not merely statutory breaches but may simultaneously amount to constitutional infractions.
Consequently, the Court adopted a purposive and progressive interpretation of section 37 of the Constitution, affirming that the constitutional right to privacy extends beyond physical spaces to encompass informational and data privacy. By opening and operating accounts and transmitting SMS notifications using personal data without consent, the bank was held to have intruded into the private informational sphere of the data subject. This dual-layer protection substantially elevates the compliance burden on data controllers, particularly within the financial sector.
Transparency, Accountability, and Remedial Obligations
A defining feature of the decision is the Court’s uncompromising stance on transparency and accountability. The failure of the bank to disclose the source of the Plaintiff’s personal data, coupled with evasive and contradictory responses, was held to be in breach of sections 24 and 36 of the NDPA.
Once a data subject objects to the processing of personal data, the bank is under a mandatory obligation to discontinue such processing unless it can demonstrate overriding lawful grounds. The Court construed the word “shall” in section 36 as imposing a compulsory, not discretionary, duty. Importantly, the belated closure of the account did not cure the antecedent breaches. This approach mirrors the reasoning that accountability under data protection law requires proactive disclosure and prompt remediation, rather than evasive correspondence or vague internal corrective measures.
Data Privacy Impact Assessment (DPIA)
The Court also held that unauthorised account opening constitutes processing that presents a high risk to the rights and freedoms of data subjects, including exposure to identity theft, fraud, and reputational harm, as section 28 of the NDPA imposes a duty on data controllers to conduct a Data Privacy Impact Assessment before engaging in such processing. As such, the Defendant’s failure to demonstrate compliance with this obligation constituted an additional violation, underscoring the preventive, rather than merely reactive, orientation of the NDPA.
Data Privacy Impact Assessment (DPIA)
Even though handed down under different regimes, the pronouncement in Sadiya v. GTB is consistent with, and reinforces, the earlier decision of the Federal High Court in Chiebuka Nworah v United Bank for Africa Plc, where the Court similarly affirmed that data protection obligations operate independently of traditional banking relationships. In that case, the Applicant was a customer of the Respondent, United Bank for Africa Plc, and maintained a domiciliary account opened on 6 October 2020. The account was active and had previously received foreign currency inflows, including a credit of USD 250 in December 2020.
In March 2021, the Applicant anticipated a further inflow of USD 450 into the same account. Contrary to expectation, no credit alert was received. Upon inquiry, the Respondent informed him that a second domiciliary account had been opened in his name (without his request or consent) and that the funds had been lodged into that unsolicited account.