Court awarded damages after UBA breached data privacy of customer
The protection of a customer’s personal information from unauthorized use is a right enshrined under section 37 of the 1999 constitution.
In a recent judgment between Mr. Chiebuka Nworah and UBA, the court held that the unauthorized opening of a second USD domiciliary account without the consent of the applicant constituted a breach of his right to the protection of his personal data by the Respondent.
Facts of the case
An applicant, Mr. Chiebuka Nworah, is a customer of UBA with an account domiciled at bank’s Ukpor branch in Anambra state, was expecting the sum of $450 to be paid into his domiciliary account by one Philip Onuoha, whom he had earlier sent his account details to.
However, Mr. Onuoha was called to enquire if he had deposited the money and was told that the money had already been sent to his account.
He waited but did not receive any alert of the said money; however, he was later notified by the bank that a new domiciliary account with account number 2190320230 had been opened in his name and that the money was lodged in the new account.
Consequently, he went to the bank’s Marina, Lagos Head office, and it was confirmed to him that indeed the new Domiciliary account was opened in his name with the $450 lodged.
He enquired from the bank as to why it opened a domiciliary account in his name without his consent but was not convinced by the bank’s explanation.
Upon insisting, the bank told him that the new account was opened in compliance with the CBN circular of 5/3/2021 regarding the “Naira 4 Dollar Scheme” and that banks were asked to set up domiciliary accounts for customers who did not have domiciliary accounts.
Surprised at the explanation of the bank as an active domiciliary account holder that was credited the sum of $250 on December 21, 2020, he averred that he was neither informed of the need to open a second domiciliary account for him nor his consent sought in opening the new account.
He told the court that his personal details, which he provided to the bank while setting up his first domiciliary account, was used by the bank to create a second account without his consent unilaterally.
According to him, he wrote two letters to the bank dated April 26, 2021, and June 30, 2021, asking the bank to transfer the $450 to his first account and close the second account opened without his notice.
However, the bank allegedly refused to accede, and the second account remained active and operative, which made him approach the court on October 21. 2021 seeking to enforce his fundamental human rights allegedly violated by the Respondent.
He said the action of the Respondent (the Bank) compromised his personal data, thereby exposing him to data breaches and potential misuse of the new account created without his knowledge.
Chukwwunonso Azih, His Counsel, argued that the failure of a data controller to obtain the consent of data subjects as stated under the NDPR 2019 means that they have contravened the provision of the NDPR and that such data controllers will be liable to the concerned data subject.
He also submitted that the unauthorized opening of a second USD domiciliary account without the Applicant’s consent constitutes a breach of his right to the protection of his personal data by the Respondent.
The applicant contended that he knew of the fact that the CBN circular of March 5, 2021, on the “Naira 4 Dollar Scheme” did not in any way empower Deposit Money Banks or International Money Transfer Operators to arbitrarily open accounts for customers to take advantage of the Scheme.
Mr. Azih submitted that the right to privacy of data is a data protection right that is subsumed in the right to privacy guaranteed under section 37 of the constitution, which embodies the protection of data privacy.
He submitted that the applicant’s information was supplied to the respondent solely for the purpose of all transactions that arise from the use of the first domiciliary account and that his personal information is subject to data protection laws.
He argued that the same was used in a manner inconsistent with the purpose for which it was supplied and without the consent of the applicant, thereby constituting a breach of the Applicant’s right to privacy.
He asked the court to determine “whether the Respondent’s action constitutes an infringement of the Applicant’s fundamental rights provided in Section 37 of the constitution”.
Reliefs sought by the Applicant
(1) A Declaration that the Respondent violated the data privacy right of the Applicant as enshrined in Section 37 of the Constitution by unilaterally opening a new domiciliary account number 2190320230 without the consent of the Applicant.
(ii) A Declaration that as a data controller, the Respondent’s failure to obtain the Applicant’s consent before processing his data, that is, by unilaterally opening a new domiciliary account number 2190320230, is a breach of the provisions of the Nigeria Data Protection Regulation 2019 (NDPR), as issued by the National Information Technology Development Agency (NITDA)
(iii) A Declaration that as a financial institution, the Respondent’s failure to protect the privacy and confidentiality of the Applicant’s information, and the act of imposing a second domiciliary account number with the number:2190320230 on the Applicant, is a violation of the Central Bank of Nigeria’s Consumer Protection Regulation (“the CBN Regulation”), as issued by the Consumer Protection Department of the Central Bank of Nigeria in a circular dated December 20, 2019.
(iv) An Order directing the said sum of Four Hundred and Fifty United States Dollars (US$450) to be paid into the Applicant’s first domiciliary account number 3002971242 and for the immediate closure of the domiciliary account number opened without the consent of the Applicant.
(V) An Order awarding the sum of Twenty Million Naira (20,000,000) as damages against the Respondent for violating the Applicant’s fundamental and data privacy rights.
(vi) An Order awarding the sum of Two Million Naira (N2,000,000) against the Respondent as the cost of this action.
(vii) And for such further or other Orders as the Honourable Court may deem fit to make in the circumstance.
The Respondent’s case
The Respondent is a limited liability company registered under the Companies and Allied Matters Act and licensed by the apex bank to carry out banking transactions in Nigeria.
On November 16, 2021, it wrote a letter to the applicant’s counsel explaining that the second account was opened due to a system glitch and that the said account had been closed and his money moved to the existing account.
The Respondent did not deny or contradict the Applicant’s claims; however, its lawyer, H.B William submitted that the name under which the respondent was sued is unknown to law.
The Counsel argued that the Bank sued by the Applicant is not a juristic person and that having a non-juristic person as a party is not a misnomer and that same cannot be amended.
Relying on a plethora of cases, He urged the Court to therefore strike out this suit because the suffix “Plc” was not inserted in the name of the Respondent.
What the judge ruled
After listening to arguments and submissions from both parties in the suit, Justice Akintayo Aluko ruled this;
“I have examined the affidavit evidence and documentary exhibits of the Applicant. The Applicant seems clearly to have made a good case against the Respondent.
“The Applicant obviously seems to be on firm ground both by the established facts in support of his claims and in law as contained in his counsel’s submission.
“It is already established that the second domiciliary account was unsolicited, unapproved and opened by the Respondent without the requisite authority and consent of the Applicant.
“It is established that the Respondent, as a financial institution in control of the Applicant’s data, intruded into the personal data and information of the customer unilaterally without his consent, knowledge, and approval, processed the unsolicited second domiciliary account, and unlawfully transferred or intercepted the Applicant’s fund from his lawful account into the illegal account without his consent.
“The action of the Respondent has no justification in law, and same constitutes a violation of the Applicant’s right to privacy according to section 37 of the Constitution.”
On the objection of the Respondent against the suit on the ground that the Applicant sued a non-juristic person, the judge said, “I hold the considered view that the failure of the Applicant to add the suffix “Plc” to the name of the Respondent is a mere misnomer which cannot vitiate the proceedings.
He held that “The Bank is the party being sued as the Respondent in this suit and accordingly the suffix “Plc” is ordered to be added to the name of the Respondent.”
The judge noted that The Bank did not controvert or deny the Applicant’s claims by filing a counter-affidavit.
He said “The law is settled that where the adverse party does not deny depositions on material facts in an affidavit in support of an application by filing a counter-affidavit, such facts not denied in the affidavit in support of the application remain the correct position and the court can act on them if they are not moonshine.
“Those facts are deemed admitted by the Respondent and require no further proof.
“I hold the considered view that, by its action and act of using the personal data and information of the Applicant at its disposal to open the unsolicited second domiciliary account in the name of the Applicant without his knowledge, approval, and consent, the Respondent has breached his right to privacy which has to do with his right to decide, to choose, plan or desire the Second domiciliary account.
“Consequently, reliefs 1 and 4 are hereby granted. With respect to relief 5, I award the sum of N2 million Naira (two million Naira) and N500,000 (five hundred thousand naira) with respect to relief 6 in favor of the Applicant against the Respondent as compensation for the unlawful violation of his fundamental rights and cost of litigation incurred by the Applicant respectively.
“I award the sum of One Hundred Thousand Naira (N100,000) only as cost of action in favor of the Applicant against the respondent.”
The basis for the judgment
On the order to add “plc” to The Bank, the judge said, “The Respondent knew well that it is being described and referred to in the proceedings, and so there is no case of mistaken identity. The respondent even went to the extent of briefing a counsel who wrote a letter dated November 16, 2021.”
The judge further stated, “let me state emphatically here that when both parties are quite familiar with the identity envisaged in a writ of summons and could not have been misled or have any real doubt or misgiving as to the identity of the person suing or being sued, then there can be no problem of mistaken identity to justify a striking out of the action.
“A misnomer that will vitiate the proceedings would be such that it will cause reasonable doubt as to the identity of the person intending to be sued.”
Speaking further, he said, “By the provisions of order 9 rule 14 (2) of the extant Civil Procedure Rules of this Court, which becomes applicable by the provision of Order XV rule 4 of the FREP Rules, 2009, this court is empowered to at any stage of the proceedings either upon or without the application of either party and on such terms as may appear just order that the name of any party improperly joined be struck out and that the name of any party who ought to have been joined or whose presence before the court is necessary to effectually and completely adjudicate upon and settle the question involved in the proceedings, be added.
“Coming from the foregoing, I hold the view that the objection of the Respondent against the suit on the ground of suing a nonjuristic person is misplaced and overruled.”
In interpreting the term “privacy of citizens” as provided in Section 37 of the Constitution, the judge said, “Every provision of the constitution was made to realize a particular object. Therefore it cannot be presumed that any clause in the constitution is intended to be without effect…where the constitution states a word or phrase generally or without any limiting words, it is obvious that it intends that the word or phrase should have general meaning and application, unless other provisions in the constitution state or suggest the contrary.
“If there are no other provisions of the constitution requiring or suggesting the contrary, the Court must apply the word or phrase generally and will have no power to restrict its application to specific situations. For the above reasons,
“I interpret the phrase “privacy of Citizens” generally, liberally, and expansively to include privacy of citizen’s body, life, person, thought, belief, conscience, feelings, views, decisions (including his plans and choices), desires, health, relationships, character, material possessions, family life, activities etcetera.”
On the violation of the applicant’s right, the judge stated, “Apart from the failure of the Respondent to attach the statement of account and banking documents showing that indeed the Applicant’s funds have been transferred or moved to his legal account and that the illegal account has been closed, The content of the letter of the Respondent’s counsel dated November 16, 2021, is a further confirmation establishing the bank’s violation of the Applicant’s right to privacy provided in Section 37 of the Constitution. I agree with the Applicant that he is entitled to compensation for damages for the Respondent’s wrongful, unjustified, unlawful, and unwarranted breach and infraction of his constitutional right to privacy.”
“To this end, I hold that the lone issue in this Judgment is resolved in favour of the Applicant against the Respondent. There is merit in the case of the Applicant,” the judge ruled.
What you should know
Section 37 of the 1999 constitution which is under Chapter IV (Fundamental Rights), speaks on the Right to private and family life of the Nigerian people.
The Section provides that, “The privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications is hereby guaranteed and protected.”
On January 25, 2019, the National Information Development Technology Agency (NITDA) issued a regulation titled “Nigeria Data Protection Regulation (NDPR 2019),” which is the Act that particularly addresses data protection and privacy in Nigeria.
The NDPR 2019 is a data protection regulation aimed at safeguarding the rights of natural persons to data privacy which fosters safe-conductor transactions involving the exchange of Personal Data, prevents manipulation of Personal Data, and it also ensures that Nigerian businesses remain competitive in international trade.
The NDPR 2019 emphasized and strengthened the provision of section 37 of the 1999 constitution of the Federal Republic of Nigeria.