ARTICLE
31 January 2025

Fiduciary Duty And Data Protection: Examining The Court's Decision In Frank Ijege v Nigeria Data Protection Commission

Streamsowers & Köhn

Contributor

Streamsowers & Köhn is a leading commercial law firm providing legal advisory and advocacy services from its offices in Lagos, Abuja and Port Harcourt. The team has extensive experience in acting for Nigerian and international companies, government and industry regulators in the firm’s various areas of practice.

Introduction

On 22nd November 2024, the Federal High Court (the Court) in Frank Ijege v Nigeria Data Protection Commission (Suit No. FHC/KD/CS/34/2024) delivered a landmark decision invalidating certain provisions of the Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance (the Guidance Notice), issued by the Nigeria Data Protection Commission (NDPC or the Commission). One of the invalidated provisions was paragraph 1(2), which provides:

A data controller or a data processor who is under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject shall be regarded as a data controller or a data processor of major importance – taking into consideration the significant harm that may be done to a data subject if such data controller or processor is not under the obligations imposed on data controllers or processors of major importance.

The crux of the applicant's case was that, considering sections 5(d), 44, and 65 of the Nigeria Data Protection Act 2023 (NDPA), paragraph 1(2) exceeded the NDPC's statutory authority, rendering it ultra vires, null, and void. Consequently, the applicant sought its invalidation.

This article examines the Court's decision, with a particular focus on paragraph 1(2) of the Guidance Notice, which outlined the fiduciary responsibilities of data controllers and processors towards data subjects. It explores the arguments presented by both parties, the Court's findings and the extent to which the provision aligned with the NDPA. This article also examines the breadth of the fiduciary relationship created under the NDPA and by extension under paragraph 1(2) of the Guidance Notice.

Finally, the article assesses the implications of the decision for the NDPC and for data controllers and processors operating in Nigeria.

Case analysis

As an initial matter, it is important to address certain averments contained in the affidavit deposed to by the applicant in support of his case. In paragraphs 12–15, the applicant states as follows:

  1. I am the data protection officer of my Law Firm, hence my privacy is impacted by the registration and submission of my personal data to the [NDPC].
  2. The [NDPC's] forced registration will negatively impact our privacy especially since we will be required to provide personal information as controllers or processors of major importance.
  3. The personal information of members of my Law Firm will be exposed when forced to register with the [NDPC].

The applicant essentially argues that compliance with the registration requirements under the Guidance Notice would infringe upon his right, and that of his staff, to privacy as guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (the Constitution). In rebuttal, counsel for the NDPC argued that the applicant failed to substantiate how the registration process, which involves submitting specific information for registration as a data controller or processor, interferes with their right to privacy. Specifically, counsel noted that the applicant made no attempt to clearly define or demonstrate the alleged infringement.

However, in my view, the applicant appears to misconceive the nature and intent of the Guidance Notice. An examination of the Guidance Notice will show that it does not seek to collect personal data, as suggested by the applicant. Rather, it mandates the registration of data controllers and processors classified as entities of major importance, ensuring compliance with data protection standards to safeguard the rights of data subjects. Even section 44(2) of the NDPA, which prescribes the procedure for registering as a data controller or data processor of major importance, does not explicitly require the provision of personal data as part of the registration process.

Furthermore, the applicant's reliance on section 37 of the Constitution fails to recognise the qualified nature of the right to privacy. Section 45(1)(b) of the Constitution permits derogations from privacy rights where such limitations are: pursuant to a law that is reasonably justifiable in a democratic society; and necessary to protect the rights and freedoms of other persons. On this basis, it is evident that both the NDPA and the Guidance Notice are specifically designed to protect the rights and freedoms of data subjects.

I now turn to the primary arguments surrounding the legality of paragraph 1(2) of the Guidance Notice. The applicant sought its invalidation, relying on sections 5(d), 44, and 65 of the NDPA, which provide as follows:

Section 5 (d) The Commission shall ‘register data controllers and data processors of major importance'.

Section 44

  1. Data controllers and data processors of major importance shall register with the Commission within six months after the commencement of the Act or on becoming a data controller or data processor of major importance.
  2. Registration under subsection (1) shall be made by notifying the Commission of —
    1. the name and address of the data controller or data processor, and name and address of the data protection officer of the data controller or data processor;
    2. a description of personal data and the categories and number of data subjects to which the personal data relate;
    3. the purposes for which personal data is processed;
    4. the categories of recipients to whom the data controller or data processor intends or is likely to disclose personal data;
    5. the name and address, or name and address of any representative of any data processor operating directly or indirectly on its behalf;
    6. the country to which the data controller or data processor intends, directly or indirectly to transfer the personal data;
    7. a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data; and
    8. any other information required by the Commission.
  3. A data controller or data processor of major importance shall notify the Commission of any significant change to the information submitted under subsection (2) within 60 days after such change.
  4. The Commission shall maintain and publish on its website a register of duly registered data controllers and data processors of major importance.
  5. A data controller or data processor shall be removed from the register of the Commission, where it notifies the Commission that it has ceased to operate as a data controller or data processor of major importance.
  6. The Commission may exempt a class of data controllers or data processors of major importance from the registration requirements of this section, where it considers such requirement to be unnecessary or disproportionate.

Section 65 defines a ‘data controller or data processor of major importance' to mean

data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate

The applicant challenges the legality of paragraph 1 (2) of the Guidance Notice arguing, among other things, that its enactment exceeds the powers granted to the NDPC under the NDPA. Specifically, the applicant contends that, in light of sections 3 and 65 of the NDPA, the challenged provision falls outside the scope of authority contemplated by these provisions and should therefore be invalidated.

In response to the applicant's argument, counsel for the NDPC contended that paragraph 1(2) of the Guidance Notice does not contravene section 65 or any other provision of the NDPA. Counsel further argued that the applicant had failed to provide any cogent explanation to show how ‘almost every citizen is involved with one another in a fiduciary relationship with one another to the extent that every human and artificial person would be a data controller and processor of major importance'. He emphasised that accountability, as a threshold principle, is explicitly provided for in the NDPA, particularly in section 24, and is not a creation of the Guidance Notice. On these grounds, among others, counsel urged the Court to dismiss the suit as lacking in merit.

In its analysis, the Court, however, sided with the applicant, holding that the fiduciary relationship element ascribed to a data controller or data processor of major importance under paragraph 1(2) of the Guidance Notice does not align with the criteria enumerated in section 65 of the NDPA. The Court noted that section 65 provides a definitive framework for identifying data controllers or processors of major importance and does not include fiduciary relationships as one of the defining factors. This, according to the Court, is ‘because fiduciary relation could merely be personal'.

In reaching its decision, the Court relied on the principle of statutory interpretation, particularly the literal rule, as reaffirmed in the Supreme Court decision in Sani v. President Federal Republic of Nigeria (2020) LPELR-50990 (SC), which held that statutory provisions must be given their plain and ordinary meaning unless doing so leads to absurdity. Applying this principle, the Court concluded that the inclusion of fiduciary relationships under paragraph 1(2) of the Guidance Notice exceeds the contemplation of section 65 of the NDPA. On this basis, the Court invalidated paragraph 1(2) of the Guidance Notice, holding that it was inconsistent with the express provisions of the NDPA. Consequently, the applicant's case succeeded, and the challenged provision of the Guidance Notice was declared null and void.

In my humble opinion, I respectfully disagree with the decision of the Court to invalidate paragraph 1(2) of the Guidance Notice for the following reasons. First, the NDPA grants the NDPC regulatory powers to prescribe additional classes of data controllers and data processors of major importance. Section 65 expressly empowers the NDPC to: (i) specify the threshold for the number of data subjects whose data processing elevates a data controller or data processor to one of major importance; and (ii) designate other categories of data controllers or data processors [emphasis on the underlined] based on their significance to Nigeria's economy, society, or security. This delegation of authority inherently allows the NDPC to define criteria for the classification of data controllers and data processors of major importance through subsidiary legislation, provided the rule-making exercise aligns with the scope of the NDPA.

Secondly, paragraph 1(2) imposes the data controller and data processor of major importance classification on data controllers or processors in fiduciary relationships, emphasising the heightened risk and harm to data subjects should such entities breach their obligations. In my view, this provision does not explicitly contradict section 65 of the NDPA. Instead, it interprets fiduciary relationships as qualifying under the second limb of section 65, which refers to ‘data controllers or processors of particular value or significance to the economy, society, or security of Nigeria'. Fiduciary relationships involve sensitive and often critical personal data, making their protection integral to societal interests.

In addition, under the principle of expressio unius est exclusio alterius (the expression of one thing excludes others), section 65's explicit reference to two categories of data controllers and data processors of major importance limits the NDPC to creating subsidiary classifications within these categories. Paragraph 1(2), however, aligns with the second category (‘particular value or significance') by emphasising societal harm that could arise from breaches of fiduciary duties. Therefore, paragraph 1(2) does not contradict the NDPA but rather operationalises its broad language, providing clarity on what may constitute significance to societal interests.

In the light of the foregoing, paragraph 1(2) of the Guidance Notice is consistent with section 65 of the NDPA. It provides a logical and reasonable interpretation of the second limb of section 65 by classifying fiduciary relationships as significant to societal interests. This aligns with principles of statutory interpretation, respects the scope of delegated legislative authority and advances the objectives of the NDPA including the objective to ‘safeguard the fundamental rights and freedoms, and the interests of data subjects'. Thus, there is no conflict between the two provisions.

In any case, it must be emphasised that the fiduciary relationship created in paragraph 1 (2) arises because data controllers and processors collect, process and manage personal data on behalf of individuals, creating an implicit trust relationship. This trust inherently places fiduciary responsibilities on data controllers and processors to act in the best interests of the data subjects. By codifying this principle, paragraph 1(2) reinforces the accountability and transparency objectives of the NDPA, particularly where such relationships involve high risks of harm to individuals' rights and freedoms.

In this regard, the data subjects trust controllers and processors to handle their personal data responsibly and in compliance with the highest legal and ethical standards. This fiduciary duty compels controllers and processors to act in the best interests of the data subject by safeguarding their rights and protecting their personal data against misuse. For instance, section 24 (3) of the NDPA provides that a data controller or processor owes a duty of care, in respect of data processing, and shall demonstrate accountability, in respect of the principles contained in this Act. This duty of care manifests by requiring data controllers and processors to securely handle personal data in their custody, minimise the risk to such personal data and to ensure compliance with all the principles of data processing.

The data processing principle of accountability requires data controllers and processors to take responsibility for their data processing operations and to demonstrate compliance with legal and ethical standards. The accountability principle complements the fiduciary duty by, among other things, ensuring that data controllers and processors: are transparent in disclosing how they collect, use, and protect personal data, enabling data subjects to make informed decisions; take proactive measures by embedding privacy-by-design and privacy-by-default practices into their systems and processes; and institute an adequate mechanism that provides avenues for data subjects to exercise their rights as data subjects and seek remedies for grievances.

Furthermore, section 39(1) of the NDPA emphasises data security by mandating the data controller and processor to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access. A failure to meet the fiduciary duty erodes trust and undermines the duty of care owed to the data subject.

In addition, section 62(a)(i)–(ii) authorises the NDPC to, among other things, issue guidelines regarding its (enforcement) operations that foster accountability, ensure transparency and consistency with the highest ethical standards and ensure compliance with international best practices, as it relates to the regulation of data protection and privacy.

In light of the fiduciary duty imposed on data controllers and processors, the duty of care and accountability principles under the NDPA, and the NDPC's authority to issue guidelines that enhance compliance, it is difficult to see how the Court could have invalidated paragraph 1(2) of the Guidance Notice on the basis that it lacked any bearing on the provisions of the NDPA. 

Implications

The Court's invalidation of paragraph 1(2) of the Guidance Notice raises significant questions about the limits of regulatory authority and the interpretation of legislative intent. While the Court emphasised the literal rule of statutory interpretation, it arguably overlooked the purposive approach, which considers the broader objectives and context of the enabling legislation. The NDPA explicitly aims to safeguard data subjects' rights, promote accountability, and enhance trust in the digital ecosystem.

To achieve these goals, the NDPA grants the NDPC broad powers to prescribe additional categories of entities subject to heightened regulatory oversight. The invalidation of paragraph 1(2) may inadvertently narrow the scope of protections available to data subjects, particularly in situations where fiduciary relationships play a central role in data processing activities.

The Court's decision also has significant practical implications for the NDPC, as well as data controllers and processors operating in Nigeria:

  1. For the NDPC

    The decision presents a challenge for the NDPC in its efforts to enforce data protection standards effectively. By invalidating paragraph 1(2), the Court has limited the NDPC's ability to classify data controllers and processors of major importance based on fiduciary relationships. This restriction could create regulatory gaps, particularly in sectors such as healthcare, legal services and financial services, where fiduciary relationships are integral to operations and involve processing highly sensitive personal data.

    Moving forward, the NDPC may need to revisit its regulatory framework and provide more detailed justifications for its classifications under section 65 of the NDPA. It may also consider seeking legislative amendments to clarify its powers and address ambiguities that could lead to further legal challenges. Alternatively, the decision of the Court may be appealed to the Court of Appeal on the basis that the Court erred in its interpretation of the NDPA and paragraph 1(2) of the Guidance Notice.

    In addition, the NDPC could explore alternative mechanisms, such as issuing sector-specific guidelines or engaging in stakeholder consultations to build consensus on the classification of entities of major importance.

  2. For Data Controllers and Processors

    For data controllers and processors covered under the NDPA, the decision underscores the importance of understanding the legal framework governing data protection obligations. While the invalidation of paragraph 1(2) may provide temporary relief for some entities, it also creates uncertainty regarding the criteria for classification as a data controller or processor of major importance. 

    Entities in fiduciary relationships with data subjects should not assume that the absence of explicit regulatory classification absolves them of heightened responsibilities. Fiduciary duties, by their nature, impose ethical and legal obligations to protect personal data and act in the best interests of data subjects. Organisations should proactively adopt best practices for data protection, including implementing robust security measures, conducting regular risk assessments, and ensuring compliance with the NDPA's accountability principles.

  3. For the Data Subjects

    The judgment may inadvertently weaken protections for data subjects whose personal data is managed under fiduciary relationships. Without explicit recognition of such relationships as a basis for heightened regulatory scrutiny, there is a risk that data subjects could face greater harm from breaches or misuse of their data.

Conclusion

The decision in Frank Ijege v Nigeria Data Protection Commission marks a very important moment in Nigeria's data protection regulatory landscape and jurisprudence. While the Court's reliance on the literal rule of statutory interpretation reflects a commitment to upholding legislative intent, it also highlights the challenges of balancing regulatory authority with legal precision. By invalidating paragraph 1(2) of the Guidance Notice, the Court has raised critical questions about the scope of the NDPC's regulatory authority and the interpretation of its powers under the NDPA.

While the Court's judgment may appear to narrow the regulatory scope of the NDPC, it also serves as an opportunity for the Commission to refine its framework and reaffirm its commitment to safeguarding data subjects' rights in an ever-evolving digital economy. Moving forward, it will be crucial for the NDPC to balance its mandate to promote accountability and duty of care among data controllers and processors with the requirement to remain firmly within its statutory limits.

This decision also highlights the need for a deeper judicial and regulatory alignment on the fiduciary responsibilities inherent in data processing activities. The invalidation of a provision that codifies internationally recognised principles of accountability and trust could have far-reaching implications, potentially diminishing the protections available to data subjects in Nigeria.

Ultimately, the judgment is a clarion call for the NDPC to engage stakeholders proactively, strengthen its regulatory instruments, and foster a collaborative approach to data protection that ensures clarity, compliance, and alignment with global best practices. By addressing these challenges, the NDPC can enhance its regulatory impact while preserving the fundamental rights of data subjects and maintaining trust in Nigeria's data protection ecosystem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
