- in United States
- within Tax, Employment and HR and Corporate/Commercial Law topic(s)
- with readers working within the Consumer Industries and Law Firm industries
Introduction
The Nigerian Data Protection Act 2023 (NDPA) was enacted to establish a comprehensive statutory framework for data protection in Nigeria. Before its enactment, the Nigerian Data Protection Regulations 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA), served as the primary instrument governing data protection. The NDPR significantly reshaped the national data protection landscape, prompting NITDA to undertake several enforcement actions and public awareness initiatives. Subsequently, through an executive directive, the Nigerian Data Protection Bureau (NDPB) was carved out of NITDA, as an independent body with the mandate to enforce the NDPR. Upon the enactment of the NDPA, the NDPB was, by operation of law, transformed into the Nigerian Data Protection Commission (NDPC), which has since recorded notable enforcement actions alongside increased litigation initiated by private individuals.
Facts of this case
In the case at hand, the Applicant, Mr. Araka, a registered customer of Jumia Foods, an online food delivery services now defunct, relying on the constitutional right to privacy and relevant provisions of the NDPA, sought several declaratory reliefs. These include a declaration that both Respondents qualify as data controllers within the meaning of the NDPA; a declaration that the 2nd Respondent's continued retention of his personal data violates his right to erasure under Section 34 (2) of the NDPA; and a declaration that the processing of his personal data for direct marketing purposes is unjustifiable and contrary to the lawful basis and consent requirements contained in Sections 25 and 26 of the NDPA.
The 1st Respondent, an online delivery platform that partnered with Jumia Foods to fulfil online food orders, argued that its business model requires it to receive and process orders placed through smart devices. Consequently, it must collect certain personal data from users. It further contended that, under the terms and conditions of Jumia Foods, Mr. Araka, being a registered customer, had consented to the sharing of his personal data with third parties, including the 2nd Respondent, solely for the purpose of processing his orders. The 1st Respondent maintained that the Applicant's personal data was used strictly for this limited and legitimate purpose. The 2nd Respondent, for its part, stated that it had entered into an On-Demand Service Agreement (ODSA) with the 1st Respondent, and that the Applicant had consented to the 1st Respondent's processing and transfer of his personal data for order processing and delivery. It also explained that it periodically sends bulk direct marketing messages about its products to existing customers and individuals who had previously used its services, with a clear option provided to opt out of such communications.
A notable fact in this case is that, upon receiving a complaint from Mr. Araka, the 1st Respondent instructed the 2nd Respondent to cease sending unsolicited marketing messages, a directive the 2nd Respondent complied with. However, these marketing communications resumed automatically when the Applicant subsequently placed a new online order.
Findings of the Court
In reaching its decision on 18th of February 2025, the Court first noted that established case law affirms that the right to privacy extends to the protection of personal information.1 The Court further outlined the underlying objectives of the NDPA, namely, to ensure that personal data is processed lawfully, transparently, and with accountability by data controllers and processors. It held that any person who acts contrary to the provisions of the NDPA infringes the data subject's right to privacy and is liable to compensate the data subject for the resulting breach.
The Court sided with the 1st Respondent that the Applicant had consented to the processing of his personal data by accepting the Respondent's Terms and Conditions as well as its Privacy and Cookie Notice, particularly since the Applicant neither challenged nor denied this fact. The Court then proceeded to examine the allegation that the Applicant's personal data had been misused, or processed for a purpose other than that for which it was collected. In doing so, it relied on section 131 of the Evidence Act 2011, which provides that "he who asserts must prove". The Court held that the Applicant failed to demonstrate that the 1st Respondent had processed his personal data beyond the scope of the stated purpose. Accordingly, the Applicant's claim under this ground failed.
With respect to the allegation that the processing of 1 See Incorporated Trustees of Digital Rights Lawyers Initiatives & Ors v NIMC (2021) LPELR-55623 (CA). the Applicant's personal data violated section 25 of the NDPA, which sets out the lawful bases for processing, the Court referred to the provision and listed the recognised bases as: (i) consent; (ii) contract; (iii) legal obligation; (iv) vital interest; (v) public task [sic]; and (vi) legitimate interest. In its analysis, the Court held that the appropriate lawful basis for processing the Applicant's personal data fell under Section 25(1)(b) of the NDPA, which permits processing where it is necessary "for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract." The Court found that the Applicant had indeed entered into a contractual relationship with the 1st Respondent for the placing and delivery of food orders, and that the processing of his personal data for the purpose of fulfilling that contract was therefore lawful. However, the Court emphasised that nothing in that contract authorised the use of the Applicant's personal data to send unsolicited marketing SMS messages. On that basis, the Court concluded that the 2nd Respondent's actions violated the Applicant's constitutional right to privacy.
The Court proceeded to make several important declarations relevant to data protection compliance. It affirmed that the 1st and 2nd Respondents qualify respectively as a data controller and data processor within the meaning of the NDPA. It held that the 2nd Respondent's retention of the Applicant's personal data contravened his right to erasure under Section 34(2) of the NDPA. The Court further found that the processing of the Applicant's personal data lacked a valid lawful basis and did not satisfy the consent requirements under the NDPA, and that the processing exceeded the purpose for which the data was originally collected. As a remedy, the Court awarded the sum of ₦3,000,000 (three million naira) as general damages for the violation of the Applicant's fundamental right to privacy by the 2nd Respondent.
Commentary
From my reading of the Court's decision, three key observations arise.
First, in its assessment of whether the Applicant had granted consent within the meaning of Section 26 of the NDPA, the Court did not specify the precise manner in which consent was obtained. The reasoning suggests that the Court may have treated the Applicant's acceptance of the 1st Respondent's Terms and Conditions and its Privacy and Cookie Notice as sufficient to establish valid consent. However, Sections 26(3) and 26(7) expressly provide that a data subject's silence or inactivity does not constitute consent, and that consent must be affirmative and not derived from a pre-selected option. Taken together, these provisions require a clear, active expression of agreement by the data subject. As such, pre-ticked boxes or any mechanism that does not require a deliberate action by the user would not satisfy the statutory threshold for valid consent.
Second, the Court did not appear to consider the potential applicability of the "legitimate interest" basis under Section 25(1)(v) of the NDPA as a lawful ground for the 2nd Respondent's processing of the Applicant's personal data. Legitimate interest may, in appropriate circumstances, be relied upon where a pre-existing relationship exists, particularly in contexts involving unsolicited direct marketing communications. It also necessitates an assessment of the reasonable expectations of the data subject at the time and within the specific context in which the personal data was collected.
Third, the Court's conclusion that the Applicant's personal data was consented to solely for the purpose of placing and receiving food orders appears to conflate the concept of consent with the doctrine of legitimate interest. By restricting the scope of the Applicant's consent in this manner, the Court implicitly foreclosed the possibility that the 2nd Respondent could rely on legitimate interest as an alternative lawful basis for the processing in question
Conclusion
This judgement reinforces the growing judicial recognition of data protection rights in Nigeria and underscores the heightened compliance expectations placed on data controllers and processors under the NDPA. By affirming that a breach of the NDPA amounts to an infringement of the constitutional right to privacy, the Court has effectively elevated statutory non-compliance to a fundamental rights violation, with corresponding exposure to significant damages. Data controllers and processors must therefore appreciate that even routine practices, such as direct marketing communications or data retention beyond the permitted scope now carry substantial legal risks.
The judgment also reveals certain interpretive gaps in the Court's application of the NDPA, particularly regarding the standard for valid consent and the potential applicability of legitimate interest as a lawful basis for processing. While the Court appeared to treat general acceptance of contractual documents as sufficient consent, Sections 26(3) and 26(7) require affirmative, unambiguous agreement. Similarly, the Court did not engage with the possibility that legitimate interest could justify certain forms of direct marketing. These omissions signal the need for clearer judicial guidance and highlight the responsibility of organisations to adopt compliance practices that meet the higher statutory threshold, regardless of gaps in judicial reasoning.
In practical terms, data controllers and processors must review and strengthen their consent mechanisms, ensure that processing aligns strictly with clearly defined purposes, and implement robust governance systems to manage data subject rights, especially erasure and objection to direct marketing. Organisations should adopt explicit opt-in mechanisms, conduct legitimate interest assessments where applicable, and maintain documented evidence of compliance to mitigate liability. This case serves as a strong reminder that proactive compliance is not optional; it is essential to avoid reputational harm, regulatory sanctions, and judicial awards of damages.
Footnote
1 See Incorporated Trustees of Digital Rights Lawyers Initiatives & Ors v NIMC (2021) LPELR-55623 (CA).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
