
Introduction
On April 10, 2025, Honourable Justice Abubakar Hussaini Musa of the Federal Capital Territory High Court, Abuja, delivered a landmark judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited (Suit No. FCT/HC/GAR/CV/187/2024). This case, initiated by the Claimant via an Originating Summons dated February 20, 2024, sought to enforce compliance with Nigeria’s data protection framework, specifically Sections 24 and 27 of the Nigeria Data Protection Act (NDPA) 2023 and Article 2.5 of the Nigeria Data Protection Regulation (NDPR) 2019. The Claimant, a public interest organization, challenged the Defendant’s alleged failure to deploy privacy notices for its CCTV surveillance and website tracking, conduct a Data Protection Impact Assessment (DPIA), and adequately inform data subjects, including the Claimant’s Country Director, Ozoemena Nwogbo, about the collection and processing of their personal data. Seeking declaratory reliefs, mandatory orders, and substantial damages, the suit tests the boundaries of data privacy obligations in Nigeria’s evolving digital landscape, raising critical questions about enforcement, compliance, and the role of public interest litigation in safeguarding personal data.
In response, the Defendant challenged the suit primarily on the grounds of the Claimant’s locus standi and disclosure of a reasonable cause of action. The Court, in its determination, framed three key issues:
- Whether the Claimant had the requisite locus standi.
- Whether the facts of the case constitute a reasonable cause of action against the Defendant.
- Whether the Defendant breached the Claimant’s privacy under the NDPA 2023.
Key Legal Issues Addressed:
1. Locus Standi to Institute Action under the NDPA 2023.
The court addressed the issue of locus standi by determining whether the Claimant, a corporate entity, had the legal capacity to institute and prosecute the suit as a public interest group in the light of the Defendant’s argument that the Claimant lacked a direct legal relationship with the Defendant and had not demonstrated how its own civil rights were adversely affected.
The court, relying on Centre for Oil Pollution Watch v. NNPC (2019) 5 NWLR (Pt. 1666) 518, held that the Claimant had locus standi because the suit was a public interest litigation. The court reasoned that public interest litigation allows non-governmental organizations (NGOs) to sue on behalf of groups or individuals who may lack the resources or awareness to seek redress themselves. The Claimant’s objectives, as outlined in its Constitution (Exhibit B), include educating the public on data protection and advocating for data security, which aligned with the suit’s purpose of safeguarding public data privacy rights.
However, the court noted that the Claimant, as a juristic person, could not directly suffer a data breach. The suit was based on the experience of the Claimant’s Country Director, who visited the Defendant’s facility. The court clarified that public interest litigation does not require the Claimant to have a personal stake but rather a broader interest in protecting public rights, as supported by the Supreme Court’s reasoning in Centre for Oil Pollution Watch.
Legal Implications:
The NDPA 2023 does not explicitly define locus standi for public interest litigation, but the court’s reliance on Centre for Oil Pollution Watch establishes that NGOs with objectives related to data protection can sue to enforce compliance with the NDPA, even without direct personal injury.
- The decision expands access to justice under the NDPA by recognizing the role of advocacy groups in holding data controllers accountable, particularly for vulnerable data subjects.
- However, the court’s caution that the Claimant’s objectives do not explicitly include litigating breaches suggests that NGOs must clearly align their constitutional mandates with the reliefs sought to avoid challenges to their standing.
While the court’s recognition of public interest litigation is progressive, it did not fully address whether the NDPA imposes specific requirements for locus standi beyond general principles. Section 46 of the NDPA allows a “data subject” to lodge complaints with the Nigeria Data Protection Commission (NDPC), but it is silent on whether non-data subjects, like NGOs, can directly initiate court actions. Future cases may need to clarify whether NGOs must first exhaust administrative remedies with the NDPC before approaching the courts.
2. Gaps in Nigeria’s Data Governance Landscape.
The judgment highlights several gaps in Nigeria’s data governance framework, as revealed through the Claimant’s allegations and the court’s findings:
a. Lack of Clear Enforcement Mechanisms:
- The NDPA establishes the NDPC as the primary regulatory body (Section 6) with powers to investigate complaints and issue compliance orders (Sections 46–48). However, the judgment reveals a gap in enforcement, as the Claimant bypassed the NDPC and directly approached the court. The court noted that the NDPA provides for administrative remedies (e.g., lodging complaints with the NDPC under Section 46) and judicial review only after exhausting these remedies (Section 50). This suggests a lack of clarity or awareness among litigants about the NDPA’s procedural requirements.
- The absence of evidence that the Claimant engaged the NDPC before filing the suit underscores a gap in public awareness and institutional capacity to handle data protection complaints efficiently.
b. Ambiguity in Privacy Notice Requirements:
The Claimant alleged that the Defendant failed to deploy privacy notices on its website and at its physical facility, as required by Section 27 of the NDPA. The court, however, found that the Defendant’s website (Exhibit D) contained a notice regarding third-party data sharing, which the Claimant overlooked. This points to a gap in standardizing what constitutes a “clear, concise, transparent, intelligible, and easily accessible” privacy notice under Section 27(3). Without specific NDPC regulations or guidelines on privacy notice formats, organizations like the Defendant may adopt inconsistent practices, leading to disputes.
c. Data Protection Impact Assessments (DPIAs):
The Claimant’s second issue alleged that the Defendant failed to conduct a Data Protection Impact Assessment (DPIA) as required under Section 28 of the Nigeria Data Protection Act (NDPA) 2023. The court did not extensively address this issue because the Claimant failed to substantiate claims of high-risk data processing activities that would necessitate a DPIA. The Nigeria Data Protection Commission’s (NDPC) issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, provides critical clarity on DPIA obligations, addressing gaps highlighted in the judgment.
Article 28 of the NDP Act-GAID 2025 mandates that data controllers and processors conduct a DPIA when processing is likely to result in high risks to data subjects’ rights and freedoms, particularly for activities involving sensitive personal data, automated processing, or large-scale data collection. Schedule 4 of the GAID outlines a comprehensive DPIA template, requiring assessments of processing purposes, data categories, lawful bases, risks (e.g., data breaches, unauthorized access), and mitigation measures. It further specifies that DPIAs must evaluate necessity, proportionality, and data subject rights, with a final assessment determining whether processing should proceed, be modified, or be halted. The frequency of DPIA reviews (e.g., monthly, quarterly, or annually) must also be justified based on risk levels.
The absence of NDPC regulations at the time of the judgment contributed to uncertainty, as Section 28(3) of the NDPA empowers the NDPC to issue such guidelines, but none were cited. The GAID 2025 rectifies this by providing clear criteria and a structured process, reducing ambiguity for data controllers like the Defendant. For instance, the Defendant’s use of CCTV surveillance and patient data collection could trigger a DPIA if deemed high-risk under Schedule 4, particularly if involving vulnerable data subjects (e.g., minors or patients with health conditions, per Schedule 6’s Data Subject Vulnerability Indexes). The Claimant’s failure to demonstrate such risks likely weakened their case, but the GAID’s framework now enables more precise evaluations.
Despite this progress, the GAID reveals a lingering implementation gap: the need for widespread awareness and capacity building to ensure organizations understand and apply DPIA requirements. Article 7(o) of the GAID mandates DPIAs when required by the NDPA or directed by the NDPC, emphasizing proactive compliance. Future litigation will benefit from these guidelines, but the NDPC must prioritize training and enforcement to ensure data controllers consistently meet these obligations, fostering a robust data protection regime in Nigeria.
d. Limited Judicial Precedent:
The NDPA is a relatively new statute, and this case is among the early judicial interpretations of its provisions. The court’s reliance on environmental law precedents (e.g., Centre for Oil Pollution Watch) rather than data protection-specific authorities indicates a gap in local jurisprudence. This reliance may limit the development of nuanced data protection law tailored to Nigeria’s digital context.
e. Public Awareness and Compliance:
The Claimant’s allegations about CCTV surveillance and patient forms suggest a broader gap in public and organizational awareness of NDPA obligations. The Defendant’s defense that CCTV was installed for security purposes (aligned with Section 3(2) exemptions) was accepted without scrutiny of whether the Defendant complied with transparency requirements (e.g., signage indicating CCTV use). This reflects a gap in ensuring that exemptions are balanced with data subject rights.
Recommendations to Address Gaps:
- The Nigeria Data Protection Commission (NDPC) has addressed the need for clarity in data protection compliance through the issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, which provides detailed guidance on privacy notices, Data Protection Impact Assessments (DPIAs), and exemptions under the Nigeria Data Protection Act (NDPA) 2023. Set to take effect on 19 September 2025, the GAID’s comprehensive frameworks, including Articles 7(l–m) and 27 for privacy notices, Article 28 and Schedule 4 for DPIAs, and Article 5 for exemptions, aim to ensure data controllers and processors have clear, actionable obligations. To maximize compliance, the NDPC should focus on robust awareness campaigns and capacity-building initiatives before and after the GAID’s implementation to support organizations in aligning with these enhanced standards, thereby strengthening Nigeria’s data protection regime.
- Strengthening the NDPC’s capacity to investigate and resolve complaints could reduce premature litigation and enhance administrative enforcement.
- Developing a robust body of data protection case law will help clarify the NDPA’s application and address novel issues in Nigeria’s digital economy.
3. Judicial Reasoning on Privacy in the Digital Age.
The court’s reasoning on privacy in the digital age, as articulated in the judgment, reflects a cautious approach to balancing data protection with practical realities:
a. Interpretation of NDPA Provisions:
- The court meticulously reproduced and analyzed Sections 24, 25, 27, and 28 of the NDPA, adopting a literal interpretation as advocated by the Claimant. It emphasized that data controllers must process personal data fairly, lawfully, and transparently (Section 24) and inform data subjects of processing details (Section 27). However, the court found no evidence that the Defendant’s data collection was unlawful or not transparent, as the data subject (Ozoemena Nwogbo) consented to data collection by completing the Patient Information Form (Exhibit C) and paying for registration.
- The court’s finding that the Defendant’s website notice satisfied Section 27 suggests a practical approach to digital privacy, recognizing that explicit consent mechanisms (e.g., clicking an icon for third-party data sharing) meet statutory requirements.
b. CCTV and Security Exemptions:
The court accepted the Defendant’s argument that CCTV surveillance was justified for security purposes under Section 3(2)(a)–(c) of the NDPA, which exempts data processing for crime prevention, public health emergencies, or national security. This reflects judicial recognition of the need to balance privacy with public safety in the digital age, particularly in a security-conscious context like Nigeria. However, the court did not explore whether the Defendant provided visible CCTV warnings, which could have strengthened its analysis of transparency obligations.
c. Constitutional Privacy Rights:
The Claimant invoked Section 37 of the 1999 Constitution, which guarantees privacy of citizens’ homes, correspondence, and communications. The court, citing Hon. Peter Nwali v. Ebonyi State Independent Electoral Commission (2014), clarified that Section 37 protects specific aspects of privacy (e.g., homes, telephone conversations) but found no evidence that the Defendant’s actions violated these rights. This reasoning underscores a narrow interpretation of constitutional privacy in the digital context, limiting its application to data protection unless a clear breach is demonstrated.
d. Absence of Data Breach Evidence:
The court’s central reasoning was that the Claimant failed to show an actual breach of the data subject’s privacy under Section 40 of the NDPA. It emphasized that a cause of action under the NDPA requires evidence of harm, loss, or injury (Section 51), which was absent. This approach aligns with digital age privacy principles that prioritize tangible harm over speculative concerns, reflecting a pragmatic judicial stance.
The court’s reasoning is grounded in statutory interpretation but lacks engagement with emerging digital privacy challenges, such as automated data processing or profiling, which are referenced in Section 27(1)(g) of the NDPA. The judgment could have explored whether the Defendant’s CCTV or patient data systems involved automated decision-making, which requires specific disclosures.
Also, the court’s reliance on consent (via the Patient Information Form) overlooks potential power imbalances in healthcare settings, where patients may feel compelled to provide data without fully understanding its implications.
Furthermore, the acceptance of security exemptions for CCTV without requiring evidence of compliance with transparency measures (e.g., signage) risks undermining data subject rights in the digital age.
4. Implications for the Future of Legal and Policy Advancement
The judgment has significant implications for the development of data protection law and policy in Nigeria:
a. Strengthening Public Interest Litigation:
- By recognizing the Claimant’s locus standi, the judgment sets a precedent for NGOs to advocate for data protection compliance, fostering a culture of accountability. This could encourage more public interest litigation to enforce NDPA provisions, particularly for marginalized groups who lack access to legal recourse.
- However, the court’s dismissal of the suit as premature highlights the need for clearer guidelines on when public interest litigation is appropriate under the NDPA. Future policy should clarify the interplay between NDPC complaints and direct court actions.
b. Enhancing NDPC’s Role:
The judgment underscores the NDPC’s role as the primary enforcer of data protection laws. The court’s reference to Sections 46–50 suggests that litigants should exhaust administrative remedies before approaching courts, except in cases of clear harm (Section 51). This implies a need for the NDPC to strengthen its investigative and enforcement mechanisms to handle complaints efficiently.
c. Clarifying Compliance Obligations:
The acceptance of CCTV exemptions suggests that policy must balance security needs with data subject rights, possibly through mandatory signage or public awareness campaigns about surveillance.
d. Building Judicial Precedent:
- As one of the early NDPA cases, this judgment contributes to Nigeria’s data protection jurisprudence but reveals a reliance on non-data-specific precedents. Future cases should develop principles tailored to digital privacy, addressing issues like automated processing, cross-border data transfers, and data breach remedies.
- Courts should engage more with international data protection frameworks, such as the EU’s General Data Protection Regulation (GDPR), to align Nigeria’s jurisprudence with global standards, as referenced by the Claimant’s citation of RW v. Osterreichische (C-154/21).
e. Promoting Digital Economy Growth:
- The NDPA aims to strengthen Nigeria’s digital economy (Section 1(h)). The judgment’s dismissal of speculative claims ensures that organizations are not unduly burdened by frivolous litigation, fostering a business-friendly environment. However, robust enforcement of NDPA provisions is essential to build public trust in digital services, encouraging participation in Nigeria’s digital economy.
- Policy should prioritize capacity building for data controllers, particularly in sensitive sectors like healthcare, to ensure compliance without stifling innovation.
f. Addressing Speculative Litigation:
- The court’s characterization of the suit as “speculative” and “premature” warns against fishing expeditions in data protection litigation. Future litigants must provide concrete evidence of harm or non-compliance to succeed, reinforcing the need for factual grounding in NDPA claims.
- This could prompt policy reforms to streamline NDPC complaint processes, ensuring that legitimate grievances are addressed administratively before escalating to courts.
Conclusion
The judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited is a significant step in Nigeria’s evolving data protection landscape. It affirms the role of public interest litigation in enforcing NDPA compliance, highlights gaps in enforcement and awareness, and adopts a pragmatic approach to digital privacy. However, the dismissal of the suit as premature underscores the need for clearer regulatory frameworks, enhanced NDPC capacity, and robust judicial precedent to address emerging digital challenges. For Nigeria to advance its data governance, policymakers must prioritize standardized compliance measures, public education, and international alignment to foster a trusted and secure digital economy.
Written by Adeola Osifeko LLB, LLM, ACIS, ABR. Partner, Corporate Commercial Group at AEO Law Practice
