1.0 Introduction
Across generations, it has been said that information is power. While this truth remains unchanged, the digital age has shifted the global perspective towards the realisation that data is a valuable currency. In a world that relies on data for global development, the importance of data to the digital age is such that it fuels technological advancements, shapes the global economy, and informs pivotal decision-making. Amongst all forms of data, personal data serves as a currency with one of the highest levels of purchasing power, influencing consumer behaviour and driving innovation in niche industries. Like a traditional currency, data can be traded, exchanged, utilised to create value, and abused in the absence of strictly enforced laws. According to a global study conducted by Statista, 56 percent of consumers have privacy concerns about the misuse of their personal data.
Privacy is a constitutional right. Therefore, the protection of one’s personal data is an enforceable right, not a suggestion. As sectors such as healthcare start to rely on technology for generating analytics, security and documentation, among other uses, data is being collected, processed and stored on a large scale. According to the Nigeria Data Protection Commission Annual Report 2024, there were 213 ongoing investigations of alleged violations of privacy rights across four sectors, one of which is healthcare. One of the major areas of investigation and enforcement during the reporting period was the use of CCTV for security purposes and the privacy concerns it raises.
Data privacy is the right of an individual to control the collection, usage, storage, and sharing of their personal data. As businesses, including healthcare facilities, digitise their operations, it is imperative to understand the legal boundaries of data privacy to protect individual rights and ensure regulatory compliance.
1.1 Case Analysis of PDPA v. Nizamiye Hospital
As the primary legislation governing data privacy in Nigeria, the Nigeria Data Protection Act (NDPA) 2023 (“the Act”) establishes the legal obligations of data controllers and processors. In the landmark case of Incorporated Trustees of Personal Data Protection Awareness Initiative (PDPA) v. Nizamiye Hospital FCT/HC/GAR/CV/187/2024, the data privacy obligations of a data controller and their enforcement mechanisms were critically examined. The suit was instituted on an alleged breach of Section 24 and Section 27 of the Nigeria Data Protection Act (NDPA) 2023 arising from the defendant’s use of CCTV surveillance and website tracking without appropriate disclosure and notification to the data subjects, its failure to conduct a data privacy impact assessment (DPIA), and its failure to deploy privacy notices on its website and other data collection media to inform individuals of how personal data is collected, processed and stored, as mandated under Article 2.5 of the Nigeria Data Protection Regulation (NDPR).
The key issues in dispute include:
● Locus Standi: Whether the Personal Data Protection Awareness Initiative (PDPA) has locus standi to institute and prosecute the suit as a public interest group.
● Cause of Action: Whether the facts constitute a cause of action against the defendant.
● Breach of Privacy: Whether the facts constitute a breach of privacy under the Nigeria Data Protection Act (NDPA) 2023.
On these issues, the defendant argued that the CCTV monitoring served the public interest in safety, and that patients voluntarily submitted their information during registration; therefore, its data processing activities did not contravene the provisions of the Act. In its final ruling dated 10th April 2025, the court held that the Incorporated Trustees of Personal Data Protection Awareness Initiative possess the requisite locus standi to institute and prosecute the matter, thereby affirming the suit’s status as public interest litigation. However, the court found no substantive proof of a breach of privacy under the Act.
1.2 Balancing Public Interest with Data Privacy Rights
In ensuring the protection of data privacy rights, it is important to strike a balance between an individual’s right to control their personal data and broader public interest. Consent is a core principle of data protection. Section 25 (1)(a) of the Act establishes unwithdrawn consent as a lawful basis for data processing. This consent must be specific, unambiguous, informed and freely given to ensure that data subjects retain control over their personal data.
However, Section 25 (1)(iv) of the Act recognises the performance of a task carried out in the public interest as a lawful basis for processing personal data without consent, potentially diminishing the importance of consent for the processing of personal data. While in principle there is a clear boundary between public interest and personal rights, in practice the distinction is often blurred. Therefore, in cases where the consent of the data subject can reasonably be obtained, the public interest provision should not be exploited to circumvent the rights of data subjects. Where other viable alternatives are available, public interest should not serve as a default blanket justification for privacy breaches. Instead, data processing in the public interest should be guided by data minimisation and, where feasible, explicit consent, to ensure that individuals’ privacy rights are not sacrificed at the altar of public benefits such as security.
Although the constitutional right to privacy is restricted by Section 45 (1) of the Constitution of the Federal Republic of Nigeria 1999, which provides that “Nothing in sections 37, 38, 39, 40 and 41 of this Constitution shall invalidate any law that is reasonably justifiable in a democratic society (a) in the interest of defence, public safety, public order, public morality or public health; or (b) for the purpose of protecting the rights and freedom of other persons.”, public interest should rarely be relied on except in a public health or humanitarian emergency, as provided in Article 25 paragraph 1 of the General Application and Implementation Directive (GAID) 2025.
1.3 The Nigeria Data Protection Act 2023 v. The General Data Protection Regulation
The importance of compliance with statutory and regulatory frameworks in protecting data privacy rights extends beyond the healthcare sector. While the court in PDPA v. Nizamiye Hospital ruled against the alleged breach of privacy and the cause of action, it is important to uphold global best practices in privacy policies in order to balance compliance with operational necessities. The General Data Protection Regulation (GDPR) (the “Regulation”) provides stricter limitations on the processing of personal data in the public interest. These include an explicit proportionality test, which requires that personal data processing in the public interest be strictly necessary and proportionate to its intended purpose and remain subject to the overriding interests and fundamental rights and freedoms of the data subject, which require the protection of personal data, as provided in Article 6 paragraph 1 of the Regulation. It also provides for the right to object to public interest data processing (Article 21, paragraph 1 of the Regulation), and a mandatory impact assessment for public interest personal data processing (Article 35 of the Regulation).
1.4 Recommendations for Regulatory Compliance
Organisations processing personal data should consider the following measures to ensure regulatory compliance.
● Notification of Privacy Policies: Organisations and businesses should ensure the clear display of privacy policies on platforms used for data collection and processing, such as websites, surveillance areas, and registration forms.
● Consent: Businesses must ensure that data subjects’ consent is obtained through procedures that align with the provisions of Section 25 of the NDPA 2023 and Article 27 of the GAID 2025.
● Compliance Audit: Businesses should conduct compliance audits to identify vulnerabilities, reduce exposure to risks, assess compliance, and ensure the ethical usage of personal data.
1.5 Conclusion
The court’s ruling has laid an authoritative precedent regarding the locus standi in public interest litigation aimed at safeguarding data privacy rights. Moving forward, businesses should proactively prioritise compliance with the requisite legal and regulatory framework and implement internal best practice standards for transparency and accountability.
