In yet another legal victory by Media Rights Agenda (MRA), a Federal High Court in Abuja has ordered the Central Bank of Nigeria (CBN) to make available to the organization the information it requested in its May 22, 2020 letter regarding the bank’s data protection policies and practices and pay it N1 million as damages for wrongfully denial of access to information.
The judgment by Justice Donatus Uwaezuoke Okorowo came about a month after another judge of the Federal High Court in Abuja also handed MRA victory by granting its request for, among other things, an order of perpetual injunction restraining the National Broadcasting Commission (NBC) from further imposing fines on radio and televisions stations in Nigeria while rendering judgment in a legal challenge mounted by MRA against the power of the broadcast regulatory authority to fine broadcasters.
MRA’s latest victory arose from a suit filed by the organization on June 15, 2020, through its lawyer, Mr. Darlington Onyekwere, challenging the CBN’s refusal to disclose the information it applied for by a letter to the bank dated May 22, 2020, signed by Mr. Ayode Longe, MRA’s Director of Programmes.
In a suit instituted against the CBN, the CBN Governor and the Attorney General of the Federation, MRA asked the Court to compel the bank and its Governor to make available the information it requested in its May 22, 2020 letter to the bank in which it asked, among other things, for copies of all the CBN’s data protection policies issued in conformity with the Nigeria Data Protection Regulation (NDPR), 2019; the name and contact details of the CBN’s Data Protection Officer, designated in accordance with the NDPR and its relevant data privacy instruments and data protection directives.
MRA had also asked for details of all capacity building training or other capacity building activities undertaken for the Data Protection Officer and other CBN personnel involved in any form of data processing since the issuance of the NDPR; the number of persons or individuals whose personal data it processes on an annual basis; and a report from a detailed audit it conducted of its privacy and data protection practices in accordance with the NDPR.
Opposing MRA’s suit, the CBN and its Governor claimed that the information requested by the organization relates to the implementation of the NDPR by the bank and that the bank takes the issue of security and protection of the privacy of personal data of members of the public and its employees seriously and ensures that the collection and utilization of such data is in accordance with the requirements of data protection laws and regulations.
The bank claimed that it had published a Privacy Notice as a PDF file on its website and that the privacy notice is widely available to members of the public through the website. Saying that the privacy notice contained the information sought by MRA in its letter dated May 22, 2020, the bank contended that the FOI Act does not apply to published materials and urged the court not to grant MRA’s prayers as it would not be in the interest of justice to do so.
Delivering judgment on June 14, 2023, Justice Okorowo held that on the state of the facts, there was abundant proof of breach of the FOI Act by the CBN, as alleged by MRA.
Observing that the CBN’s defence is that the information sought by MRA has been published and was therefore excluded by the FOI Act, the judge ruled that the burden of proving that the bank was authorized to deny MRA’s application for information on the ground of publication rests on the bank and that it failed to demonstrate that the privacy notice, which it claimed contained the information requested by MRA, was published on its website or otherwise made available to the public at the time of MRA’s request for the information.
He said: “The claim that Exhibit CBN1 (the privacy notice) was published is doubtful since it was indicated to be confidential document at the bottom of the pages of the document. Failure to prove that the information requested by the Applicant (MRA), including Exhibits CBN 1 and 2, are published robs the 1st and 2nd Respondents (the CBN and its Governor) of the benefits of Section 26 of the FOI Act. And I so hold.”
Justice Okorowo noted that MRA had shown that its request letter was delivered to the CBN by courier, DHL, by tendering the waybill for the dispatch and the proof of delivery showing that the bank received it on May 27, 2020 and that the seven days provided under the Act passed without it receiving any response.
He held that the failure or refusal of the CBNto disclose or make available to MRA the information requested by the organization in the letter amounts to a violation of its right of access to information established and guaranteed by Sections 1(1) and 4 of the Freedom of Information Act, 2011, adding “By the same token, it also amounts to wrongful denial of access to information under section 7(5) of the Freedom of Information Act, 2011.”
Observing that where a public institution considers that an application for information should be denied, under Section 4(b) of the FOI Act, the institution is required to give a written notice to the applicant that access to all or part of the information requested would not be granted, the judge said: “In this case, the reason for refusal/denial was not communicated as required by Section 4(b) of the Act to the Applicant (MRA).”
He ruled that the failure of the CBN to give a written notice to MRA that access to all or part of the information it requested would not be granted as well as its failure to state the reasons for its denial of access and the section of the Act under which the denial was made amounted to a violation of section 4(b) of the Act.
Referring to the argument of Mr. Onyekwere, on behalf of MRA, that the CBN and its Governor received MRA’s request letter since May 27, 2020 but chose to ignore it in flagrant contravention of their responsibilities under the FOI Act, Justice Okorowo said: “The events leading to the institution of this suit is a good case for the award of exemplary damages” as prayed for by MRA.
He therefore directed the CBN and its Governor to pay MRA the sum of N1 million as exemplary and aggravated damages “for the flagrant and unlawful violation” of the organization’s right of access to information
The judge however said having granted MRA’s claim for exemplary damages, being a court of equity, it was sufficient punishment for the CBN and its Governor and as a result, he would not grant MRA’s request for an order compelling the Attorney-General of the Federation to initiate criminal proceedings against them.
He issued an order compelling the CBN to make all the information requested by MRA available to the organization, namely:
- Copies of all data protection policies of the CBN, issued in conformity with the NDPR;
- The name and contact details of the Data Protection Officer of the CBN, designated in accordance with the NDPR, together with the CBN’s relevant data privacy instruments and data protection directives;
- Details of all capacity building training or other capacity building activities undertaken for the Data Protection Officer of the CBN and other personnel of the bank involved in any form of data processing since the issuance of the NDPR;
- The number of persons or individuals whose personal data the CBN processes on an annual basis, that is over a period of 12 months.
- A report from a detailed audit conducted by the CBN of its privacy and data protection practices in accordance with the NDPR. The audit report should contain the following information:
(a) the personally identifiable information that the CBN collects on its employees and members of the public;
(b) the purpose for which the personally identifiable information is collected;
(c) copies of any and all notices given to individuals regarding the collection and use of their personal information;
(d) details of any access or opportunities given to individuals to review, amend, correct, supplement, or delete their personal information collected or held by the CBN;
(e) information on whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and details of any method used to obtain consent;
(f) copies of the policies of the CBN and details of its practices for ensuring the security of personally identifiable information;
(g) copies of the policies of the CBN and details of its practices for the proper use of personally identifiable information;
(h) copies of the CBN’s policies and details of its procedures for privacy and data protection;
(i) copies of the CBN’s policies and details of its procedures for monitoring and reporting violations of privacy and data protection policies; and
(j) copies of the CBN’s policies and details of its procedures for assessing the impact of technologies on its stated privacy and security policies.