Tech Platforms, Data Controllers & DPCOs: A Nigerian case study

Introduction:

The interplay of relations between a technology-enabled platform and its users, and the mandatory need to comply with data protection laws have remained a growing concern for creators and users of technology. This is especially so in Nigeria where there is a dearth of case laws on data protection and judicial interpretation on complex issues surrounding tech activities. Fortunately, a recent case instituted by Olumide Babalola LP has touched on an aspect of such complex issues surrounding tech activities. This is a review of that decision - Olumide Babalola LP & Anor v. True Software Scandinavia AB and Anor, Suit No: FHC/ABJ/CS/1432/2019 delivered on the 19 of April 2023 by Justice J.K Omotosho of the Federal High Court.

?

Summary of the Case:

Olumide Babalola LP is a Data Protection Compliance Organisation (DPCO). Like all DPCOs, it is mandated to ensure the protection of data privacy as well as compliance with the provisions of the Nigeria Data Protection Regulation (NDPR). The second applicant is a data subject who claims that his personal data has been collected and processed by the owners and operators of the software known as Truecaller App. The claim is that the 1st Respondent (Truecaller) uses the app to harvest telephone numbers of users around the world and makes them available to users of the software all over the world, including that of the 2nd Applicant, without the 2nd Applicant’s consent. The Applicants claim that the right to privacy has been bridged and hinged their suit as a fundamental human right action, whilst citing the provisions of the NDPR.

The 1st Respondent responds that it is not responsible for Truecaller’s activities in Nigeria, rather Truecaller International LLP India is responsible. It therefore raises a preliminary objection on jurisdiction requesting its name to be struck off and the suit dismissed accordingly. It argued that the endorsement for service outside jurisdiction was not made and as such the court lacks jurisdiction. It also raised an issue as to the propriety and locus standi of the 1st Applicant in instituting the suit. The 1st Respondent went on to state that assuming it is in any way responsible for the Applicants, its Truecaller App does not provide services to non-users of the App, and that users of the App granted access and consent to their contact lists. It noted that there is no option for enhanced search for a person’s phone number and that any contact available on its database is that of a user who gave consent for his details to be displayed by the App.

?

Summary of the decision:

The court however formulated two issues for determination. The first was whether failure to serve the 1st Respondent in accordance with the Sheriffs and Civil Process Act makes the suit incompetent, and the second was whether the fundamental right to the privacy of the Applicants was breached by the Respondents. The court held on the first issue that a fundamental right action is sui generis and needs no leave for service outside jurisdiction. If it were a civil suit, the Sheriff and Civil Process Act would have applied. The court cited several cases on the point.

On the issue of whether a fundamental right was breached, the court notes that privacy right is not limited to the words defined in the constitution and that the right to life and privacy connotes everything about the parts of the human person's life, except as limited by the Constitution itself. Thus, by the combined interpretation of the Constitution and the NDPR, the phone number of a person is part of his data. But the court in dealing with the issue of breach of that personal data, held that the Applicants did not prove that their names can be searched on the App and their phone numbers revealed. Since he who asserts must prove the existence of such facts, the onus lies on the Applicants, and they failed to discharge that onus. Weighing the burden with the Respondent's denial that it does not collect or store personal data of non-users who have not given consent, the balance tilts towards the Respondent. The Respondents merely ‘trace the identity and origin of unknown callers.’

The court further examined the definition of a ‘data controller’ and the meaning of ‘processing’ and held that the 1st Respondent did not unilaterally collect or harvest the phone numbers of the Applicants, but rather, it is the data controllers who gave consent and access to those phone numbers. The court noted, ‘the fault here, if any, is on the data controllers (users who downloaded the Truecaller Application) and not the 1st Respondent. Without the actions of the data controllers, the 1st Respondent would have no access to these personal details... The use of the Application is clear from its description and terms and conditions. The Application is used to trace the identity or origin of unknown callers. This to my mind does not amount to infringement of the right to privacy.’ The court went on to dismiss the application for lack of merit.

Evaluation of the Case and the Decision:

It Is the evaluation of this writer that the court’s decision based on the couching of the claims and declaration sought in the origination summons is a sound decision, except for two major neglects. The Applicants in the suit also committed one major flaw in the drafting of their claims. Let us take the issues seriatim.

On jurisdiction

First, the court in deciding the issue of jurisdiction neglected a fundamental point raised by the Respondent. That point is the locus standi of a DPCO to institute an action. Locus standi is a question of jurisdiction. The 1st Applicant instituted the suit in the name of Olumide Babalola LP. Such a name must have been registered in line with the Company and Allied Matters Act as a business name registration for the objective of law services, et al.

Nigerian courts have held consistently in a plethora of cases that a law firm is not a juristic person and cannot therefore endorse a court process or act in place of a legal practitioner as defined by the Legal Practitioners Act (i.e. a natural person called to bar) See Okafor Nweke (2007) 10 NWLR (Pt.1043) 521; SLB Consortium Ltd v NNPC (2011) 3 SCNJ 185 at 191.

The courts have also held that a business name, generally, is not a legal person and cannot sue or be sued, without including the natural name of the person who is the proprietor of the business i.e. Olumide Babalola. See Shiita v Ligali (1941) 16 NLR 23; Agbonmagbe Bank Ltd v General Manager G.B Olivant Ltd and Anor (1961) 1 All NLR 116.

However, the exception to the above position is where such a party is given a legal persona by statute either expressly or impliedly or by common law. Partnerships, trade unions, friendly societies and foreign institutions authorised by their law to sue and be sued but not incorporated, can also be excused. See Fawehinmi v N.B.A (No.2) (1989) 2 NWLR (Pt.105) 558 and Ataguba and Co v Gura Nigeria Ltd S.C 295, 2000. In the latter case, a legal practitioner was sued in the firm’s name and the Supreme Court looking at the rules of court in the originating jurisdiction, noted that ‘any person carrying on business name other than his name may be sued in such name or style as if it were a firm name.’ The objection was thus dismissed.

There is yet the argument that the provision of CAMA supersedes the Rules of Court. The rules of the court are formed in the exercise of the powers given by a statute. Even where that interpretation is far stretched, a simple reference to section 16(2)(a) of the Legal Practitioners Act makes a case for an indirect recognition of a law firm as a legal persona. The said section stipulates ‘…a legal practitioner shall not be entitled to begin an action to recover his charges unless a bill for the charges containing particulars of the principal items included in the bill and signed by him…or in the name of the firm, has been served…’ Section 19(3) reads ‘The remuneration provisions shall apply to a firm consisting of legal practitioners in partnership as they apply to a legal practitioner.’ it thus appears that a law firm is impliedly recognised as a juristic person.

The above provision can be corroborated by the provisions of the NDPR and recently the NDPA which expressly provide for the role of a DPCO, functions, powers and regulation of DPCOs by the Commission. See section 33 NDPA; and Reg 4.1 (4) NDPR that gave powers to DPCOs to monitor, audit, conduct training and data protection compliance consulting. Since law firms are part of licensed DPCOs, therefore, law firms are expressly recognised as a juristic person in their capacity as licensed DPCOs. Consequently, the court should have dealt with the issue and held that Olumide Babalola LP was properly before the court.

Finally, even if by some surprise miracle the 1st Applicant's name is struck out, the existence of the 2nd Applicant as the party who complained of the harm would have been enough to keep the jurisdiction of the court going.

?

On the meaning of Data Controllers and the Proper Claim Against Tech Platforms like True Caller:

‘A data controller is a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed.’ See the NDPR and the NDPA.

Truecaller admits that users download and install the Truecaller app onto their mobile devices and give it consent to collect their contact information from their mobile phones to store that information in the Truecaller database. The purpose is to trace the identity or origin of unknown callers. ?Indeed, the particular App, it appears, does not store non-members' names and their numbers unless saved accordingly.

Given the above-established fact and the meaning of data controller, the next question is to investigate who stores, processes, or uses personal data without consent. A data subject’s contact information can be stored in a user’s phone where it is freely given by the data subject to the user in consent. It is also possible that a user may obtain a data subject’s number without consent i.e. from a third party or colleague. The act of storing a phone number in the user’s mobile phone constitutes data storage. The act of allowing an application to access the contact database makes the user a data controller. Sadly, it was at this point the court was given nothing to run with.

However, the act of tracing and identifying the origin of data subjects by all users of Truecaller was not part of the consent originally given by the data subject to the user. Hence, the act of putting the data subject into that pool constitutes a data breach by the user. The enabler of the act of tracing and identification is a hand or tool through which the breach occurred. The owner or controller of such tracing and identification apparatus becomes a participant in the act of breach. Moreover, the owner by establishing the apparatus for that purpose determined the purpose for which the breaching platform is to be used. For the avoidance of doubt, the owner’s technological tool is a data processing tool tracing the origin and identification of a data subject who would have preferred to be left out of the pool. If this were the case and the claim, the court’s decision would have been wrong.

But no, it gets interesting. The data subject who wishes to be left alone is left alone (this is the factual situation after the conduct of an empirical test). The only reason why the data subject is caught in the web of such tracing or identification apparatus is that the data subject must have consented at one time or the other when he or she downloaded the Truecaller app and gave consent to become a user in accordance with the terms and conditions of Truecaller.

Thus, the possible way by which Truecaller would be liable is when a user has withdrawn consent by deleting his or her info from the app and uninstalling the app. As Truecaller admits under the T&C ‘You may terminate the terms at any time by uninstalling the Truecaller applications and ceasing the use of the services. These terms will automatically terminate if you fail to comply with them.’

The Applicant would have established that it terminated its user’s right and consent to the app and that despite the same, his personal information gets shown to the world. A practical demonstration would then have moved the court to decide otherwise. Moreover, if the matter was founded after the NDPA, then the burden of proof would have been on the Respondent.

Take-Home Lessons:

·?????? This case is a welcomed development in the advancement of our data protection law in Nigeria. Many thanks to Olumide Babalola LP.

·?????? It is important to note that presently the onus of proof in showing consent now lies with the Data Controller and not the Applicant.

·?????? Tech companies may wish to borrow the business model of Truecaller in the provision of user-generated content services. It limits liability and also protects users due to the existence of a consent pool.

·?????? Tech companies like Truecaller must be on their toes to ensure that the terms and conditions are a practical daily observance and must be reviewed from time to time. This is because it is a gateway to liability.

·?????? It is imminent that tech companies comply with the requirements to engage a licensed data compliance organisation for compliance filing and registration. Imagine what would happen if the claim is for non-compliance with audit requirements. There will be nowhere to run.

Ifeanyi E. Okonkwo is a data protection expert and the deputy head of the IP, Technology, Media & Entertainment sector at Jackson Etti & Edu - a licensed DPCO and sector-focused full-service firm. For discussions on the subject kindly email [email protected]

?