A Data Privacy Breach Is Now Enforceable As A Constitutional Right: An Analysis Of The High Court Of Lagos State's Judgment In Bonje v Guaranty Trust Bank Plc, Suit No: LD/18950MFHR/2024 (Unreported)

Introduction

Following the gains made by the Nigeria Data Protection Regulation 2019 towards creating an enforceable legal framework for the protection of data privacy rights in Nigeria, the Nigerian Legislature enacted the Nigeria Data Protection Act 2023. The Nigeria Data Protection Act 2023  (subsequently referred to as the "NDPA 2023" or "the Act") strengthens privacy rights and establishes a comprehensive regulatory framework to regulate the activities of companies, persons and corporate entities handling personal data, as well as introducing strict sanctions for non-compliance with regulatory obligations created under the Act.

Upon the enactment of the NDPA 2023, the Nigerian Data Protection Commission ("NDPC") was established to oversee its enforcement. Following its creation, the NDPC has actively enforced breaches of regulatory obligations against erring data controllers and data processors responsible for processing personal data, within the scope of its regulatory powers, and has sanctioned such entities in accordance with the provisions of the Act.

Under sections 46 and 51 of the NDPA 2023, a data subject who is aggrieved by the action or inaction of a data controller or data processor has an option to either:

1. register their grievances with the NDPC for regulatory enforcement;
2. seek judicial redress before a Court by way of a civil lawsuit for the enforcement of their rights as data subjects.

However, the High Court of Lagos State has, in its recent judgment in the case of Bonje v Guaranty Trust Bank Plc, Suit No: LD/18950MFHR/2024 (Unreported), delivered on 18 September 2025 by Hon. Justice O.A.Oresanya, created a third option for the enforcement of the breach of a data subject's privacy rights. The High Court of Lagos State expanded the jurisprudence on data privacy law in Nigeria by affirming that an aggrieved data subject could seek judicial redress for a breach of their privacy rights under the NDPA 2023 through an action for the enforcement of their fundamental rights under the constitutional right to privacy as guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended). 

The case of Bonje v Guaranty Trust Bank Plc affirms the legal position that a breach of a data subject's rights under the NDPA 2023 constitutes a breach of the constitutional right to privacy guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended). Therefore, this article analyses the Lagos State High Court's judgment and highlights its implications for data controllers and data processors under the NDPA 2023.

Facts of Bonje v Guaranty Trust Bank Plc

The Applicant, Rebecca Temitope Bonje, was a customer of Guaranty Trust Bank Plc (the Respondent). She alleged that sometime in May 2023, in her bid to purchase a property from a third party, she transferred the sum of N5,600,000.00 (Five million, six hundred thousand naira) to the vendor using the Respondent's mobile banking platform. However, the vendor later complained that it did not receive the funds. Confused by this turn of events, the Applicant approached the Respondent to request an explanation for the non-receipt of the transferred funds by the vendor. The Applicant also requested her statement of account from the Respondent, and it honoured her request.

Notwithstanding the issuance of her statement of account, the vendor still complained of the non-receipt of the transferred funds three months after the Applicant made the transfer through the Respondent's mobile banking platform. Confused by these developments, the Applicant wrote to the Respondent through her solicitors, requesting the issuance of her account statement to enable the Applicant to investigate the reason for the non-receipt of the transferred funds. Upon receipt of the Applicant's solicitors' letter, the Respondent issued the Applicant an account statement. The Applicant carefully examined the second account statement sent by the Respondent and found that several transactions were missing, indicating that the account statement had been altered and distorted.

Given the above, the Applicant instituted a fundamental rights enforcement action against the Respondent at the High Court of Lagos State, on the grounds that the Respondent's actions contravened the Respondent's obligations under Section 24 (1) (e) of the NDPA 2023. The Applicant further argued that the Respondent's breach of its obligations under Section 24 (1) (e) of the NDPA 2023 amounted to a breach of the Applicant's constitutional right to privacy. The Respondent filed a preliminary objection on the grounds that the Applicant's claims were incompatible with the fundamental rights guaranteed under the Constitution of the Federal Republic of Nigeria 1999 (as amended)  and could not be enforced under the fundamental rights enforcement procedure, as the dispute was a mere banker-customer dispute.

Although the Respondent denied all the Applicant's allegations contained in her Affidavit, it did not present any documentary evidence to support its denial or establish its position.

Summary of the High Court's Decision

In deciding the lawsuit, the High Court relied on the case of Incorporated Trustees of Digital Lawyers Initiative & Ors v NIMC (2021) LPELR-55623 (CA), where the Court of Appeal recognised data protection rights as being subsumed under the ever-increasing scope of the constitutional right to privacy. The Court held that since established precedent had subsumed data protection rights under the scope of the constitutional right to privacy, invariably, the rights guaranteed under the NDPA 2023 and the corresponding obligations created under the Act also fall under the scope of the constitutional right to privacy under Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended).  It was on this ground that the Court entered judgment in favour of the Applicant and found the Respondent liable for breaching the rights of the Applicant under the NDPA 2023. The Court also held that the breach of the Applicant's right under the NDPA 2023 also constituted a breach of her constitutional right to privacy. Honourable Justice Oresanya, J. at Pages 12-13 of the judgment held as follows:

"It is now settled that the right to privacy of, data is a data protection right which is subsumed in the right to privacy guaranteed under Section 37 of the Constitution – INCORPORATED TRUSTEES OF DIGITAL LAWYERS INITIATIVE & ORS. V NIMC [2021] LPELR-55623 (CA). I have no difficulty in holding that the personal data protection as provided in the Nigeria Data Protection Act 2023 generally falls under the fundamental right to privacy which is guaranteed under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended).  I must state that the question of infringement of fundamental right is largely a question of fact and does not really depend on the dexterous submissions of Counsels (sic) on the law. It is the facts as deposed in the supporting affidavit that is examined, analyzed and evaluated to determine whether the fundamental right of an individual has been breached or dealt with in any manner that is inconsistent with the provisions of the fundamental rights of an individual."

The Court further held that it was bound to uphold the Applicant's arguments because the Respondent did not present any documentary evidence to refute the Applicant's allegations and evidence. Honourable Justice Oresanya, J. at Page 13 of the judgment held as follows:

"From the facts and materials placed before this Court by the parties in their respective affidavit, can it be said that the Respondent is in breach of the personal data rights of the Applicant subsumed under the right to privacy? The Respondent in its counter affidavit to the facts deposed to by the Applicant denied any breach of the personal data right of the Applicant. The Respondent, specifically in paragraphs 6, 7, 8, 9, 10, 13, 14, 16 and 17 of its counter affidavit denied the averments in the affidavit of the Applicant. The Respondent did not support its averment with any documentary evidence so as to dislodge and controvert the averments in the Applicant's affidavit which were supported with documentary evidence placed before the Court. The law is trite that a Defendant who does not give evidence in support of his pleadings or in challenge of the evidence of the Claimant is deemed to have accepted evidence adduced by the Claimant notwithstanding his general traverse or denial."

Another important pronouncement made by the Court is that a Claimant is at liberty to pursue any of the legal options available to it regarding the enforcement of its right to privacy, as a Defendant cannot insist that the Claimant must pursue a particular option to enforce its rights. This pronouncement suggests that an aggrieved data subject can decide to make a complaint against a data controller or processor to the NDPC, commence a civil lawsuit against the data controller or processor or file a lawsuit for the enforcement of their constitutional right to privacy under section 37 of the 1999 Nigerian Constitution (as altered). Honourable Justice Oresanya, J. at Page 9 of the judgment held as follows:

"It is trite that a single transaction whether civil or criminal, can lead to a (sic) multiple causes of action. A single civil transaction may give rise to a cause of action for breach of contract, it could be a tort or breach of privacy and so on. It is always within the right of an aggrieved or injured party to pursue any or all of the causes of action open to him. It is not for a Defendant/Respondent to suggest a cause of action to be pursued by an aggrieved party."

Key Takeaways from the High Court's Decision

The following are the key takeaways deducible from the High Court's judgment:

1. A breach of a data subject's right under the NDPA 2023 can also be regarded as a breach of the data subject's constitutional right to privacy, and such a breach can be enforced under the fundamental rights enforcement procedure.
2. Data controllers and data processors must ensure that their compliance framework for data protection goes beyond mere statutory compliance with the NDPA 2023, as a breach of the rights of a data subject could expose a data controller or data processor to legal liability for breach of fundamental rights way beyond the scope of regulatory sanctions under the NDPA 2023. Where the data controller or data processor is a company actively seeking investors, a judicial decision holding such a company liable for violations of fundamental human rights could adversely affect the company's reputation and its ability to secure investors, given that investors are particularly concerned about ethical business practices.
3. Data controllers and data processors must ensure that they adopt a privacy by design approach to conducting their activities, which emphasises the design of operating procedures which take cognisance of the company's obligations as it pertains to data privacy to ensure that the company's exposure to liability flowing from data privacy is minimised as much as possible.
4. Data controllers and data processors should ensure they develop and maintain a robust internal dispute resolution mechanism to resolve all complaints related to breaches of a data subject's rights under the NDPA 2023. This is because most aggrieved data subjects resort to the courts only when data controllers or data processors do not satisfactorily resolve their genuine complaints.
5. Data controllers and data processors should ensure that they always keep comprehensive documentary records showing how they have protected the data subjects' rights under the NDPA 2023, as the Court would reject any position canvassed by a data controller or data processor if they cannot support their position with documentary evidence.
6. Data subjects are at liberty to enforce their privacy rights through any lawful means recognised by the NDPA 2023 and by judicial authorities.

Conclusion

The decision in Bonje v Guaranty Trust Bank Plc represents a significant development in Nigeria's emerging data protection jurisprudence, as it has expanded the scope of the enforcement of data subjects' privacy rights to include the filing of lawsuits for the enforcement of a data subject's right to privacy under the 1999 Constitution of the Federal Republic of Nigeria. For data controllers and data processors, the case of Bonje v Guaranty Trust Bank Plc serves as a cautionary note, underscoring the need for strict data accuracy and greater prudence in ensuring compliance with data privacy obligations.

Research assistance: Zakkiyah Raji (Intern).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.