1. Introduction

With the increase in the use of data in the world today, there has come the need to have the rights of the data subjects protected. Data subjects’ rights refer to those rights available to a data subject to control and protect the use of his data. Data subjects’ rights embody the soul of data protection as it affords data subjects the opportunity to limit the extent to which an organisation can lawfully process personal data, thereby safeguarding data subjects from any foreseen and unforeseen use of personal data for arbitrary use.

Accordingly, various countries have made efforts to ensure that these rights are properly protected by their various data protection laws. For example, in Nigeria, Section 34-38 of the Nigeria Data Protection Act (“NDPA”) provides for the various rights conferred on a data subject. The right to erasure is one of the rights provided under the NDPA and it refers to the right of individuals to have their data deleted from an organisation’s database. Often, this right is also referred to as the right to be forgotten, however the NDPA makes no provision for the phrase “right to be forgotten”

The right to erasure was upheld and judicially recognised in the recent landmark decision of the High Court of Lagos State in Tokunbo Olatokun v Polaris Bank Limited delivered by Honourable Justice Y.A. Adesanya on December 5, 2024. The judgment was delivered in favour of the Applicant, who alleged a violation of his fundamental right to privacy and a breach of data protection regulations by the Respondent.

This case is pivotal to the practice of data protection in Nigeria. It lends credence to the recognition of the right to privacy of every Nigerian citizen guaranteed under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria. It further strengthens the need for compliance with the laws guiding data protection operation in Nigeria, that is, the Nigerian Data Protection Act 2023 and the Nigerian Data Protection Regulation (NDPR) 2019. It also suggests the judiciary’s commitment to upholding the principles of privacy and data sovereignty in the digital age. Accordingly, this paper analyses of the case as well as its impact on the data protection practice in Nigeria.

2. Background And Summary of the Facts of the Case

Mr Tokunbo Olatokun (Applicant) was a customer of the Polaris Bank Limited (Respondent) and sometime in the year 2024, the Applicant made a request to the Respondent to delete his information (email address and phone number) from the Respondent’s database. The Applicant further requested that the Respondent refrain from sending him any message via text or email and the request was made in line with the Respondent’s communicated process for deleting information from its database. Despite the clear request/ instructions which the Respondent acknowledged receipt of, the Applicant continued receiving unsolicited messages on his phone number and email.

In view of the continued unsolicited messages received by the Applicant from the Respondent, the Applicant initiated the instant suit against the Respondent at the High Court of Lagos State seeking the following reliefs amidst others:

1. A declaration that the Respondent’s repeated unsolicited emails to the Applicant constitute a violation of his fundamental Right to privacy guaranteed by Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended).
2. A declaration that the Respondent breached the provision of Section 36(1) and (2) of the Nigerian Data Protection Act, “NDPA” 2023 and the Applicant’s right of objection when they refused to close his account and continued sending him marketing emails even after objecting to them.
3. A declaration that the Respondent breached the provision of Section 34(1)(c) of the Applicant’s right to restrict further processing of personal data when they continued to send him marketing emails even after instructing them to close the account.

The Applicant argued that the Respondent’s continued messaging against his express instruction constituted a violation of his fundamental right to privacy. He also argued that these unsolicited messages were highly intrusive, disturbing, and offensive, and caused him emotional, psychological and mental injury, anxiety, and discomfort. In response to the suit, the Respondent argued that it complied with the Applicant’s request to close his account and that the unsolicited emails were sent pursuant to section 2.4.3. of the Central Bank of Nigeria’s Consumer Protection Framework, which allows the Respondent to send marketing emails, text messages, etc., to its customers if it comes at no cost.

The Court, in its ruling, held that the Respondent breached the Applicant’s right of objection to the processing of his data and his right to restrict further processing of his data pursuant to Section 36(1) and (2) and Section 34(1)(a) and (c) of the NDPA when it continued to send The Court also granted the sum of NGN 1,000,000 (One Million Naira) as general damages.