
INTELLECTUAL PROPERTY LAW 2 PPL 308

CLASS NOTE (WEEK 3)

COMPILED BY:

OYELEKE S. OYENIRAN, Esq


LLB. B.L (FIRST CLASS), LLM, Ph.D. (In view)
Lecturer, Caleb University College of Law

TOPIC: ENFORCEMENT OF DATA PROTECTION BREACH


SUBTOPICS:
I. Enforcement through Commission.
II. Enforcement through Civil Litigation

1.0 INTRODUCTION
In the last discussion, we established certain rights that data subjects have
under the Act and the obligations of data controllers and data processors. Not
adhering to the provision of these rights as established in the Act has very fatal
implications that can lead to death, financial loss, virus, identity theft, spyware,
hacking, phishing, spoofing, unauthorized disclosure, data logging and many others.
The law has created mechanisms for protection in the circumstance of breach. Data
subjects whose data privacy right was breached can seek enforcement through the
Nigeria Data Protection Commission or through civil litigation at the court of
competent jurisdiction.

2.0 ENFORCEMENT THROUGH COMMISSION


Part of the powers of the NDPC is to investigate allegations of data breach. The
commission can exercise this power when it receives complaints from data
subjects or interested parties. The commission may also initiate an investigation of
its own volition if it suspects a violation of the Act. The law mandates the commission
to set up a complaint registry that will be responsible for receiving complaints and
following them up.
In the course of this investigation, the commission may summon witnesses for the
purpose of oral examination. The commission may also request that certain
documents be delivered for the purpose of determining some facts, provided the
person is not under an obligation not to disclose. The commission may also order
parties involved in the investigation to make written representations under oath on
matters pertaining to the data breach. The power of the commission here may be likened
to that of a quasi-judicial body. The law has given it power to conduct a trial and
proceed with a verdict, as well as to impose punishment.
Upon the conclusion of the investigation, the commission may make some orders.
These orders may include warnings, requirements for compliance with the Act's
provisions (including fulfilling data subjects' rights), or cease and desist orders to
stop violating acts, such as processing personal data unlawfully. Any order issued
must be in writing and specify the violated provisions, corrective measures to be
taken, a timeline for implementation, and the right to judicial review. The
Commission also has power to enforce the Data Protection Act by issuing
enforcement orders or imposing sanctions on data controllers or processors found to
have violated the Act. These orders or sanctions may include requiring the violator to
remedy the violation, compensate affected data subjects for any harm suffered,
account for profits gained from the violation, or pay a penalty or remedial fee. The
penalty or fee may vary depending on the size and importance of the violator, with a
higher maximum amount applicable to data controllers or processors of major
importance. Factors considered in determining sanctions include the nature and
severity of the violation, the purpose of data processing, the number of affected data
subjects, the extent of damage and mitigation efforts, the intent or negligence of the
violator, cooperation with the Commission, and the types of personal data involved.
It must also be noted that any party that is not satisfied with the decision of the
commission is at liberty to apply to court for judicial review within 30 days
after the order was made. Judicial review comes into play where a party challenges
the proceedings of an administrative tribunal like the NDPC on the grounds of bias,
irregularity, error, etc. The application for judicial review is to be made to the High
Court.
When the NDPC makes an order in furtherance of its investigative power and the data
controller fails to comply, the failure will be regarded as a criminal offence and the
data controller will be liable to a fine or an imprisonment term of one year. This
provision will not be applicable to persons applying for judicial review under section
50. The commission also has power to arrest, seize and search premises when it
has reasonable cause to believe that a crime has been committed or is being
committed.
The commission may also apply to court for a warrant for the purpose of obtaining
evidence in relation to an investigation. Upon such application, the Judge may issue
a warrant if satisfied that certain conditions are met, such as the likelihood of a
person engaging in conduct that contravenes the Act, the need to prevent an offence,
interference with investigative processes, investigating data security breaches, or
preventing future offences. The warrant authorizes the Commission to enter and
search premises where offences are being committed, seize evidence, search persons
and conveyances, use technology to access data, and require the production of
computers or electronic devices relevant to the investigation.

3.0 ENFORCEMENT THROUGH CIVIL LITIGATION


When data subjects experience harm or loss as a result of a data controller or data
processor violating the Data Protection Act, they also have the right to take legal
action and seek compensation through civil proceedings. This procedure will entitle
the data subject to seek damages and specific performance from the data controller or
processor. Notwithstanding that the data controller has been convicted, the data
subject can still be entitled to an order of forfeiture of assets. The court referred to in
this circumstance is defined in section 65 as any court of competent jurisdiction. It
can, however, be deduced from the law that the intention of the draftsman is for
both the Federal High Court and the State High Court to have concurrent jurisdiction
over this subject matter. We must also be mindful that data protection is an offshoot
of the fundamental human right to privacy.

4.0 VICARIOUS LIABILITY IN DATA PROTECTION


Vicarious liability is a legal concept that makes a person responsible or liable for the
wrongs committed by another person. Section 53 establishes the principles of
corporate and vicarious liability. The essence of this is to ensure that directors and
officers of the data controller are unable to escape from the wrongdoing of their
companies under the guise of separate legal personality. This implies that both
the company (corporate liability) and the principal officer (vicarious liability) will be
responsible for the data breach of their companies. However, principal officers will
be able to escape liability if they can establish any of the following:
1. That the offence was committed without their consent
2. That there is no connivance in the commission of the offence
3. That they put in place all reasonable measures to ensure the safety of data.

Classwork
1. There seems to be a conflict between the Federal High Court of Abuja decision
in DRLI v. Unity Bank (unreported Suit FHC/AB/C/85/2020) and the Lagos
State High Court decision in Okafor v. Okafor (Unreported Suit
LD/12264/MFHR/21). The court in DRLI v. Unity Bank held that a data subject
cannot approach the court for redress without first lodging complaints with the DPA.
However, the Lagos State High Court in Okafor v. Okafor held that a data subject
can seek redress without recourse to the investigative power of the
DPA. The National Commissioner of the Nigeria Data Protection Commission
has invited you to address him on this. What will your advice be?
2. Bertha Medical Record (BMR) is an online application owned by Dr. Bertha
Okezie in partnership with her husband, Engr. Bryan Okezie. Their
application aims to profile the medical records of users and create an
interconnected medical system accessible to various medical establishments
for informed treatment decisions. BMR collects and updates users' medical
records based on prescriptions and hospital visits. Dr. Bertha Okezie has
consistently prioritized data security, employing reputed professionals to
safeguard records. Recently, they hired a cybersecurity expert, Mr. Omede,
who claimed Harvard training, though his credentials were not verified.
During trial and error, Mr. Omede mistakenly exposed users' medical records,
leading to data leakage, including information on high-profile individuals.
Aggrieved users have reported the breach to the Nigeria Data Protection
Commission (NDPC). Dr. Okezie asserts they were not complicit and always
adhered to best practices in data protection. They recommend holding Mr.
Omede liable. The NDPC seeks your advice on this matter. Kindly provide
well-grounded guidance on the appropriate course of action.
3. Does the provision of Section 52 appear like double jeopardy to you? Write a
short legal opinion.
4. Discuss the facts and decision of the ECOWAS Court of Justice in
INCORPORATED TRUSTEES OF DIGITAL RIGHTS LAWYERS
INITIATIVE & ORS v. THE FEDERAL REPUBLIC OF NIGERIA
(2023) ECWA/CCJ/JUD/02/23
5. Ayoola Bank PLC is a commercial bank in Ghana and has been in operation
for the last 10 years. The bank is considering starting a branch in Nigeria. The
Board of Directors has sought your legal opinion on the customer data
protection policy in Nigeria. Kindly write them a letter from your chambers
explaining the liability of a data controller in a situation of data breach. You are
advised to support your letter with statutory authorities.
