Nigeria: Exploring The Arbitrability Of Data Privacy Disputes In Nigeria

INTRODUCTION

With the exponential increase in the use of personal data by individuals and businesses in the technology age, data protection is at the forefront of the agendas of many countries worldwide. In Nigeria, consumers and data subjects now have greater rights in relation to the use of their personal data, following the issuance of the Nigeria Data Protection Regulation 2019 ("NDPR" or the "Regulation"). The Regulation contains principles and prescriptions that organisations, government, and businesses have to adhere to, to keep their data subjects' personal data accurate, safe, and secure. To this end, Regulation 17 of the Regulation grants data subjects who have suffered "material or non-material damages" as a result of a violation, the right to an effective judicial remedy against a controller or processor and to receive compensation from them. This right to effective judicial remedy through a dispute resolution mechanism is largely synonymous with litigation, and sadly, arbitration is yet to gain widespread acclaim as a viable and effective dispute resolution method for data privacy disputes. Much of the focus has been on the adjudication of data protection disputes in the court room. This is partly because in the context of the Nigerian framework as provided under the Regulation, arbitration is not expressly referenced as a dispute resolution mechanism for breach of data protection and data privacy.

Against the backdrop of the foregoing, it is pertinent to examine the implication of a privacy policy that requires disputes to be resolved by arbitration. Accordingly, this article seeks to explore this subject by examining the prescriptions in the NDPR on resolution of data privacy dispute, viz a viz the legal framework in Nigeria on arbitration.

General overview of Data Protection in Nigeria

Prior to the introduction of the NDPR, most data protection disputes or privacy breaches were enforced under Section 37 of Nigeria's 1999 Constitution as amended which provides thus:

The above quoted provision forms the foundation of data privacy rights and protection in Nigeria. However, this provision was framed in general terms and ultimately fell short of highlighting the nature, scope, implications and other specifics of the right to privacy. This constitutional deficiency militated against the development and entrenchment of the right to privacy and may be contributory to the scarcity of judicial pronouncements on the subject.

Recognizing the need to expand on the provision of the constitution, the National Information Technology Development Agency (NITDA) published, in 2013, Guidelines on Data Protection. The Guidelines was the first attempt in Nigeria at establishing a data protection framework of general application. Barely six years later and on January 25th, 2019, NITDA issued the NDPR. Although there are existing industry-specific laws on data protection, the Regulation is specifically dedicated to data protection and provides a general framework on the various safeguards, standards and protection applicable to the collection, storage, processing, management, operation, and technical control of personal data in Nigeria. The Regulation may also be considered the most far-reaching data law passed in Nigeria, imposing stringent conditions on companies and stiff penalties on defaulters. In addition to the Regulation, an Implementation Framework (Draft NDPR Framework) published in July 2019 which elaborates/clarifies the provisions of the Regulation as well as contains useful templates¹ was issued. This was followed by the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 ("the Guidelines") issued on May 18 2020 and governs the roles and responsibility of public officers and public institutions with regards to the processing and management of personal data in compliance with the Regulation. These two instruments complement the provisions of the Regulation.

General Overview of Arbitration in Nigeria – 'Un-Arbitrable' Disputes

In Nigeria, the Arbitration and Conciliation Act 1988 (ACA) is the principal legislation on arbitration and largely covers the federation² . The ACA is modelled after the provisions of the UNCITRAL Model Law. Generally, arbitration is considered the preferred method of dispute resolution due to its efficiency, simplicity, flexibility, party autonomy and cost effectiveness.

It should be noted however that the ACA confines the use of arbitration to commercial disputes.³ Commercial in this context is defined under the ACA to mean4:

However, the ACA does not explicitly list conflicts that are not arbitrable; rather, the test of arbitrability as espoused by the courts is whether the conflict can be settled legitimately by method for accord and satisfaction. ⁵ This simply requires that an arbitrable dispute must be such that the parties have full authority/competence to, and can between each other, vary, compromise and resolve the dispute without obtaining the consent or ratification of a third party. In addition, it is also generally accepted that disputes affect or alter the legal status of any individual are not arbitrable⁶ . In the same vein, recent court decisions⁷ have held that commercial conflicts arising from the fiscal clauses of contracts are not arbitrable, as the dispute impacts on the government's duty of tax collection.⁸

In Kano State Urban Development Board vs. Fanz Construction Limited⁹ , the Supreme Court outlined categories of matters that are not arbitrable in Nigeria – they include:

1. indictment for an offence of a public nature;
2. dispute arising out of an illegal contract;
3. disputes arising under agreements void as being by way of gaming or wagering;
4. disputes leading to a change of status such as divorce petition; and
5. any agreement purporting to give an arbitrator the right to give judgment in rem.

The rationale for the above decision is that an arbitral tribunal, being a creation of contract, is not endowed with general and wide jurisdiction, bestowed upon regular Courts, which are equipped to adjudicate in complex issues and are competent to offer wider range of reliefs to the parties in dispute.¹⁰

Administrative Redress Panel under the NDPR

The NDPR empowers NITDA to establish an Administrative Redress Panel (ARP) to investigate allegations of breach, invite concerned parties, issue administrative orders to protect Data Subject, conclude and determine appropriate redress within twenty-eight (28) working days. ¹¹

However, it is useful to note that the ARP does not oust the jurisdiction of the courts to entertain data privacy disputes. This is because the NPDR expressly provides that the establishment of the ARP is without prejudice to the right of a data subject to approach the court for redress in respect of any data breaches. In any case, the ARP being a quasi-judicial body, is subject to the supervisory jurisdiction of the high courts and prerogative orders such as certiorari and injunctions may be issued by the court against the ARP in pursuance of the court's powers of judicial review.

Furthermore, the powers and remit of the ARP from its terms of references are framed around public law and regulatory objectives and may not necessarily satisfy private law remedies/redress expectations of a data subject which may include applications for monetary damages or compensation for data breaches. This view is expressed against the backdrop of the fact that under the NDPR, sanctions for breach of data privacy are essentially penal in nature and lie in fines or imprisonment. ¹² Consequently, there still exists an incentive for a data subject who has suffered breaches of his personal data to explore other legal avenues for redress other than the ARP in order to obtain maximum private-law based remedies.

Analysis on the Arbitrability of Data Privacy Disputes in Nigeria

As earlier stated in this article, arbitration under the ACA as a dispute resolution method is only available to commercial disputes. On this basis, it is imperative to first determine whether a data privacy dispute qualifies as a commercial dispute within the context of the ACA in order to draw an informed conclusion on the arbitrability or otherwise of data privacy disputes. From a review of the list of commercial relationships enumerated in the definition of commercial under the ACA as reproduced earlier in this article, data privacy is evidently missing. However, it bears noting that the list is non-exhaustive since the ACA makes use of the qualifying word "including" when outlining commercial relationships. Consequently, the omission of data privacy from the list of commercial relationship does not conclusively imply that data privacy dispute is outside the contemplation of the Act and therefore un-arbitrable. Be that as it may, in light of the fact that the ACA expressly defines commercial as all relationships of a commercial nature, it will be useful to undertake an inquiry of what a commercial relationship is, in order to determine whether a data privacy agreement such as a privacy policy qualifies as a commercial relationship.

The Cambridge Dictionary defines commercial as "related to making money by buying and selling things".¹³ In similar vein, Investopedia, an online business encyclopaedia, defines commercial to mean activities of commerce – business operations to earn profits.¹⁴ It also defined commercial activity as an activity intended for exchange in the market to earn an economic profit. Flowing from these definitions, a commercial relationship can be defined as a relationship that entails the exchange of value for profit between parties. Instructively, data is undoubtedly one of the most valuable commodities globally and this is easily illustrated by the sheer number of data processing companies in the list of the most valuable and capitalised companies in the world today. To this end, data which forms the subject matter of data privacy relationships is indeed a commodity capable of being exchanged for value and as such data privacy relationships should constitute a commercial relationship. In effect, a privacy policy between a data controller and a data subject is a commercial relationship since it is provides for the terms for use and mining of a data subject's data, mostly in exchange for value or some other benefits as may be agreed between parties such as access and use of online apps.

However, the foregoing represents just a part of the analysis particularly in light of the peculiar nature of the data privacy rights. As earlier mentioned in this article, the rights of a data subject under the NDPR are analogous to the right to privacy under Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended). Consequently, it is expedient to examine the implications of the constitutional nature of the right to data privacy and how these impacts on the arbitrability on data privacy disputes.

Section 46 (1) & (2) of the Constitution provides as follows:

These provisions suggest that since data protection rights are credited to the revered provisions of Section 37 of the Constitution, then the appropriate and lawful forum for redress is either the High Court or National Industrial Court where applicable.

In the case of Emerging Markets Telecommunication Services Ltd v Eneye (2018) LPELR-46193 (CA), the appellant had argued that in light of the dispute resolution mechanism provided under the Nigerian Telecommunications Act 2003, the high court had no jurisdiction to entertain the suit without first recourse to the dispute resolution mechanism prescribed under the said Act. However, the Court of Appeal in its decision rejected the argument of the appellant and held that considering the supremacy of the constitution over the Nigerian Communication Act, the provisions of the Act cannot apply to defeat the original jurisdiction of the High Court conferred under Section 46(2) of the 1999 Constitution or to prevent an application to enforce fundamental right brought in the exercise of the right given to a person under Section 46(1) of the 1999 Constitution. Going further and relying on the case of Aqua Ltd v Ondo State Sports Council (1988) LPELR-527(SC), the court likewise held that a right vested on a person by the Constitution cannot be taken away by an Act of National Assembly or any other Law and a jurisdiction vested by the Constitution cannot be curtailed or ousted by any other law.

Crucially, the Supreme Court in the cases of Western Steel Works Ltd & Anor Vs Iron & Steel Workers Union of Nigeria & Ors (1982) 2 SCN 1 and Nigerian Army Vs Yakubu (2013) 2 SCNJ 268 made very clarifying and useful pronouncements in the context of this discourse, to the effect that where jurisdiction is conferred on Court by the Constitution, such jurisdiction is not subject to the whims of any other quasi-judicial body or outfit.

On the basis of the foregoing authorities, it is safe to conclude that the jurisdiction of both the Federal High Court and the State High Court and lately the National Industrial Court in relation to disputes arising from the breach of data privacy rights is sacrosanct being a derivative right from the right of privacy provided under section 43 of the Constitution. What this means in effect is that parties cannot by agreement divest the High Court of its original jurisdiction to entertain data privacy disputes in derogation of the express provisions of the Constitution.

Against the backdrop of the foregoing, it is imperative to examine generally the implications of an arbitration clause particularly whether or not an arbitration clause in a privacy policy serves to divest the High Court of its jurisdiction. This is because the outcome of this inquiry would determine whether such clauses are constitutional in which case enforceable, or unconstitutional in which case unenforceable. Ultimately, the conclusions reached will give clarity on the arbitrability of data privacy disputes in Nigeria.

Our jurisprudence is replete with judicial decisions by various levels of courts over the years interpreting the import and ramification of an arbitration clause in an agreement executed parties.¹⁵ These decisions consistently align on the narrow question of whether an arbitration clause ousts the court of its jurisdiction.

In Obembe v. Wemabod Estate (1977) LPELR -2161(SC), the Supreme Court in its decision on the effect of an arbitration clause on the jurisdiction of the court held as follows:

Furthermore, the Supreme Court in the case of Scheep & Anor v MV (2000) LPELR- 1866 (SC) affirming the above decision held thus:

Incisively, in Celtel Nigeria B.V. v. Econet Wireless Ltd (2014) LPELR (22430) 1 at 58 the Court of Appeal per Ikyegh, JCA held as follows:

Similar pronouncements were made by the Supreme Court in the case of City Engineering (Nig) Ltd v FHA (1997) LPELR-868 (SC).

From the generality of judicial authorities on this subject a few of which are quoted above, it is clear that an arbitration clause in a privacy policy does not oust the jurisdiction of the court and as such is not inconsistent with the provisions of Sections 37, and 46 (1) & (2) of the Constitution as amended. This invariably means that parties to an arbitration clause may elect to approach the High Court for adjudication of disputes arising from a breach of data privacy rights notwithstanding their agreement to submit to arbitration. In such cases, it will rightly be within the court's jurisdiction to entertain the action. However, should a party wish to enforce the existing agreement of parties to submit to arbitration, such a party may only do so by applying to the court for a stay of proceedings under Section 5 ACA rather than vainly challenging the jurisdiction of the court.

Judicial credence for this position was provided in Fawehinmi Construction Co. Ltd. V O.A.U (1998) LPELR1256 (SC), where the Supreme Court held that:

The Court of Appeal in the case of Transocean Shipping Ventures Private Limited v MV Sea Sterling (2018) LPELR-45108 (CA) also made apt pronouncements on the approach of the courts to objections raised by a defendant on the non-submission of the claimant to arbitration as agreed:

From the decision of the Court of Appeal quoted above, it becomes apparent that a complementary rationale for the courts granting a stay of proceedings pending arbitration in addition to the statutory basis provided under Section 5 of the ACA, is to give effect to the arbitration clause in the contract between the parties. This is because the courts generally give due regard and serious consideration to the voluntary contract of parties by enforcing the terms of their contract (including the arbitration clause) as agreed to by them. This rudimentary principle of law in respect of contracts and agreements is expressed in the Latin maxim pacta conventa qua neque contro leges neque dolo malo inita sunt omni modo observanda sunt, more commonly expressed as pacta sunt servanda, meaning that agreements which are neither contrary to the law nor fraudulently entered into should be adhered to in every manner and in every detail. A corollary of this principle is that the court will not assist a party breach the terms of his contract nor incentivize a party's breach of his contract.¹⁶

It should however be noted that the power of the court to stay proceedings in an action pending before it upon application by a party to an arbitration clause is discretionary, and the court is not duty bound to grant same. Accordingly, the court may if the circumstances so demand and in deserving cases, refuse an application for stay of proceedings and proceed with the hearing of the data privacy dispute before it notwithstanding the agreement of parties to submit to arbitration under the arbitration clause. In fact, section 5 of the ACA requires a defendant to file an application for stay of proceedings at any time after appearance and before delivering any pleadings or taking any other steps in the proceedings, and failure to comply with this requirement may be considered a waiver of his submission to arbitration under the arbitration clause.

Perspectives from the GDPR

On the heels of the EU Data Protection Regulations 2018 (GDPR), NITDA issued the NDPR in 2019 on the use and protection of personal data of Nigerians. Notably, the NDPR is modelled after the GDPR and replicates some of the provisions of the GDPR. In this respect, the NDPR and the GDPR share several similarities as they both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share personal data, whether the information is obtained online or offline. Yet, there are differences between both regulations and one of such is their respective provisions on remedy for breach of Data Protection. Unlike the NDPR, the GDPR is elaborate in its provisions on this subject and is not averse to the idea of arbitration.

It is interesting to point out that Article 79 (1) GDPR expressly recognise "any non-judicial remedy", thereby showing the potential importance of this type of remedy for enforcing the rights of data subjects under the GDPR. Article 79 (1) of the GDPR is reproduced below:

Similarly, Article 40 (1) GDPR encourages the drawing up of codes of conduct intended to contribute to the proper application of the Regulation, by providing more specifically in Article 40(2)(k) GDPR for out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects.

It may be argued that the title ("Right to an effective judicial remedy against a controller or processor") and the wording of Art. 79 GDPR suggest that the "right to an effective judicial remedy" is mandatory and thus cannot be waived by submitting such disputes to arbitration. However, it is reasonable to presume that the parties in dispute, i.e. the data controllers and the data subjects, have the freedom to decide to solve their personal data dispute by submitting it to a "non-judicial remedy" and specifically to arbitration. More so, there are no indications that data disputes under the GDPR are generally and by their very nature non-arbitrable subject matters.

Conclusion

Given the increased media and public attention to data privacy issues largely informed by the concerted efforts to enact the Data Protection Bill into law, as well as the reinvented drive by NITDA to ensure compliance and respect for Privacy and Data Protection in Nigeria, it is not unlikely that data disputes will be on the rise. It is indeed projected that data disputes and more generally disputes with or connected to online platforms will grow significantly especially due to the boom in digital activities arising from lockdowns and other restrictions that were imposed during the peak of the Covid 19 pandemic. This implies that our already burdened judiciary will potentially become overwhelmed with cases for the determination of privacy rights, data protection and obligations of parties.

For this reason, it is imperative to explore and give due consideration to alternative dispute resolution mechanisms that can be adapted to address the potential rise in data disputes. In this context, arbitration, and mediation or other types of alternative dispute resolution methods can be a very useful alternative for settling data disputes. However, there appears to be some sort of ambiguity and uncertainty on the arbitrability of data privacy disputes in view of the constitutional connotations on data privacy right. With the thorough analysis presented in this article on this hitherto abstruse subject, it is hoped that the clarity provided herein will in turn pave the way for increased adoption of arbitration in the resolution of data privacy dispute.

Footnotes

1 Ademola Adeyoju 'A Quick Guide on the Data Protection Regime in Nigeria' (2020) SSRN-id3522188.pdf Accessed on March 7, 2022.

2 With the exception of Lagos State which has its own arbitration law, the Lagos State Arbitration Law, 2009 (LSAL)

3 See the preamble of the ACA

4 See definition of "Commercial" under section 57 of the Act

5 United World Ltd Inc v MTS (1998) 10 NWLR 106

6 STA Law Firm 'United Arab Emirates: Overview: Arbitration Proceedings in Nigeria' – Mondaq 13 June 2019 https://www.mondaq.com/arbitration-dispute-resolution/814570/overview-arbitration-proceedings-in-nigeria Accessed March 8, 2022.

7 Esso Petroleum and Production Nigeria Ltd& SNEPCO vs. NNPC Unreported Appeal No. CA/A/507/2012; delivered on 22nd July, 2016

8 Shell (Nig.) Exploration and Production Ltd & 3 others vs. Federal Inland Revenue Service Unreported Appeal No. CA/A/208/2012; delivered on 31st August 2016.

9 (1990) 4 NWLR (Pt. 142) 1 at page 33 paragraphs A – B

10 Mekwunye V. Lotus Capital Ltd & Ors. (2018) LPELR-45546(CA)

11 Paragraph 4.2 of the NDPR

12 Section 17 of the NITDA Act and Paragraph 2.10 of the NDPR

13 Available at https://dictinonary.cambridge.org/dictionary/english/commercial

14 Available at www.investopedia.com/terms/c/commercial.asp

15 See Mekwunye v Lotus Capital Ltd & ors. (2018) LPELR-45546 (CA), Oyo State Government v Mogoke Ventures (Nig) Ltd (2015) LPELR -41731 (CA)

16 See Chief of Defence Staff & anor v Tijah (2016) LPELR-40818 (CA)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.