Prince Ebeano Supermarket Faces Legal Action For Data Privacy Breaches, Alleged Non-Compliance with Data Protection Act On Website – TheNigeriaLawyer

Olumide Babalola, a distinguished legal advocate specializing in digital rights, privacy, and data protection, has initiated legal proceedings against Prince Ebeano Supermarket, a prominent retail chain in Nigeria, in response to a recent data breach incident. With a reputation for championing digital rights within Nigeria, Babalola’s action highlights concerns surrounding the lack of awareness about data protection responsibilities among businesses and consumers, as well as the hesitancy of Nigerian citizens to address privacy violations through legal channels.

Babalola’s legal action serves as a robust response to these challenges, directing attention to the urgent need for enhanced privacy safeguards within the nation. Notably, he underscores the disconcerting reality that privacy rights, while inherently essential, are rarely litigated in Nigeria. This situation, highlighted in Privacy International’s Stakeholder Report, has prompted Babalola to assert the necessity for a transformative shift in prioritizing citizens’ privacy rights and overall protection.

The recent data breach incident involving Prince Ebeano Supermarket intensifies the urgency of the matter. In the preceding week, the retail giant discreetly disclosed a breach that compromised the customer database at its Lekki outlets. As a result of the breach, disruptions were experienced in customers’ access to loyalty points and other vital services.

Olumide Babalola, who himself is a patron of Prince Ebeano Supermarket, swiftly reacted to the breach by launching an inquiry into the supermarket’s adherence to data protection regulations. His investigation uncovered disconcerting revelations about the supermarket’s data processing practices, notably the absence of transparency. The lack of a privacy notice on the supermarket’s website raised concerns about potential unfair data processing practices. Furthermore, Babalola’s research unveiled a significant lapse in the supermarket’s commitment to data protection, including the absence of a data protection compliance audit since 2019 and the lack of a designated data protection officer to address public queries about privacy practices.

As this legal action unfolds, its implications are poised to reverberate throughout the landscape of data privacy in Nigeria. Babalola’s proactive stance not only seeks accountability from Prince Ebeano Supermarket but also endeavors to inspire a broader movement among businesses to prioritize data protection in a rapidly digitizing world.

Consequently, on the 9th day of August 2023, he approached the High Court of Lagos State, seeking redress through the following legal measures:

  • A DECLARATION that the Respondents’ collection and storage of the Applicant’s personal data in a database with (undisclosed) software without his consent or due information on data security interferes and/or is likely to further interfere with the Applicant’s right to privacy guaranteed under section 37 of the Constitution of the Federal Republic of Nigeria, 1999.
  • A DECLARATION that the Respondents’ processing of Applicant’s personal data without compliance with the provisions of the Nigeria Data Protection Act, 2023 and Nigeria Data Protection Regulation 2019 constitutes an interference with the Applicant’s right to privacy guaranteed by section 37 of the Constitution of the Federal Republic of Nigeria, 1999.
  • A DECLARATION that the Respondents have admitted a personal data breach by virtue of the notice pasted at the Respondents’ business premises thus: “Dear Esteemed Customers, Kindly note that due to a system error during software upgrade which affected our client database. We are currently not able to add points, all accumulated points will be redeemable once we are able to resolve the issue.”
  • A DECLARATION that the Respondents’ collection and storage of the Applicant’s personal data in a database with an (undisclosed) software violates the principle of transparency provided under section 24(1)(a) of the Nigeria Data Protection Act, 2023.
  • A DECLARATION that the Respondents’ collection and storage of the Applicant’s personal data in a database with an (undisclosed) software breaches the Respondents’ obligations to provide adequate information to the Applicant at the time of collection of his personal data in contravention of section 27(1) of the Nigeria Data Protection Act, 2023.
  • A DECLARATION that the omission or lack of a privacy policy on the Respondents’ website – https://princeebeano.com violates the express provision of section 27(3) of the Nigeria Data Protection Act, 2023.
  • A DECLARATION that the Respondents’ omission to inform its customers of the personal data breach suffered by its database software through national dailies or social media constitutes a violation of its duty under section 40(3) of the Nigeria Data Protection Act, 2023.
  • A DECLARATION that the Respondents’ omission to inform the Nigeria Data Protection Commission of the personal data breach suffered by its database software within 72 hours of its discovery constitutes a violation of its duty under section 40(2) of the Nigeria Data Protection Act, 2023.
  • A DECLARATION that the Respondents’ omission to file a data protection compliance audit since 2020 is a violation of the provision of article 4.1(7) of the Nigeria Data Protection Regulation 2019.
  • A DECLARATION that by virtue of section 53(2) of the Nigeria Data Protection Act, 2023, the Respondents and their business entity are vicariously liable for the data breach suffered by Prince Ebeano Supermarket.
  • PERPETUAL INJUNCTION restraining the Respondent from further processing (storing and using) the Applicant’s personal data without compliance with the provisions of the Nigeria Data Protection Act, 2023 and Nigeria Data Protection Regulation 2019.

While the new suit awaits assignment to a Judge in the jurisdiction, it is hoped that, as many Nigerian businesses continue to integrate technology into their processes, they will not only prioritize citizens’ privacy and data protection concerns but will also stop treating personal data breaches with kid gloves.
