Tokunbo Olatokun wanted two things: to close his account and stop receiving marketing emails from Polaris Bank. Instead, his inbox stayed cluttered, and his instructions were ignored.
Represented by law firm, Olumide Babalola LP (OBLP), Olatokun sought redress, alleging a blatant disregard for his fundamental right to privacy under Nigerian law.
Months later, the Lagos State High Court ruled that the bank’s actions weren’t just negligent—they were illegal.
In a landmark decision, the court found Polaris Bank in violation of several provisions of the Nigeria Data Protection Act and Section 37 of the Nigerian Constitution, which guarantees individuals’ right to privacy. This includes the right to object to data processing and the right to restrict further use of their data.
The court ordered the bank to cease sending unsolicited emails to Olatokun and awarded ₦1 million in general damages for the violations, emphasising that the bank’s failure to respect the applicant’s explicit instructions constituted an infringement of his privacy rights.
Polaris Bank raised several arguments in its defence, including that the marketing emails sent to the applicant were prescheduled and part of generic communications.
The court rejected this, stating that the bank had an obligation to act promptly on the applicant’s explicit instructions to stop receiving emails, which he made as early as March 13, 2024, and reiterated formally on April 9, 2024.
The bank also pointed to the opt-out mechanisms included in its emails, arguing that recipients could unsubscribe at any time. However, the court dismissed this defence, emphasising that the applicant’s objection to further communications made reliance on opt-out provisions irrelevant.
Additionally, Polaris Bank cited the Central Bank of Nigeria’s (CBN) Consumer Protection Framework, which permits unsolicited communications with opt-out options. The court ruled that these guidelines could not override the Nigeria Data Protection Act or the express instructions of a customer.
While the court found Polaris Bank’s privacy policy substantially compliant with transparency requirements under the NDP Act, it noted that the bank’s operational practices did not align with the policy’s commitments. The applicant continued to receive unsolicited emails through August 17, 2024, months after his formal objections and even after initiating legal action.
Speaking exclusively to Web Security Lab, Olumide Babalola, Managing Partner at OBLP, highlighted the broader implications of the case:
“While Nigeria has a Data Protection law in place, its practical enforcement has been inconsistent. The judgment could signal a stronger judicial commitment to holding organisations accountable for violating individuals’ data rights. The decision demonstrates that courts are now increasingly willing to uphold consumer protection in the data space.”
Babalola emphasised that the ruling sends a clear message to businesses, particularly financial institutions, about the consequences of failing to respect customers’ data rights:
“This judgment underscores the fact that businesses are legally required to respect customers’ wishes about their personal information, and failure to do so can result in legal action. This could encourage companies to adopt more robust data protection practices and ensure they comply with consumer requests regarding their data.”
In 2024, the Nigeria Data Protection Commission (NDPC) imposed significant fines on several organisations found to violate the Nigeria Data Protection Act.
This court ruling is consistent with the broader push towards stricter enforcement of the Act, signalling that data privacy compliance is no longer optional for businesses operating in Nigeria.
Web Security Lab reached out to Polaris Bank for comments regarding the judgment and its implications. At the time of publication, the bank had not responded to the request.
