By John Walubengo
ABUJA, Nigeria: In a ruling that has sparked debate over privacy rights and data protection, the Federal High Court of Nigeria, on April 19, 2023, sided with True Software Scandinavia AB, the creators of the TrueCaller app, and the National Information Technology Development Agency (NITDA), in a case that questioned the extent of privacy rights under current laws.
In a class suit filed by Olumide Babalola LP and Olasunkanmi Bello, representing a concerned group of non-users of the TrueCaller app, the lawsuit accused TrueCaller of infringing on privacy rights through the unauthorised collection, storage, and processing of personal data.
The plaintiffs argued that such actions violated the constitutional right to privacy and the Nigeria Data Protection Regulation 2019 (NDPR), seeking not only a declaration of rights infringement but also a perpetual injunction against TrueCaller’s data processing activities without explicit consent, alongside a punitive fine levied by NITDA.
In its defence, TrueCaller contested the allegations by asserting that its mobile app functions based on user consent, denying any unauthorised access to or harvesting of contacts.
The company also argued that its services enhance user safety by identifying unknown callers, positioning itself within the public interest sphere protected by the constitution.
Who is the Data Controller?
Additionally, TrueCaller argued that registered users of TrueCaller decide to allow their app to upload contacts from their address book.
As such, registered True Caller users are the data controllers and should subsequently shoulder the corresponding privacy obligations—not TrueCaller Developers or the Company.
Hon. Justice J.K. Omotosho’s judgment thus dismissed the lawsuit, concluding that the plaintiffs failed to prove any breach of privacy rights by TrueCaller convincingly. The court’s decision underscored that TrueCaller’s operation, which relies on users’ consent to access their contacts, falls within legal boundaries.
Privacy advocates have criticised the outcome as a setback for data protection efforts. It underscores potential legal protections against unauthorised data collection and processing vulnerabilities.
Critics argue that the ruling may encourage tech companies to exploit personal data under the guise of subscribed user consent rather than actual data subjects’ consent, thereby eroding privacy rights.
Privacy by Design
Whereas the Hon Judge may be right in concluding that the TrueCaller, in this case, was not a Data Controller, but the subscribed TrueCaller users were, he failed to observe that TrueCaller was a Data Processor in this case and is therefore obligated to respect privacy laws – just like the Data Controller.
At the least, by design, TrueCaller Software Company should be obligated to trigger an alert to unsubscribed users each time a TrueCaller subscriber tries to expose them to TrueCaller Software to prompt and obtain the corresponding explicit consent.
The case has highlighted the challenges in balancing technological advancement against individual privacy rights, indicating a need for more robust regulatory frameworks and explicit consent mechanisms to protect personal data in the digital age.
This ruling is a stark reminder of the ongoing battle for data privacy and the complexities of safeguarding personal information against misuse.
John Walubengo is an ICT Lecturer and Consultant. @jwalu.
RELATED
Kenya: Putting Data Privacy at the Heart of the Debate
