CORAM: HER HONOUR JUDGE SEDINAM AWO KWADAM (MRS.), SITTING AT THE CIRCUIT COURT 2, ADENTAN, ACCRA ON THE 18TH DAY OF SEPTEMBER, 2024
SUIT NO. C11/003/2023
JUSTICE NOAH ADADE PLAINTIFF
GD-263-9295-63A
ODAMETEY ROAD NMAI DJORN
VRS.
1. BOLT GHANA LIMITED DEFENDANTS
NO. 10 KOFI DZATA STREET
ODEL HEIGHTS – FORMER BEDMATE BUILDING
DZORWULU – ACCRA
2. BOLT HOLDINGS OU
ACCRA
PLAINTIFF ………………………. PRESENT
DEFENDANTS ………………………. ABSENT
SYDNEY ANTONIO, ESQ. HOLDING BRIEF FOR ENOCH DEEGBE, ESQ. PRESENT FOR PLAINTIFF
EMMANUEL AGYARKO, MINTAH, ESQ. HOLDING BRIEF FOR GWENDY BANNERMAN, ESQ.
PRESENT FOR 2ND DEFENDANT
FULL JUDGMENT
Introduction
“How you gather, manage, and use information will determine whether you win or lose” – Bill Gates.
This quote is particularly relevant in the context of data breach lawsuits. In such cases, the way a company handles data which belong to other people but is under its control or in its possession can significantly impact the outcome of legal proceedings, which can result in severe financial and reputational damage, demonstrating how poor data management can lead to significant losses.
Suppose this happens; you order a ride on the ride-hailing App on your smart device only to be staring at a picture of yourself, as well as your details as indicated on your driver’s licence. You think it is a mistake, perhaps an algorithm glitch, but the photograph and details do not change. Lo and behold, you are the driver you just hailed on your ride-hailing App, yet you have never registered as a driver on the said ride-hailing App or any other ride-hailing App for that matter.
This is the shocking and disconcerting situation in which the Plaintiff in this suit, found himself on August 1, 2022.
According to the Amended Writ of Summons and Statement of Claim issued in this court on the 16th day of December 2022, for and on behalf of the Plaintiff by his lawyers, the Plaintiff found his photograph and personal details on the Second Defendant’s (Hereinafter referred to as D2’s) ride-hailing App known as Bolt, when he hailed a ride on 1st August 2022. To his utter shock, when the vehicle arrived to pick him up, the actual driver of the said vehicle was very known to the Plaintiff. It was one of his employees by name, Peter Walker who was seated behind the steering wheel of the said vehicle.
Upon confronting Peter Walker, the said employee, it was revealed that he had stolen the identification documents of the Plaintiff, his boss, and used those details including Plaintiff’s photograph and driver’s licence to successfully register himself as a driver on the ride hailing App, Bolt.
According to the Plaintiff, he contacted D2 about this event. D2 assured Plaintiff that they had deleted the profile created on the Bolt App with the details of the Plaintiff and that it had further reported the incident to the Ghana Police Service for appropriate action to be taken. D2 asked the Plaintiff to cooperate with the police in the event that he was contacted with regards to the incident.
The Plaintiff instigated internal measures against Walker and terminated his employment as a result of the findings made against him. However, after failed correspondence with D2, the Plaintiff instituted the instant suit.
PRELIMINARY PROCEEDINGS
The issue of Misjoinder and Joinder:
The 1st Defendant through its lawyer who is currently lawyer for the 2nd Defendant applied to be misjoined as an unnecessary party to the suit. The court however, decided otherwise and suo motu joined the 2nd defendant to the suit and maintained the 1st Defendant in order to unravel from the trial, which of the two Defendants undertook the registration of the Plaintiff’s profile as a driver on the Bolt App.
Interestingly, learned Counsel who at the time represented the 1st Defendant, suddenly withdrew her representation and became Counsel for the 2nd Defendant for the pendency of the trial.
The joinder of the 2nd Defendant to the suit was necessitated as a result of revelations made during the hearing of the 1st Defendant’s misjoinder Application to the effect that the registration of prospective Bolt drivers and the processing of the Data they upload during the process of registration is undertaken by the 2nd Defendant.
In consequence, the Court deemed D2 a necessary and indispensable party to the suit. Thus, the Order for Joinder.
Subsequently, the Plaintiff filed an Amended Writ of Summons with the following reliefs indorsed thereon;
a) A declaration that the Defendants have been negligent,
b) A declaration that the Defendants have breached the Data Protection Law relative to the Plaintiff,
c) An order for compensation in the sum of GH¢2,000,000.00 directed at the Defendant either jointly or severally in favour of the Plaintiff,
d) An order directed at the Second Defendant to delete the personal data of the Plaintiff from its database,
e) Costs including solicitor’s fees, and
f) Any other relief(s) the court may deem fit.
ISSUES FOR TRIAL
Both the Plaintiff’s and D2’s lawyers filed Memoranda of suggested issues for the trial. The Court on 11th May 2023, set down the issues for trial (see the record of proceedings of 11/05/2023).
However, the issues set down by this court on 11/05/2023 shall be determined under the following questions;
1) Whether or not D2 as a support office for Data Protection purposes for Bolt Operations OU, who are the operators and owners of the ride-hailing App known as Bolt, is liable per the Plaintiff’s Amended Writ of Summons and Statement of Claim.
2) Whether or not D2 is vicariously liable for the conduct of its drivers, specifically the conduct of Peter Walker.
3) Whether or not D2 has been negligent with respect to the Plaintiff.
4) Whether or not D2 has breached the Data Protection Act/Law with respect to the Plaintiff.
5) Whether or not the Plaintiff is liable for negligence with respect to the theft of his identity.
6) Whether or not the Plaintiff colluded with or abetted his impersonator.
7) Whether or not the Plaintiff is entitled to compensation as claimed.
THE GENERAL LAW ON PROOF IN CIVIL LITIGATION
It is trite law that he who asserts must prove. Therefore, for both the Plaintiff and 2nd Defendant, the burden of persuasion they each bear, is discharged by each leading sufficient evidence to prove the existence or non-existence of each fact asserted, which is essential to their claim or defence, where applicable.
Further, it is the duty of the party claiming that a party is guilty of a wrongdoing or crime to persuade the court as to that claim. This burden of persuasion in civil suits, is thus, discharged with proof by the preponderance of the probabilities.
Proof by the preponderance of the probabilities means, that degree of certainty of belief in the mind of the tribunal of fact or the court by which it is convinced that the existence of a fact is more probable than its non-existence.
In this suit therefore, the parties in proving their claims and defence must be guided by these rules.
Refer to the following legal authorities for further understanding on proof in civil cases;
1) Sections 10(1), 11(1) and (4), 12, 14, 15 of the Evidence Act, 1975 (NRCD 323)
2) International Ram Ltd. Vrs. Vodafone Ghana Ltd & 2 Ors [2016] JELR 64 2227 (SC)
3) Zambrama Vrs. Segbedzi [1991] 2 GLR 221
4) Re Ashaley Botwe Lands; Adjetey Agbosu & Ors. Vrs. Kotey & Ors [2003-2004] SCGLR 420
5) Okudzeto Ablakwa (No. 2) Vrs. Attorney General & Anor [2012] 2 SCGLR 845 at 867.
6) Ababio Vrs. Akwesi III [1994-1995] GBR part II, 74.
7) Dan Ackah Vrs. Pergah Transport Ltd [2010] SCGLR 731
THE EVIDENCE PRESENTED BY THE PLAINTIFF
The Plaintiff and his witness (Hereinafter referred to as PW1) presented the Plaintiff’s evidence to this court through their Witness Statements.
The totality of their evidence may be accurately summed up as follows;
1) The Plaintiff is the Co-founder and Chief Executive Officer of Glydetek Group, a software house, systems integrator and financial technology provider, which offers software solutions to its clients who are primarily in the financial sector.
2) On 1st August 2022, the Plaintiff took several trips using the Bolt App, which was installed on his phone. During his fourth ride of the day, the Plaintiff noticed something unusual: the driver assigned to pick him up had a profile bearing the Plaintiff’s name and photograph.
3) Upon the driver’s eventual arrival to pick up the Plaintiff, it turned out that the person behind the wheel was none other than the Plaintiff’s own employee, Peter Walker. Remarkably, the vehicle the Plaintiff had hailed displayed a profile featuring the Plaintiff’s name and photograph as its designated driver.
4) Upon being confronted, Peter Walker alleged that there must have been an error because he had used the laptop provided by Glydetek, the software company where he worked, to register as a Bolt driver. Subsequent investigation revealed that the laptop contained photographs of both the Plaintiff’s driver’s license and that of another employee, Samuel Kodjo Adjetey.
5) Despite Peter’s plea for forgiveness, he was ultimately dismissed due to his conduct. Interestingly, he remained tight-lipped about the actual number of trips he had taken as a Bolt driver while using the Plaintiff’s identity.
6) Concerned about the potential misuse of his identity, the Plaintiff reached out to Bolt and other ride-hailing platforms to inquire whether Peter had registered with them. The investigation revealed that only the Bolt platform had the Plaintiff’s personal details associated with Peter as a driver.
7) In paragraph 18 of his witness statement, the Plaintiff listed several companies for whom his company, Glydetek, provides software solutions. These companies include First Atlantic Bank, Letshego Ghana, Jospong Group, Bestpoint Savings and Loans, Bidvest Microfinance, Gidan Capital, Service Integrity Savings and Loans, and Abii National Savings and Loans. The Plaintiff contends that Glydetek experienced a general downturn in its business fortunes during the period when his identity was working as a driver on the Bolt platform. Notably, certain projects, some valued at hundreds of thousands of dollars, experienced mysterious delays and frustration. Further investigation revealed that some of these project setbacks were linked to due diligence processes conducted by the organizations.
8) The Plaintiff contends that in the business world, a company like Glydetek Group, whose CEO also moonlights as a Bolt driver would not typically secure contracts worth hundreds of thousands of dollars within Ghana’s Financial Sector.
9) The Plaintiff sought redress from D2 without success. Although D2 denied liability for the incident, it assured the plaintiff that it had reported the incident to the Ghana Police Service for investigation and further actions. D2 also requested that the plaintiff cooperates with the police when contacted.
10) The Plaintiff contends that the incident significantly impaired his state of mind, resulting in emotional and psychological trauma.
11) The Plaintiff presented the following evidence in support of his case;
a) Exhibit A Series – Glydetek Group Ltd’s Company Registration Documents.
b) Exhibit B – A Photograph of Bolt Driver Profile. This photograph depicts the Plaintiff as a driver of a Toyota Belta GR-2050-22. Notably, it shows the Plaintiff arriving within 3 minutes to pick up a passenger, charging a fare of GH¢15.00.
c) Exhibit C – A Letter of Peter Walker’s Interdiction.
d) Exhibit D – Peter Walker’s Dismissal Letter. The dismissal letter further implicates Peter Walker.
e) Exhibit E – Plaintiff’s Request for Information from D2 and other Ride-Hailing Apps. This evidence suggests that the Plaintiff sought information from D2 and other similar platforms.
f) Exhibit F – Plaintiff’s Appointments as Chairman, highlighting the Plaintiff’s professional roles, specifically as Chairman of the Advisory Board for the Banking and Finance Department at Kumasi Technical University.
g) Exhibit G Series – Plaintiff’s Demand Letters to Bolt.
h) Exhibit H Series – D2’s Responses to Plaintiff’s Demand Letters.
i) Exhibit J – D2’s Petition to Ghana Police Service requesting an investigation into the Plaintiff’s alleged impersonation on the Bolt App.
12) PW1, Philip Amano, who is the Co-Founder and Chief Technical Officer of Glydetek confirmed that Peter Walker’s employment had been terminated after investigations conducted by Glydetek.
13) The Plaintiff thus prayed the court for the reliefs indorsed on the Amended Writ of Summons and Statement of Claim.
NOTES FROM THE CROSS-EXAMINATION OF PLAINTIFF
The court took the following notes out of the Defence’s cross examination of the Plaintiff and PW1;
1) The Plaintiff is an expert in the IT world of business and should possess working knowledge on how to protect his personal data.
2) D2 argued that the Plaintiff’s negligence regarding the safety of his personal data led to Peter Walker using the Plaintiff’s details to register as a driver on the Bolt platform. Therefore, the plaintiff had knowledge of the fact that Peter Walker had been using his (Plaintiff’s) details to drive using the Bolt platform.
3) D2 further contended that the Plaintiff’s acquiescence (i.e., not objecting to or reporting the impersonation) was the reason for not involving the Ghana Police in the case.
4) D2 contended that the Plaintiff, despite the ongoing legal proceedings, continues to hold positions as a Lecturer and Board Chairman at the Kumasi Technical University.
5) There is no proof on record of any nexus between the Plaintiff’s profile on the Bolt App (where he is listed as a driver) to any financial loss or project delays experienced by his company, Glydetek. D2 considers the Plaintiff’s claim of financial harm as speculative. Essentially, D2 insists that just because the Plaintiff’s details drive for Bolt does not necessarily mean it impacted Glydetek’s business negatively.
6) Before the critical date of 1st August, 2022, the Plaintiff received a report from a friend about his Bolt App profile as a driver. However, he did not take any action because he did not believe the report.
7) The photograph displayed on the Plaintiff’s Bolt profile is the same as his WhatsApp display picture and the one found on the Glydetek website (refer to Exhibit B).
8) Peter Walker, who registered the Plaintiff’s details as a driver on the Bolt platform, initially explained that he mistakenly uploaded this photo from the office laptop during registration.
9) The Defence claims that the Plaintiff provided the photograph to Peter Walker intentionally. They also argue that Peter Walker could not have accessed the Plaintiff’s driver’s licence without the Plaintiff’s negligence and/or acquiescence.
10) The Plaintiff claims he did not report the impersonation incident to the police because D2 indicated that they had already taken action. However, D2 insists that the Plaintiff did not report the impersonation because he knew Peter Walker was using his details to earn a living as a Bolt driver.
11) Despite the impersonation incident, D2 contends that the Plaintiff’s reputation has not suffered. The Plaintiff still works as a lecturer at Kumasi Technical University, chairs the Advisory Board of the Banking and Finance Department, and his software is still being studied by students. D2 also argues that Kumasi Technical University students would not have encountered the Plaintiff’s Bolt profile since they likely use Kumasi drivers rather than Accra-based ones.
12) D2 insists that it would be unlikely for any student from Kumasi Technical University (located in Kumasi) to have hailed Peter Walker as a Bolt driver since as a Marketing Officer for Glydetek, he was based in Accra.
13) There was no official report from Glydetek’s business partners indicating adverse findings during their due diligence process related to Glydetek. Additionally, there is no evidence connecting the plaintiff’s Bolt driver profile to any loss of contracts or projects suffered by Glydetek.
14) D2 insists that the plaintiff colluded with Peter Walker to unjustly enrich himself. This allegation may explain why the plaintiff did not sue Peter Walker.
15) D2 confirms that they deactivated the profile created with the plaintiff’s details on the Bolt App and promptly took steps to address the situation.
16) PW1, the Chief Technology Officer (CTO) of Glydetek, chaired the committee that investigated Peter Walker after the incident. PW1 denies colluding with Peter Walker for unjust enrichment. He also confirms that Peter Walker’s contract was terminated due to his conduct. Interestingly, PW1 did not report the issue to the police or the Data Protection Commission.
THE EVIDENCE PRESENTED BY THE SECOND DEFENDANT
During the hearing, the Second Defendant (D2) presented a single witness, Mr. Enoch Amobire, an Operations Manager at Bolt Technologies, the parent company of D2’s Ghana branch. Mr. Amobire’s testimony, provided through a witness statement filed on 13th June 2023, included documentary evidence.
An accurate summary of the evidence DW1 presented is as follows;
1) DW1 is privy to the operations of the Bolt platform because D2 provides software support services for both Bolt Operations OU (the platform owner) and its Ghana branch.
2) The Plaintiff became a registered driver on the Bolt Platform on 7th July 2022. Importantly, this registration did not make the Plaintiff an employee of Bolt Operations OU.
3) The process of registration of a prospective driver who applies to becomes a driver on the Bolt platform or App is as follows;
i. Prospective drivers must upload personal documents, including a driver’s license and a passport-size photograph.
ii. DW1’s team verifies that the photograph matches the image on the submitted driver’s license.
iii. The driver’s license itself is further verified with the Driver and Vehicle Licensing Authority (DVLA) to confirm its authenticity.
iv. Additionally, vehicle documents (such as the Road Worthy Certificate and Insurance Certificate) are checked for authenticity to prevent forgery.
4) Based on the data uploaded by the Applicant (presumed to be the Plaintiff), DW1 followed the outlined verification, authentication, and registration process. As a result, the Plaintiff’s profile as a Bolt driver was successfully created on the Bolt Platform.
5) On 8th August, 2022, D2 received a demand letter from Plaintiff’s lawyers. The demand letter stated that the Plaintiff had discovered his profile as a Bolt driver on the Bolt platform, even though he had not signed up as a driver on the platform. The Plaintiff demanded a compensation package of GH¢200,000.00 in that letter. In response, D2 permanently deactivated the Plaintiff’s Bolt driver profile and submitted a petition to the Ghana Police Service for investigation.
6) D2 informed the Plaintiff about all the steps they had taken to address the situation.
7) DW1 blames the Plaintiff for granting access to his impersonator, which led to the unauthorized registration of plaintiff as a driver on the Bolt App. DW1 insists that D2 verified all the documents submitted by the Applicant before registering the profile.
8) It is noted that the Plaintiff did not report his impersonator to the police, and this, DW1 finds alarming.
9) D2 adduced the following pieces of documentary evidence;
i. Exhibit 1 – D2’s general terms and condition for Bolt Drivers.
ii. Exhibit 2 – Plaintiff’s driver’s licence.
iii. Exhibit 3 – D2’s Petition to Ghana Police.
iv. Exhibit 4 – D2’s response to Plaintiff’s demand letters.
v. Exhibit 5 – Plaintiff Demand letter.
vi. Exhibit 6 – D2’s further response to Plaintiff’s demand letter.
10) DW1 believes that the Plaintiff is not entitled to any of the reliefs indorsed on the Amended Writ of Summons and Statement of Claim.
NOTES FROM THE CROSS-EXAMINATION OF DW1
The following facts are noted from the totality of the cross examination of DW1.
1) When someone applies to become a Bolt driver, several documents are submitted for authentication. These typically include a photograph, driver’s license, and vehicle documents (such as insurance and roadworthy stickers). Notably, the verification process at the material time, did not include a liveliness identity verification step. In other words, while the submitted documents were verified for authenticity, there was not a specific process to verify that the applicant was in fact, the owner of the details uploaded.
2) D2 introduced a liveness identity verification process, commonly referred to as the “selfie verification check”, which was initially piloted in January 2023, approximately six months after the incident involving the Plaintiff came to light. By March 2024, the selfie identity verification process was fully rolled out for all prospective Bolt drivers. How does this selfie verification check work? Prospective drivers take a selfie using the Bolt App, then an API (Application Programming Interface), verifies this photograph against the driver’s license image and bio data held by the DVLA. This ensures the liveliness of the applicant, which in turn, proves that applicant is the same person and not a photograph or other spoof image of the person. It thus, verifies the liveliness of the applicant.
3) Interestingly, D2 does not verify whether the vehicle proposed for use as a Bolt ride actually belongs to the applicant. Instead, the focus is on verifying the authenticity of the roadworthy and insurance stickers uploaded by the driver during registration.
4) D2’s financial arrangement with Bolt drivers differs from a traditional employer-employee relationship. Drivers receive cash fares directly from passengers. D2 then deducts its 20% commission from these fares. Additionally, D2 receives payments via electronic payment options such as mobile money (momo) directly from passengers, deducts its 20% commission, then credits the driver with what is left of the fare.
5) When assessing applications, D2 considers the personal data submitted online by the applicant. In the Plaintiff’s case, the photograph submitted during registration was verified against the image on the driver’s license. D2 presumed that the applicant was indeed the same person whose image and details had been submitted for assessment.
6) DW1 emphasized that D2 adheres to industry standards and holds ISO certification. The subsequent implementation of the selfie (liveliness) identity verification step aligns with these standards.
7) DW1 confirms that D2 serves as both a data processor and a data controller, carrying statutory responsibilities.
8) DW1 admits that a data processor is prohibited from processing personal data without the individual’s prior consent.
9) DW1 further admits that D2 is legally obligated to collect the Plaintiff’s details directly from the Plaintiff.
10) DW1 insists that in 2022, D2 verified that the Plaintiff was the applicant by comparing the passport-size photograph uploaded.
11) DW1 admitted that the selfie identity verification step, introduced in January 2023 and fully rolled out by March 2024, confirms the true identity of driver applicants. An algorithm performs a liveliness check on the selfie taken via the Bolt App.
12) D2 initiated a petition to the police regarding an impersonation incident that occurred two years prior to July 2024. DW1 asserts that the Plaintiff should have followed up with a police report, but there is no awareness of any contact from the police since D2 lodged the petition.
DETERMINATION OF THE ISSUES EMANATING FROM THE PLEADINGS IN LIGHT OF THE EVIDENCE ON RECORD
Before determining the issues, a definition of key words, role of the Parties as well as other relevant players in the suit per Section 96 of the Data Protection Act, 2012 (Act 843), and their interrelationship shall suffice.
Per Section 96 of Act 843;
a) The Plaintiff herein is the Data Subject whose personal data was processed by D2 and is defined as an individual who is the subject of personal data.
b) Personal Data means data about an individual who can be identified;
i) from the data, or
ii) from the data or other information in the possession of, or likely to come into the possession of the data controller.
c) Data is defined as information which;
i) is processed by means of equipment operating automatically in response to instructions given for that purpose.
ii) is recorded with the intention that it should be processed by means of such equipment.
iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
iv) does not fall within (i), (ii) or (iii) but forms part of an accessible record.
d) Data Processor means any person other than an employee of a data controller who processes the data on behalf of a Data Controller.
e) Data Controller means a person who either alone or jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.
f) Processing means an operation or activity or set of operations by automatic or other means that concerns data or personal data and the;
i) collection, organization, adaptation or alteration of the information or data.
ii) retrieval, consultation or use of the information or data.
iii) disclosure of the information or data by transmission, dissemination, or other means available or
iv) alignment, combination blocking, erasure or destruction of the information or data.
g) Data Protection Principles mean the principles set out in Sections 17 to 26 of Act 843.
Therefore, the interrelationship of the parties and terms in this suit are captured as follows;
1) The Plaintiff is the owner of his personal data, which was submitted or uploaded by Peter Walker onto the Bolt platform. This data was processed by D2 during the registration process, which Peter Walker initiated in an attempt to become a Bolt driver using the Plaintiff’s personal information.
2) D2 is the Data Processor for Bolt Operations OU, the company that owns the Bolt platform/App where Peter Walker, the impersonator, submitted or uploaded the plaintiff’s digital personal data while attempting to register as a Bolt driver.
3) Bolt Operations OU serves as the Data Controller, while D2 processes personal data, including that of prospective drivers.
4) However, D2 and Bolt Operations OU are both data controllers by the nature of their activities or operations. This is confirmed by DW1 under oath.
5) The Bolt Platform/App serves as the digital platform for prospective Bolt drivers. Owned by Bolt Operations, it operates as a ride-hailing App where driver applicants submit their data. D2, the Data Processor, handles the registration process. Successful applicants become Bolt drivers with profiles on the platform, which is used by both drivers and passengers for transportation.
ISSUE 1
The appropriateness of the Second Defendant (D2) as a Party to this suit:
Initially, an Application was made to remove the First Defendant, D1, (who was the sole defendant at the time) from the suit. However, the court decided to maintain the First Defendant, D1, as a party and also join the Second Defendant, D2, to the suit. The court’s decision to join D2 was based on its authority under Order 4 Rule 5(2) of the High Court (Civil Procedures) Rules 2004, C.I. 47 (as amended).
D2 serves as the software system support provider for Bolt Operations OU.
Among its responsibilities is, processing the personal data submitted by prospective driver applicants who want to register as drivers on the Bolt App.
Specifically, D2 handles the digital personal data submitted by these prospective Bolt drivers.
Paragraphs 3 and 23 of D2’s Statement of Defence contain an unambiguous admission; D2 is the sole entity responsible for processing the digital personal data submitted via the Bolt App by prospective driver applicants. This admission pertains to the Plaintiff’s data as well, which was presumably submitted during the registration process.
D2 received and processed various digital documents related to the Plaintiff, including his passport-size photograph and driver’s license. Importantly, D2 verified the authenticity of this data and successfully registered the Applicant (presumably the Plaintiff) as a Bolt driver.
Given D2’s central role in data processing and its admission, the court must carefully consider whether D2’s presence as a party is appropriate.
The court will evaluate D2’s impact on the events leading to the lawsuit and whether its involvement is essential for a fair trial.
The Plaintiff contends that D2 negligently processed his personal digital data. This alleged negligence arises from D2’s failure to comply with the provisions of the Data Protection Act, 2012 (Act 843).
Specifically, the Plaintiff claims that;
1. D2 processed his data without obtaining his prior consent.
2. The personal data processed was never collected directly from him.
Undoubtedly, D2’s compliance with data protection laws is at the heart of the Plaintiff’s case. The Plaintiff’s grievance centers on D2 permitting the processing of his personal data as a prospective Bolt driver, even though he never requested such registration on the Bolt App.
All questions raised by the Plaintiff’s claim relate to the specific data processing activity carried out by D2 for the Bolt App. This data processing forms the core of the dispute.
Given the above, it is evident that D2 plays a significant role in the entirety of the Plaintiff’s claim. Therefore, D2 must address these allegations regarding data processing in order to defend the itself in the instant suit.
Finding:
In these circumstances, the court finds that the Second Defendant is an appropriate party to be sued by the Plaintiff in relation to the claims presented in the Amended Writ of Summons and Statement of Claim.
Holding:
The court thus holds that (D2), as the data processor for the Bolt ride-hailing platform/App, is an appropriate party to be included in the lawsuit.
The court’s analysis however, reveals that D1, Bolt Ghana Limited, lacks a clear connection to the central issues raised by the plaintiff.
Here are the key findings supporting this conclusion:
Firstly, Bolt Ghana Limited (D1) has been shrouded in obscurity due to a lack of information about its operations in Ghana. Counsel for D2 withdrew legal representation for D1, affirming that there is no affiliation between D1 and D2. D2’s Statement of Defence further emphasizes that it is a separate entity from D1 and has no knowledge of D1’s activities or affiliation.
Secondly, the Plaintiff’s central claim revolves around D2’s alleged negligence in registering the plaintiff as a Bolt driver on its platform and non-compliance with Act 843. Despite the Plaintiff’s assertions, there is no substantive evidence connecting D1 to these specific allegations.
The court has carefully reviewed the evidence on record and finds no established role for D1 in the events underlying the lawsuit.
Given the absence of evidence linking D1 to the Plaintiff’s core claims, the court deems D1 an unnecessary party to the suit.
Accordingly, the Plaintiff’s claims against D1 are dismissed.
The Court will now delve into the substance of the Plaintiff’s claims against D2.
ISSUE TWO
Is D2 vicariously liable for the conduct of its drivers, specifically, the criminal conduct of Peter Walker, the Identity Thief Bolt driver?
Vicarious liability is a legal principle that holds one person (often an employer) responsible for the actions or wrongdoings of another person (usually an employee) based on their relationship.
Vicarious liability operates under the idea of strict liability. This means that even if the responsible party (the employer) did not directly commit the wrongful act, they can still be held liable.
To establish vicarious liability, the relationship between the parties involved is paramount.
The most common scenario is when an employer is held liable for the actions of their employee. For instance, if an employee causes harm or commits a wrongful act while performing their job duties, the employer can be legally responsible.
Crucially, vicarious liability hinges on whether the employee’s actions occurred within the scope of their employment. If the employee was acting within their job responsibilities, the employer may be held accountable.
Therefore, to prove the existence of vicarious liability, the following are the elements required;
1) An employment relationship.
2) Negligence or tort must be committed by the employee.
3) The wrongful act must occur within the scope of the employee’s employment.
Accordingly, this court must determine the liability of D2 with respect to Peter Walker by determining whether or not the elements stated above are proved by the evidence on record.
Was there an employer-employee relationship between D2 and Peter Walker?
In the case of Yewens v. Noakes (1880) 6 Q.B. 530, the court established that an “employee” encompasses individuals who are under the authority and direction of an employer regarding how they perform their work. Essentially, an employee is someone who carries out tasks or services as instructed by their employer.
Section 175 of the Labour Act, 2003 (Act 651) defines “Worker” as a person employed under a contract of employment whether on a continuous, part-time, temporary or casual basis.
The said Section further defined an “Employer” as any person who employs a worker under a contract of employment.
Again, the Section defines a “Contract of employment” as a contract of service whether express or implied and if express, whether oral or in writing.
The following therefore must characterize the relationship between the employer and employee:
a) The employer must have control over the manner the employee carries out his work.
b) The employee’s work must be an integral part of the employer’s business or organization.
c) The benefits and risks associated with the business must be borne by the employer.
d) There must be a contract of service between the Parties.
e) The employer must be seen to pay the employee wages or salaries.
From Exhibit 1, the court acknowledges the General Terms and Conditions for Bolt Drivers. These terms outline the responsibilities of prospective drivers who sign up with Bolt. Specifically, by becoming a Bolt driver, individuals commit to providing transportation services through the Bolt platform.
Accordingly, the court finds as follows:
a) A registered driver with D2 and/or Bolt does not receive regular wages or fixed salaries paid by D2 and/or Bolt.
b) It cannot be asserted that a master-servant relationship exists between D2 and Bolt drivers, primarily because D2 does not terminate or dismiss Bolt drivers. Instead, the termination of the relationship between drivers and D2 occurs through profile deletion or deactivation within the Bolt App, rather than a dismissal.
c) D2 does not exercise control over the drivers in their conduct as drivers on the Bolt App.
d) D2 does not assume the risks associated with the drivers, as the drivers are responsible for obtaining their own insurance.
The court finds that D2 is not involved in any of the described actions that would classify its relationship with the Bolt drivers it registers on the Bolt platform as one of an employer-employee relationship.
In contrast, the contractual relationship between Bolt drivers and Bolt Operations OU, can best be characterized as a Contract for Services, where prospective Bolt drivers commit to providing transportation services to passengers who use the Bolt platform to hail rides.
This court therefore finds that Bolt drivers are Independent Contractors who provide transportation services for Bolt Holdings OU, through the Bolt App.
Does any legal principle impose vicarious liability on an Independent Contractor?
Typically, employers are not held legally liable for the negligent actions of independent contractors. This principle is well-established in many legal systems. For persuasion, we can look to the UK Supreme Court’s decision in Barclays Bank Plc Vrs. Various Claimants (2020) UKSC 13. The cases cited therein make it clear that a person can be held vicariously liable for the acts of someone who is not their employee, provided the relationship between them is sufficiently akin or analogous to employment. However, they do not erode the classic distinction between employment (and relationships that are akin or analogous to employment) on the one hand, and the relationship with an independent contractor on the other hand.
In that case, the court emphasized the concept of relationships akin to employment.
See also;
1. Woodland Vrs. Swimming Teachers Association [2013] UKSC 66
2. E Vrs. English Province of Our Lady of Charity [2012] EWCA Civ. 938.
3. Kafagi Vrs. JBW Group Ltd [2018] EWCA Civ. 1157.
Is the relationship between D2 and the Bolt drivers akin or analogous to an employment relationship?
Bolt drivers possess significant autonomy in their work. They have the freedom to choose when to accept ride requests and when to decline them. D2 does not exercise direct control over the conduct of Bolt drivers during their work. The drivers also bear their own insurance policy hence, risk.
Finding:
Based on all available evidence, the court finds that the relationship between Bolt drivers and D2 cannot be classified as one of employment.
There exists no discernible characteristics of a master-servant relationship between D2 and the drivers that qualifies it to be akin or analogous to employment.
Furthermore, this relationship does not possess the requisite elements that qualify it to sufficiently resemble an employer-employee relationship.
The following cases are instructive on the question of employment relationship;
a) Kwadwo Appiah Vrs. Kwabena Anane [2020] 160 GMJ1 (SC)
b) Partick Tekpetey & 3 Ors Vrs. Attorney General [2020] JELR 68 326 (CA)
c) Kussasi Vrs. Ghana Cargo Handling Co. [1978] 1GLR 170
d) Frederick Abban & 9 Ors. Vrs. Takoradi Floor Mills [2023] DLSC 16119
e) Samptson Essianu Vrs. Femme Arch Consult & Anor. [2021] JELR 10 9116
f) Kobeali & 39 Ors Vrs. TOR & 79 Ors 485 [2003 – 2005] 1GLR
Holding:
The court accordingly holds that, the relationship between D2 and the Bolt drivers is not one that is akin or analogous to an employment relationship. D2 has no employer-employee relationship with the drivers registered on the Bolt platform/App or operating as Bolt drivers. The drivers on the Bolt App are best described as Independent Contractors under a contract for their services.
The Questions of:
1) Negligence or tort committed by the employee.
2) The wrongful act occurring within the scope of the employee’s employment
Peter Walker was factually the person driving the vehicle with Registration number GR 2052-22. Essentially, he was the Bolt driver who had, for an uncertain period in 2022, been driving the said vehicle, albeit under a profile created upon his registration by D2 with the personal details of the Plaintiff herein. It is not in dispute that the conduct of Peter Walker amounted to him impersonating the Plaintiff thereby stealing the identity of the Plaintiff.
However, should D2 herein be held vicariously liable for this unscrupulous act by Peter Walker?
This court has determined that there exists no employer-employee relationship between D2 and Bolt drivers. Therefore, there remains no employer-employee connection between Peter Walker and D2.
Consequently, there is no need to address whether or not this conduct occurred within the scope of his duty.
The evidence on record therefore fails to establish the necessary elements for holding D2 vicariously liable for Peter Walker’s actions.
The court’s finding as a matter of fact, eliminates the need to delve into the other two elements necessary to establish vicarious liability for D2 concerning Peter Walker’s actions. Which said elements are;
1) Negligence or tort must be committed by the employee.
2) The wrongful act must occur within the scope of the employee’s employment.
Conclusion on the question of D2’s vicarious liability.
Findings and Holdings on Issue 2:
Based on the evidence on record and analysis immediately above, the court finds and holds as follows:
1) D2 is not vicariously liable for the wrongful conduct of the drivers it registers on the Bolt platform.
2) D2 is not vicariously liable for the act of impersonation by Peter Walker.
Refer to the following cases which are instructive on the legal doctrine of vicarious liability;
a) Neuseite Metitek and Konsult Vrs, UBA [2021] JELR 108991
b) Partrick Tekyetey & 3 Ors. Vrs. The Attorney General [2016] GELR 68326
c) Uber BV & Ors. Vrs. Aslam & Ors. [2021] UK SC 5 (for Persuasive effect)
d) Appiah Vrs. Anane [2020] GH ASC 27
ISSUES 3 AND 4
This court shall determine the questions of negligence and non- compliance with Act 843 by D2 conjunctively.
The court opines humbly that the Plaintiff’s claim of negligence against the Defendant hinges on the compliance or non-compliance statutory provisions as outlined in Act 843.
Therefore, in addressing the two questions at hand, the court shall adopt a cocktail approach by considering both the evidentiary proof of negligence and the specific compliance requirements as stipulated in Act 843.
It is trite law that in order to prove a case of negligence against a Defendant, the Plaintiff would have to prove that;
a) The Defendant owed him a duty of care,
b) The Defendant breached that duty of care, and
c) The Plaintiff suffered personal or other damage as a result of the said breach of the duty of care.
The following cases are instructive:
1) Standard Chartered Bank vrs. Victoria Island Props and Another [2004] JELR 63501 (CA)
2) Ecobank Ghana Ltd vrs. … Enterprise Ltd [No. J4/18/2020] delivered on 13th May 2020
3) Ghana Highway Authority vrs. Mensah [1999-2000] 2 GLR 237
4) Gyan vrs. Ashanti Goldfield Corp. [1991] 1 GLR 466
5) Abraham Ajumako Nunoo vrs. School of Highway Tamale and 2 Others [2016] JELR 91901 (CA)
(A) DUTY OF CARE
“You must take reasonable care to avoid acts of omissions which you can reasonably foresee would likely injure your neighbour.” – Lord Atkin, Donoghue Vrs Stevenson [1932] AC 562 at 580.
It is incumbent on this court to determine whether D2 owed a duty of care to the Plaintiff when the Plaintiff was registered as a driver on the Bolt platform. It is worthy of notice that D2 does not dispute this duty.
During cross-examination, DW1 affirmed that D2 has a duty of care to the public, ensuring that registered drivers on the Bolt platform do not endanger public safety.
Refer to the following cases with regards to the legal requirements of establishing a Duty of Care;
a) Donoghue Donoghue Vrs Stevenson [1932] AG562.
b) Ecobank Ghana Ltd Vrs Aluminium Ent Ltd. [J4/18/2020, delivered on 13th May, 2020]
c) Heaven Vrs Pendo [1883] 11 QBD 903
d) Edward Nassar & Company Ltd Vrs McVroom & Anr [1996-1997] SCGLR.
However, before this court can address the issue of breach, it is crucial to establish the reasonable scope or standard of the duty of care owed to the Plaintiff by D2.
What is the reasonable standard of duty of care D2 owed Plaintiff at the material time?
It is essential to examine statutory requirements in order to ascertain the scope or standard of care that D2, acting as a data processor for Bolt Operations OU (the entity behind the Bolt ride-hailing platform), must exercise toward a data subject, such as the Plaintiff, when processing their personal data.
Upon a comprehensive analysis of the Data Protection Act, 2012 (Act 843) and its provisions, it becomes evident that specific duties, obligations, and expectations are placed upon both data processors and data controllers.
For reference, these definitions were previously outlined in the Judgment based on Section 96 of Act 843.
It is the duty of this court that particularly in the context of establishing a duty of care in tort, it must take into account the provisions of Act 843, when determining the reasonable standard or scope of the duty of care owed by D2 (as a data processor) to the Plaintiff.
This standard of care can be succinctly summarized as follows:
1) The application of data protection principles, including accountability, lawfulness of processing, specification of purpose, quality of information, data security safeguards, and data subject participation, as outlined in Section 17 of Act 843.
2) Ensuring compliance with data protection principles to safeguard the privacy rights of data subjects, processing personal data lawfully and reasonably under Section 18 of Act 843.
3) Ensuring the Prior Consent of the data subject, unless otherwise specified in Section 20 (1), (2), and (3) of Act 843, before processing their personal data.
4) Collecting Personal Data Directly from Data Subjects. In accordance with Section 21(1) and (2) of Act 843, data controllers are generally required to collect personal data directly from the data subject. However, there are exceptions outlined in Section 21(2)(a) to (g) of the same Act.
5) Data protection principles require organizations to implement robust security measures to safeguard personal data. These measures include maintaining confidentiality, adopting appropriate technical and organizational safeguards, and preventing unauthorized access, loss, or unlawful processing of personal data.
To achieve the reasonable standard of care as stipulated in Sections 17, 18, 20, 21, 28, and 30 of Act 843, the data processor and controller must take reasonable measures to;
a) Identify reasonably foreseeable internal and external risks to personal data under their possession or control.
b) Establish and maintain appropriate safeguard measures against the identified risks.
c) Regularly verify that the safeguard measures are effectively implemented and obverse generally accepted information security practices and procedures, as well as specific industry or personal rules and regulations [refer to Sections 28 and 30 of Act 843, read conjunctively].
d) Ensure that the safeguards are continually updated in response to new risks or deficiencies.
Based on the previously discussed data protection principles that a data processor must follow, it is evident that Act 843, particularly in Sections 17, 18, 20, 21, 28, and 30, clearly defines the specific and general standards required of data processors when processing the personal data of data subjects, as well as in their overall conduct as data processors.
Act 843 meticulously outlines the obligations and clearly defines both specific and general standards that data processors must adhere to when handling personal data.
Notably, Sections 17, 18, 20, 21, 28, and 30 provide explicit guidance on data processor conduct.
In these circumstances, the reasonable standard of the duty of care that D2 as a data processor handling the Plaintiff’s personal data during his registration as a prospective Bolt driver, is that standard of duty of care prescribed by the relevant provisions of Act 843.
Findings and Holdings on duty of care and the reasonable standard of that duty of care:
The court finds and holds as follows;
1. As a Data Processor, D2 had a legal obligation to exercise care and protect the rights of the Plaintiff, who is a Data Subject. This duty of care extended to the processing of the Plaintiff’s personal data during the registration process for becoming a driver on the Bolt App/platform.
2. In accordance with the Data Protection Act, 2012 (Act 843), the standard of the duty of care owed by D2 to the Plaintiff is outlined in Sections 17, 18, 20, 21, 28, and 30. These statutory provisions define the reasonable standard or scope of care expected.
These statutory provisions are captured below;
a) To comply with Section 21 of Act 843, D2 ought to have collected the personal data of the Plaintiff DIRECTLY from the Plaintiff. This is ensured by conducting a liveliness identity verification of the Applicant.
b) According to Section 20 of Act 843, the Plaintiff’s personal data ought to have been processed by D2 with his PRIOR CONSENT. Again, this is ensured by conducting a liveliness identity verification of the Applicant.
c) D2 ought to have established security measures in order to;
i. ensure the integrity of the Plaintiff’s personal data collected.
ii. adopt appropriate, reasonable, technical and organisational measures to prevent the unauthorized processing of the Plaintiff’s personal data (Sections 28 and 30 of Act 843).
d) D2 ought to have taken reasonable measures to identify both external and internal risks, associated with the personal data it held.
These measures should include;
i. establishing and maintaining appropriate safeguards against those risks,
ii. regularly verifying the effectiveness of those safeguards, and
iii. promptly updating them in response to new risks or deficiencies.
In summary, as part of safeguarding personal data, D2 should have conducted a liveliness identity verification check. This verification would have ensured the integrity of the personal data purportedly collected from the Plaintiff and addressed the risk of processing that data without the Plaintiff’s prior consent. Sections 28 and 30 of Act 843 underscore this duty.
(B) BREACH OF THE DUTY OF CARE
The central issue at hand is whether or not D2 breached its duty of care toward the Plaintiff. This determination hinges on factual evidence that must be presented in court. Specifically, we must consider all relevant circumstances, especially in light of data processing activities governed by Act 843.
The court has diligently referenced Act 843, which outlines the reasonable standard of care that data processors must adhere to when collecting, processing, and managing personal data of data subjects. Particularly, Sections 20, 21, 28, and 30 of Act 843 are relevant in assessing D2’s alleged breach of its duty of care to the Plaintiff.
In addressing the alleged breach, the issue specifically centers around the reasonable standard or scope of the duty of care, which has already been established as owed by D2 to the Plaintiff.
Did D2 breach the duty of care it owed the plaintiff at the material time?
In the instant suit, the period during which D2 (the Data Processor) collected and processed Plaintiff’s Personal Data submitted by Peter Walker for his registration as a driver on the Bolt platform is crucial. This timeframe is what the court refers to as the “material time” in this proceedings.
The court has already established that D2 must adhere to certain statutory requirements when collecting personal data from an individual. Specifically, D2 should have conducted a liveliness identity verification of the applicant driver as part of its digital identity verification process during the registration process.
So, what exactly is liveliness identity verification?
It is a process where the Data Processor assesses the vitality or “liveliness” of the data subject. This verification can occur either traditionally (in person) or digitally.
The court shall explain this further:
Traditional Liveliness Verification:
In the traditional approach, the data subject physically interacts with the data processor. This typically involves the data subject being physically present in the same location as the collector. During this interaction, the data processor confirms the following:
i. Physical Appearance: The collector visually verifies the data subject’s physical features, ensuring they match any existing records or descriptions.
ii. Biometric Data: The collector captures biometric information (such as fingerprints or facial features) to compare with the submitted personal data.
iii. Other Observations: Any additional relevant details about the data subject’s physical presence are noted.
By comparing this information with the submitted data, the data processor can accurately confirm the identity of the data subject.
Digital Liveliness Verification:
In the digital approach, the data processor assesses liveliness remotely, without physical presence. Techniques include analyzing behavioral patterns (such as mouse movements or keystrokes) during data entry or using facial recognition technology through a webcam. While this method lacks the direct physical confirmation of traditional verification, it still aims to ensure that the data subject is genuinely present and engaged.
In the context of personal data processing, particularly in Ghana, ensuring that personal data is collected directly from the data subject (the individual to whom the data pertains) and with their prior consent is crucial.
The two primary methods that achieve this with their practical examples are as follows:
Traditional Liveliness Identity Verification:
Ghanaian Passport Office Example: When individuals apply for a Ghanaian passport online, the process does not end there. Instead, they physically visit the passport office for a liveliness identity verification. During this step, the applicant’s biometric data (such as fingerprints and facial features) is collected, and their appearance is verified. This ensures that the digitally submitted personal data originates directly from the data subject.
National Identification Authority (Ghana Cards): Similar to the passport office, the National Identification Authority follows a traditional approach. Before issuing Ghana cards, they verify the identity of applicants through in-person checks.
Electoral Commission of Ghana: This organization also employs traditional liveliness identity verification before processing personal data related to voter registration, voter transfers and elections.
Digital Liveliness Identity Verification:
In the digital realm, data processors have alternative methods:
Video Calls: The data subject interacts with the processor via video call, allowing visual confirmation of identity.
Liveliness Images (Selfies): Applicants upload a liveliness guaranteed image (usually a selfie) to the data processor. The processor then compares this image with the submitted personal data to ensure consistency.
Why Is Liveliness Identity Verification Essential?
Direct Collection: The primary objective of liveliness identity verification is to establish a direct link between the data processor and the data subject. By doing so, the data processor ensures that they have collected personal data directly from the individual concerned. By verifying liveliness, data processors can be confident that the data they collect indeed originates directly from the data subject. This direct collection is essential because it signifies that the data subject has provided their prior consent for the processing of their personal data.
Prior Consent Assurance: Verifying identity ensures that personal data is processed with the explicit prior consent of the data subject. Without this step, there would be no guarantee that the data subject authorized the collection and processing of their personal data.
In the instant suit, the Data Processor D2 was handling personal data related to a prospective driver on the Bolt platform. Unfortunately, an impersonator (Peter Walker) submitted the plaintiff’s personal data to D2.
D2, similar to other organizations, could have utilized the conventional method of liveliness verification to mitigate the risk of obtaining personal data from an entity other than the data subject and subsequently processing such data without the data subject’s prior consent. Alternatively, D2 could have implemented digital liveliness verification of the purported data subject to accomplish the same goals.
Regardless of the chosen method (traditional or digital), D2 needed to ensure that the personal data was collected directly from the data subject and that the data subject’s prior consent to the processing of the said data was obtained. Thus, the Data was to be obtained explicitly and transparently. Compliance with legal requirements under the Sections 20 and 21 of Act 843, was paramount.
In fact, it is a notorious fact worthy of judicial notice that as at 2020, both traditional and digital liveliness identity verification checks were available in Ghana and indeed being utilized by various entities in their data collection, processing and management businesses. D2 ought to have leveraged these tools or measures to protect the rights of Data Subjects as well as maintain compliance with Act 843.
According to the testimony of DW1, it was only in March 2024 that D2 fully implemented the liveliness (selfie) identity verification step as part of its digital identity verification process for registering prospective Bolt drivers. This implementation occurred while the ongoing lawsuit was still pending. Notably, DW1 clarified that the selfie identity check had been tested on a pilot basis back in January 2023, barely six months after the plaintiff had complained to D2 about the unauthorized profile created with his personal details as a driver on the Bolt App.
During DW1’s testimony, an essential aspect emerged: the selfie identity verification process. As part of this process, a driver is required to take a photograph of themselves using the Bolt App. Subsequently, an API verifies this photograph against the image and biometric data stored by the Driver and Vehicle Licensing Authority (DVLA). Importantly, D2 relies on a third-party service provider to perform this verification against the DVLA’s data.
During sworn testimony, DW1 confirmed that in 2022, there was no mandatory selfie photograph verification process for driver applicants at the DVLA. Notably, even six months before January 2023, D2 had the capability to implement this selfie-based identity check but chose not to.
The court also found that D2 did not utilize the traditional verification method employed by other data processors. Notwithstanding D2’s ability to incorporate technology in its operations as a data processor, the court deemed it unacceptable that D2 did not consider the option of traditional liveliness identity verification, particularly given its business background.
Indubitably, D2 did not comply with the security measure requirements provided for at Sections 28 and 30 of Act 843, in that D2 failed to;
i. Implement reasonable measures to detect and mitigate foreseeable risks posed by impersonators and identity thieves to the integrity of the personal data collected and processed, ensuring protection against unauthorized data processing.
ii. Implement robust safeguards to mitigate the foreseeable risks posed by impersonators, such as Peter Walker.
iii. Adhere to widely recognized information security practices and industry-specific regulations. Specifically, ensure that personal data is collected directly from the data subject and processed only with their explicit prior consent, in alignment with established norms followed by other industry stakeholders.
iv. Ensure that its digital identity verification processes, which were still active as of 2022, had been adjusted to incorporate either traditional or digital liveliness identity verification safeguards as in the case of some industry players who had already implemented similar measures even before 2020.
During the registration of Peter Walker as a Bolt driver, D2 was responsible for processing the personal data of the Plaintiff. However, D2 obtained Plaintiff’s personal data from Peter Walker, rather than DIRECTLY from the Plaintiff. Consequently, D2 failed to comply with Section 21 of Act 834, which requires collecting the personal data of a data subject directly from the data subject.
Further, by not securing the Plaintiff’s prior consent for the processing of his personal data, D2 breached Section 20 of Act 843.
Findings:
1) The court therefore finds that D2 did not comply with Sections 20, 21, 28 and 30 of act 843.
2) Accordingly, the court finds that D2 breached its duty of care to the Plaintiff by failing to comply with the requirements outlined in Sections 20, 21, 28, and 30 of Act 843 during the processing of the Plaintiff’s personal data.
Is D2’s Defence plausible to offset the above findings?
The Defence which D2 asserts essentially hinges on the fact that it exercised reasonable care in collecting and processing the Plaintiff’s personal data.
This defence is grounded in Section 43(2) of Act 843 which provides as follows; “In proceedings against a person under this section, it is a defence to prove that the person took reasonable care in all the circumstances to comply with the requirements of this Act.”
This court must however, evaluate whether this position aligns with the evidence presented on record in light of the relevant provisions of Act 843, specifically Sections 20, 21, 28, and 30.
Visualize this scenario which may accurately describe the data processing procedure of D2;
D2 resides within an enigmatic house; its walls, windows, and doors all shrouded in opacity. Aspiring Bolt driver applicants diligently assemble their necessary registration documents, such as their photographs, driver’s licence, vehicle insurance documents and roadworthy certification, and approach this opaque abode. Their task is simple; to slide these documents under the door of the opaque building.
Behind that door, D2 awaits, collecting the submitted paperwork. Yet, here lies the paradox: D2 lacks certainty about whether the person who slid the documents under the door corresponds to the individual described within the documents. In the mind of D2, to resolve this uncertainty, D2 meticulously compares the names, photograph and other pertinent data, such as the birthdates, ages, and the like, across the documents. D2 further verifies the authenticity of these documents with a third party database. Once it is satisfied that the documents are genuine, D2 takes the next step of proceeding to register this enigmatic individual as a Bolt driver on the App.
However, the veil of opacity remains intact: D2 still cannot definitively confirm whether the person behind the door aligns with the person whose personal data it collected and processed.
And so, the person, whose true identity remains concealed, ventures forth, driving unsuspecting passengers, all while assuming the registered persona bestowed upon them on the Bolt platform.
Thus, say a woman named Ama Kuntor submits certain documents by sliding them under this opaque door. However, these documents actually belong to a man named Mr. Raphael Kumi. Now, picture the surprise of ride-hailing passengers who select Mr. Raphael Kumi’s driver profile on the Bolt App or platform. They expect a male driver, but when their ride arrives, they find a woman behind the steering wheel.
The lack of direct personal contact with the applicant behind that mysterious door led to this rather unexpected and, this court dare says, utterly unpleasant incident.
This is what D2 contends as amounting to it having exercised reasonable care in fulfilling its duty of care toward the Plaintiff, and invites this court to accept this assertion.
This court respectfully declines this invitation.
The court’s decision stems from Sections 28 and 30 of Act 843, which impose an obligation on D2 to implement measures that ensure the integrity of the personal data it collects and processes.
Specifically, in accordance with Sections 20 and 21 of Act 843, D2 should collect the Plaintiff’s personal data DIRECTLY from him and process it only with his PRIOR CONSENT, save for the exceptional circumstances mentioned therein. This safeguard, whether through traditional or digital means, would enhance D2’s existing digital identity verification process during the registration of prospective driver applicants.
In the context of the opaque building scenario, the absence of effective liveliness identity verification, whether through traditional or digital means, has significant repercussions.
Imagine this building as housing D2, an entity responsible for processing data. Had D2 promptly implemented robust liveliness identity safeguards, it would have at least rendered the metaphorical ‘doors and windows’ transparent.
In other words, D2 would have been able to accurately and definitively ascertain the identity of data subjects in relation to applicants.
However, D2 missed this crucial opportunity. It was not until six months after legal proceedings began (specifically in January 2023 on a pilot basis and March 2024 in a full roll-out program) that D2 addressed this oversight.
The defence therefore available to D2 per Section 43(2) of acts 843 as it has argued, cannot be supported by the evidence on record in light of Sections 20, 21, 28 and 30 of Act 843.
Finding and Holding on plausibility of D2’s Defence:
The court therefore finds and accordingly holds that D2’s defence, claiming reasonable care in discharging its duty of care toward the Plaintiff, is implausible and does not absolve D2.
Conclusion on Breach of Duty of Care and Non-compliance with Act 834.
In the circumstances, this court holds on the issues of D2’s alleged breach of the duty of care it owed the Plaintiff and D2’s non-compliance with Act 843 as follows;
1) D2 did not comply with Sections 20, 21, 28 and 30 of Act 843.
2) Accordingly, D2 breached its duty of care to the Plaintiff by failing to comply with the requirements outlined in Sections 20, 21, 28, and 30 of Act 843 during its collection and processing of the Plaintiff’s personal data.
(C) CONSEQUENTIAL INJURY OR DAMAGE SUFFERED BY PLAITNTIFF AS A RESULT OF D2’S BREACH
In order for the Plaintiff to prevail in a claim of negligence, he must demonstrate that D2’s breach of the duty of care owed to him resulted in tangible harm or damage.
The Plaintiff has extensively asserted that he suffered some consequential emotional, psychological, and financial harm due to D2’s breach.
The court after duly considering the evidence presented by the Plaintiff in its entirety, found the following facts as sufficiently proved:
i. The fact that the Plaintiff suffered emotional distress and trauma.
Let us reflect on this scenario:
A successful Co-Founder and CEO of a software solutions company suddenly finds himself registered as a Bolt driver, an identity he has never assumed. The revelation hits him like a bolt of lightning in August 2022.
Who is this Plaintiff? Well, he is no ordinary Joe. He lectures at Kumasi Technical University, chairs the Advisory Board for the Banking and Finance department of the university, and his software solutions power financial institutions across Ghana. Imagine his shock when he realizes that an unknown number of Bolt riders have seen his profile listed as a driver. It is a double life he never signed up for, one where he both is a software guru, lecturer, board chairman and a ride-hailing driver.
The court acknowledges the gravity of this situation. Being unwittingly registered as a driver can wreak havoc on anyone’s emotions and psyche. Sleepless nights, existential questions, these are the tolls exacted by such an unwelcome identity switch. And so, the Plaintiff’s distress becomes a pivotal point in the case against D2, the entity responsible for this digital negligence.
In accordance with Section 43(1) of Act 843, the law recognizes that a claimant may experience distress due to a Defendant’s failure to comply with Act 843. In the present case, the Plaintiff has explicitly described the nature of the distress he endured.
On 1st August 2022, he unexpectedly found himself downgraded from his previously esteemed status to that of a driver on the Bolt App. This sudden shift likely caused a range of non-material injuries, including shame, embarrassment, anxiety, worry, and fear.
The court acknowledges that the Plaintiff’s personal data, such as his image and name, was registered without his consent, effectively labeling him as a Bolt driver. Given that the Bolt App is accessible to anyone with a smart device, the Plaintiff understandably felt overwhelmed and concerned about the potential far-reaching consequences of having his identity associated with Peter Walker, who operated as a Bolt driver during an unspecified period in 2022.
In light of these circumstances, the court finds and accordingly holds that the Plaintiff did indeed suffer distress, encompassing emotional distress and trauma.
ii. The fact that the Plaintiff’s reputation suffered damage.
In the instant suit before us, the Plaintiff, a Co-Founder and Chief Executive Officer of Glydetek Group Ltd, finds himself at an unexpected crossroads. His professional journey has been marked by significant achievements; providing software solutions to prominent financial institutions such as Jospong Group, Bestpoint Savings and Loans, First Atlantic Bank, Letshego Ghana, and Bi Divest Microfinance. Additionally, he holds a lecturing position at Kumasi Technical University, where students study software he developed. As if that were not enough, he also chairs an advisory board in the Banking and Finance Department at the same institution. Undoubtedly, this impressive résumé has earned him an enviable reputation within Ghana’s business circles, particularly in the financial and educational sectors.
However, fate took an unforeseen turn when D2, a party directly involved in this litigation, rendered the Plaintiff a registered driver on the Bolt Platform. Suddenly, the Plaintiff’s hard-earned reputation faced an unexpected challenge.
To fully appreciate the impact, we must recognize that the chosen profession or career of a person is intrinsically linked to their personal dignity. For someone who prides himself on software development, academic leadership, and co-founding a successful software solutions company, the prospect of being known primarily as a Bolt driver, albeit temporarily, becomes disconcerting.
Now, let us delve into the heart of the matter. Being a Bolt driver, in and of itself, may not inherently damage one’s reputation. After all, many individuals pursue honest work as drivers, contributing to essential services. However, context matters.
The Plaintiff is not just any individual; he is a unique person with a distinct reputation. His community, the financial IT community, views him through a specific lens. To them, he embodies expertise, innovation, and leadership.
Therefore, the reduction of his stature to that of a Bolt driver, even temporarily, carries weight. It is not about the general reputation of all Bolt drivers; it is about the Plaintiff’s reputation, painstakingly built over years of hard work and dedication.
In summary, the court must consider the Plaintiff’s peculiar circumstances. While being a Bolt driver might not tarnish the reputation of an average person, it does impact this Plaintiff significantly. The Financial IT community, aware of his background, would undoubtedly perceive this detour as a reputational setback.
The Plaintiff’s reputational harm is significantly exacerbated by the global reach of the internet. The data protection breach incident that affected the Plaintiff has reverberated worldwide due to the pervasive nature of online information dissemination.
A straightforward Google search of the Plaintiff’s name yields a direct link to the Bolt driver saga. Considering the Plaintiff’s standing within Ghana’s finance, IT, and higher education communities, this easily accessible information, available to anyone with internet-enabled smart devices, poses a substantial threat to his esteemed reputation.
The court accordingly finds merit in this claim and holds that the Plaintiff suffered damage to his reputation due to D2’s breach.
iii. The Inconvenience suffered by the Plaintiff in addressing D2’s breach
In our internet-driven society, it is entirely conceivable that the Plaintiff faced significant challenges in addressing the breach he suffered at the hands of D2. As soon as the Plaintiff became aware of the breach, he engaged legal representation to handle all correspondence with D2. This process undoubtedly consumed valuable resources.
Specifically, the Plaintiff expended resources in the following ways:
Engaging Lawyers: The Plaintiff hired lawyers who initiated preliminary correspondence with D2 even before formally filing the lawsuit.
Online Remediation: Additionally, the Plaintiff engaged directly with D2 to ensure the prompt cessation of the continuous publication of his identity and image on the Bolt Platform/App as a Bolt driver.
The court acknowledges that rectifying the harm caused by D2’s breach required the Plaintiff to endure substantial inconvenience. This inconvenience extended to the expenditure of his attention, time, and financial resources. The Plaintiff took deliberate and precise steps to address both existing and potential future issues arising from D2’s breach.
This court, in light of these circumstances, finds that the Plaintiff’s inconvenience, both in terms of time and financial burden, was substantial and justifies holding D2 accountable for timely and adequate redress.
iv. Injury to finances of Glydetek; unproved.
The Plaintiff contends that Glydetek experienced a general downturn in business fortunes during the period when his details was being used to work as a driver on the Bolt platform.
Notably, certain projects, some valued at hundreds of thousands of dollars, experienced mysterious delays and frustration. Further investigation revealed that some of these project setbacks were linked to due diligence processes conducted by the organizations.
However, the court finds that Glydetek, as a company limited by shares, operates independently of the personal well-being or misfortune of its shareholders.
Consequently, its ability to secure contracts and generate profits or incur losses is distinct from any personal injury or other circumstances affecting its shareholders. Glydetek is not a party to this suit and operates as an independent entity. Furthermore, the Plaintiff did not present any evidence regarding the losses allegedly suffered by Glydetek.
The court therefore finds and holds that the Plaintiff’s assertion that Glydetek experienced a general downturn in business fortunes during the period when he was employed as a driver on the Bolt platform remains a claim as same is unproved.
Conclusion on Issues 3 And 4: Negligence and Non-Compliances with Act 843
From the foregone, it is evident that the elements necessary to establish negligence on the part of the Defendant have been adequately established on the preponderance of the probabilities based on the evidence presented on record.
The following key findings were made:
Duty of Care: The court determined that D2 owed a duty of care to the Plaintiff during the material time when it collected and processed his personal data. Specifically, this duty required D2 to conduct a liveliness identity verification check as part of its digital identity verification process. The liveliness identity verification ensures that Plaintiff’s personal data is collected directly from him and processed with his prior consent. This verification was crucial while processing the Plaintiff’s personal data, which had been submitted by an impersonator named Peter Walker in an attempt to register as a driver on the Bolt App platform.
Breach of Duty: Unfortunately, D2 breached its duty of care to the Plaintiff. The breach occurred because D2 failed to comply with Sections 20, 21, 28, and 30 of Act 843. These statutory provisions require that personal data be collected directly from the data subject (in this case, the Plaintiff) and processed only with the prior consent of the data subject. By not adhering to these requirements, D2 breached its duty of care during the collection and processing of the Plaintiff’s personal data.
Consequences of the Breach: As a result of this breach, the Plaintiff suffered emotional distress, anxiety, and emotional trauma. Additionally, the court recognized that the breach caused damage to the Plaintiff’s high reputation. Furthermore, the inconvenience caused to the Plaintiff, both in terms of time, attention, and financial resources, was taken into account.
Conjunctively, the court made the following determinations:
Negligence: D2, as a data processor, was negligent toward the Plaintiff, a data subject, during the collection and processing of the Plaintiff’s personal data. The Plaintiff thus, successfully established a case of negligence against D2.
Non-Compliance: D2, as the data processor, did not meet the requirements outlined in Sections 20, 21, 28, and 30 of the Data Protection Act, 2012 (Act 843) concerning the collection and processing of the Plaintiff’s personal data.
In the circumstances, the court finds and holds that D2 failed to comply with Sections 20, 21, 28, and 30 of the Data Protection Act, 2012 (Act 843).
ISSUES 5 AND 6: WAS THE PLAINTIFF NEGLIGENT AND DID HE COLLUDE WITH HIS IMPERSONATOR?
(A) Was the Plaintiff negligent in causing his impersonation by Peter Walker?
In the instant suit, D2 has raised the issue of the Plaintiff’s negligence, which allegedly led to the theft of the Plaintiff’s identity by his own employee, Peter Walker. Specifically, D2 contends that the Plaintiff’s actions contributed to the breach. This argument essentially sets up a claim of contributory negligence against the Plaintiff.
However, had D2 acknowledged partial liability for the breach while also asserting that the Plaintiff’s conduct should be taken into account to mitigate D2’s fault, this would constitute the setting up of a comparative negligence defence against the Plaintiff.
D2 asserts that it fulfilled its duty of care towards the Plaintiff and that any identity theft suffered by the Plaintiff resulted from the Plaintiff’s own carelessness or negligence. D2 contends further that the Plaintiff’s actions contributed significantly to the harm he suffered. Therefore, this case revolves around the concept of contributory negligence, rather than a comparative negligence scenario.
The legal principle of contributory negligence when raised against a Plaintiff seeks to prove that the Plaintiff contributed to his own injury through his own negligence as follows;
1. The Defence must prove that the Plaintiff owed himself a duty to take reasonable care for his own safety,
2. The Defence must prove that the Plaintiff breached this duty of care, and
3. The Defence must prove that the Plaintiff’s breach resulted in the damage suffered by him and that this damage was a reasonably foreseeable consequence of his conduct.
Refer to the following cases;
1. Sarpor vrs. Boosoruprah [2020] GHASC 66
2. Appiah vrs. Anane [2020] GHASC 27
The conduct of plaintiff complained of.
In the course of cross-examining the Plaintiff, the defence asserted an accusation. According to the Defence, since the Plaintiff is both a software expert and the owner of a data processing company like Glydetek, he should have been aware of his own duty to exercise reasonable care in safeguarding his personal data against theft by others.
Essentially, the defence contends that the Plaintiff possessed specialized knowledge regarding data security practices. Therefore, he was expected to understand the consequences of failing to protect his personal data adequately.
In legal terms, this duty of care, to safeguard one’s own information, is what the Plaintiff owed to himself.
The Court unequivocally finds that the Plaintiff, akin to all individuals, bears a fundamental duty to exercise reasonable care in safeguarding his personal data. As a result, the Plaintiff is obligated to take prudent measures to ensure the security and confidentiality of his own personal information.
Did the Plaintiff breach the duty of care he owed himself?
Regarding the Plaintiff’s profile photograph displayed on the Bolt App (referred to as “Exhibit B”), it appears to be the same photograph featured on the Glydetek Group Website.
Peter Walker contends that he inadvertently uploaded this photo because he was using the Glydetek laptop when he was registering as a driver on the Bolt App.
However, there remains no explanation from Walker as to how he obtained the driver’s licenses of both the plaintiff and Samuel Kodjo Adjetey, also an employee of Glydetek.
This is the situation D2 alleges constitutes the Plaintiff’s breach of the duty of care he owed himself.
Firstly, from the evidence before this court, there exists no nexus between anything done or left undone by Plaintiff which may have resulted in Peter Walker having access to Plaintiff’s photograph. The photograph is one of Plaintiff on the Glydetek website which is a public website and thus, accessible to anyone who visits that site. It is not a photograph one would have gone to great lengths to procure.
The court finds that Plaintiff possesses no locus of control over what people may or may not do with the said photograph if they choose to procure same from the Glydetek website.
Secondly, some documents such as a person’s driver’s license is an identification document they typically keep in their possession. It can only be assumed that Peter Walker engaged in some form of wrongdoing, bordering on criminal activity, in order to acquire these licenses.
Perhaps, he took photographs of them and subsequently placed them on the company’s laptop which had been assigned to him for work purposes. As a result, both the Plaintiff and Samuel Kodjo unwittingly became victims of Peter Walker’s unauthorized possession of their driver’s licences.
Interestingly, the Plaintiff did not realize that his driver’s licence had gone missing until 1st August, 2022. It is evident that Peter Walker must have taken these licences without the owners’ knowledge or consent.
Now, the crucial question arises: Should the Plaintiff be held responsible for somehow allowing his driver’s license to fall into Peter Walker’s possession without his knowledge and consent?
D2, in its case, alleges that the Plaintiff must have been aware of Peter Walker taking and using his license during the registration process. Essentially, D2 imputes consent to the Plaintiff.
However, this allegation lacks any supporting evidence on record. In fact, it sharply contrasts with D2’s actions when it was informed of the Plaintiff’s issue. D2 promptly petitioned the Ghana Police Service to investigate the matter (see Exhibits J and 3), yet it made no allegations against the Plaintiff. If D2 genuinely believed that the Plaintiff had willingly provided his personal data to Peter Walker, thereby facilitating Peter Walker’s impersonation, it would have taken steps to hold the Plaintiff accountable.
D2 also alleges that the Plaintiff’s actions or inaction compromised the safety of his personal data, which was registered on the Bolt App by D2 at the request of an impersonator named Peter Walker. However, the evidence on record does not substantiate this claim.
The court, therefore, concludes that the Plaintiff did not breach the duty of care owed to himself in safeguarding his personal data. As a result, the consequential harm or injury suffered by the Plaintiff due to the data protection breach committed by D2 cannot be attributed to any action or inaction on the part of the Plaintiff. To suggest otherwise would be to unfairly blame the Plaintiff for the theft of his identity.
This court opines that an identity theft occurs when a perpetrator successfully uses the identity of a victim either for the primary purpose of that document or another purpose, without the knowledge, prior consent and authorization of the victim; not when a perpetrator procures the identity document of the victim without the knowledge or prior consent or authorization of the victim.
In contrast, the act of procuring personal documents without the knowledge, prior consent and authorization of the victim amounts to a theft of that document. Therefore, the act of procuring personal documents without the knowledge, prior consent and authorization of the victim is not in itself identity theft. Rather, it is the unauthorized and non-consensual use of that personal data that constitutes identity theft.
Accordingly, the court finds that it is unjust and rightly erroneous to attribute any blame to the Plaintiff for his identity theft. The allegation against the Plaintiff lacks merit, and the court unequivocally rejects D2’s attempt to hold the Plaintiff liable for contributory negligence. The injury suffered by the Plaintiff resulted from the collection of his personal data from an impersonator and the processing of same by D2 without his prior consent, and not the mere theft of his personal documents.
Finding and Holding:
The court accordingly finds and holds that the Plaintiff is not liable for contributory negligence in the instant suit.
B) Did the Plaintiff collude with Peter Walker or abet Peter Walker’s act of Impersonation?
D2 contends that the Plaintiff colluded with his employee, Peter Walker, to perpetrate his identity theft. This allegation appears in D2’s Statement of Defence and emerged during cross-examination.
Specifically, D2 argues that because the Plaintiff is an IT expert, he likely collaborated with Peter Walker to collect the Plaintiff’s personal data, with the Plaintiff’s prior consent.
Collusion, in this context, implies secret or illegal cooperation or conspiracy between two or more individuals with the intent to defraud another.
To substantiate these allegations, D2 must establish the following elements:
1. The commission of a criminal act, specifically personation by Peter Walker.
2. Evidence of cooperation between Peter Walker and the Plaintiff, through the Plaintiff’s facilitation of Walker’s or abetment personation.
The central issue in the matter before this court, pertains to Peter Walker’s criminal conduct, specifically, his impersonation of the Plaintiff. While the fact of Peter Walker’s impersonation remains undisputed, our focus shifts to whether or not the Plaintiff cooperated or abetted him in this unlawful act.
The court analyzes the issue as follows:
Criminality of Peter Walker’s Conduct:
The evidence establishes that Peter Walker engaged in criminal conduct by impersonating the Plaintiff. Sections 131 and 134 of the Criminal and Other Offences Act, 1960 (Act 29) clearly define the offence.
Notably, Peter Walker himself is not a party to this litigation; it is solely his conduct that is under scrutiny.
Plaintiff’s alleged Cooperation or Abetment:
D2 contends that the Plaintiff collaborated with Peter Walker in the impersonation. However, no cogent evidence supports this claim.
In civil cases, even when addressing conspiracy or abetment, the burden of proof remains high, beyond reasonable doubt. Section 13(1) of the Evidence Act, 1975 (NRCD 323), underscores this standard.
Sections 20 and 23 of Act 29 further define the offences of abetment and conspiracy.
Insufficiency of D2’s Evidence:
D2’s case hinges on suspicion rather than concrete proof. Their allegations lack substance.
Specifically, D2 failed to demonstrate that the Plaintiff provided his driver’s license and personal photograph to Peter Walker, which the latter used for impersonation on the Bolt platform.
The absence of any evidence supporting D2’s claims weakens its position.
The Court’s Obligation:
Given the gravity of imputing criminality to the Plaintiff, the court must address this claim thoroughly.
To find collusion between the Plaintiff and Peter Walker, the court requires proof beyond a reasonable doubt.
However, D2’s failure to present such evidence leaves its allegation unsubstantiated. Thus, a mere suspicion.
Conclusion on Issues 5 and 6:
Without compelling evidence, D2’s claims remain mere suspicion, falling short of the legal threshold required for a finding of guilt.
In light of the evidence presented, the court refrains from making a conclusive finding that the Plaintiff colluded with Peter Walker to facilitate his impersonation on the Bolt platform. D2’s assertion of a collusion between the Plaintiff and Peter Walker remains rooted in mere suspicion, lacking substantive proof.
In furtherance of the above, the court finds and holds that D2 has failed to establish any abetment by the Plaintiff in Peter Walker’s impersonation of the Plaintiff on the Bolt platform.
Consequently, D2’s claims in this regard fail as the court finds no fault in negligence and collusion (abetment) against the Plaintiff with regards to his impersonation by Peter Walker on the Bolt Platform, owing to the negligence of D2 and further owing to D2’s non-compliance with sections 20, 21, 28 and 30 of the Data Protection Act, 2012 (Act 843).
ISSUE 7: IS THE PLAINTIFF ENTITLED TO COMPENSATION?
This court has already found in this Judgment that;
1. D2 was negligent towards the Plaintiff and
2. D2 did not comply with Sections 20,21, 28 and 30 of the Data Protection Act, 2012 (Act 843)
In legal proceedings, when a court finds that a defendant has acted negligently toward a plaintiff, the court is obligated to evaluate the damages suffered by the plaintiff and then grant general damages in favor of the Plaintiff.
The following cases are instructive on the award of these damages:
1. H. West and Sons Ltd. vrs. Shepherd [1963]2 All ER 625 @ Pg. 631.
2. Delmas Agency Ghana Ltd. vrs. Food Distribution International Ltd. [2007-08] SCGLR 748 @ 760.
3. Appiah Vrs. Kwabina Anani [J4/42/2019, Delivered on 22nd January, 2020].
4. EDG Ltd. vrs. Provident Insurance Company Ltd. & 2 Ors. [J4/31/2019, Delivered on 18th March, 2020].
5. Roach vrs. Yates [1938] 1 KB 256.
6. Philips vrs. Smith Wester Railway Co. [1879] 4QBD 406.
In the present suit, D2’s actions also constitute a violation of the Data Protection Act, 2012 (Act 843).
According to Section 43(1) of Act 843, the Plaintiff, who has suffered both damage and distress, is entitled to compensation from D2.
The Court deems Compensatory Damages as the appropriate remedy in light of the established cases of negligence and non-compliance with statute against D2. These damages serve as the balm to soothe the Plaintiff’s injury.
The Court considered various factors in determining the quantum of Compensatory Damages to award in favour of the Plaintiff.
These factors include;
1. The distress, emotional suffering and trauma suffered by the Plaintiff: Non-material damage.
2. The Reputational Damage the Plaintiff suffered: Non-material damage.
3. The inconvenience the Plaintiff has endured in seeking redress: Material Damage.
The Plaintiff per the amended writ of summons seeks compensation of GhC 2,000,000.00
However, during the pendency of this case, D2 took corrective action.
In January 2023, D2 launched a pilot program mandating prospective Bolt Drivers to complete selfie identity verification during the registration process. This digital liveliness check confirms the identity of applicants by ensuring that photographs are captured using the Bolt App camera, thereby guaranteeing the upload of a live image instead of a spoof image. These photographs are subsequently compared with the uploaded documents to verify authenticity.
The Court commends D2 for recognizing its shortcomings and implementing measures to directly collect personal data from data subjects for processing with their prior consent, a step toward safeguarding the rights of data subjects.
However, unfortunately, this corrective action is too little too late for this particular Plaintiff
The Court has already stated that in 2022, D2 had at its disposal the opportunity to either;
a) Conduct a traditional liveliness identity verification for prospective driver applicants, similar to the procedures followed by the Ghanaian Passport Office, the National Identification Authority (NIA), and the Electoral Commission when processing applicants’ personal data, or
b) Conduct a digital liveliness identity verification, which can involve either a selfie or a video call verification. Notably, offices like MTN have been utilizing video call verification.
The court finds therefore that D2’s failure to implement proper identity verification checks for prospective Bolt drivers had serious consequences for the Plaintiff. This failure was avoidable and unacceptable, especially given that other industry players had already adopted such measures before 2022.
As a country, we are all vulnerable to identity theft. As such, it is crucial for data processors and controllers to follow best practices in order to protect personal data.
D2’s negligence permitted the Plaintiff’s identity to be stolen and used on its platform to register the Plaintiff as a Bolt driver without his prior consent. Although D2 later introduced selfie verification, the harm was already done to the Plaintiff.
The court must therefore order D2 to compensate the Plaintiff accordingly.
The court assesses the compensation based on the following factors as already established:
1. Distress, Emotional Suffering, and Trauma: The court considers the extent of distress, emotional suffering, and trauma experienced by the Plaintiff as a result of the incident. This includes the psychological impact and the overall emotional toll on the Plaintiff’s well-being.
2. Reputational Damage: The court evaluates the damage to the Plaintiff’s reputation, including the negative perceptions and loss of standing in the Finance IT community and his professional circles, as a Lecture, Board Chairman and the Chief Executive Officer of Glydetek.
3. Inconvenience in Seeking Redress: The court acknowledges the inconvenience and challenges the Plaintiff has faced in pursuing legal redress. This includes the time, effort, and financial resources expended by the Plaintiff to seek justice and the impact of these efforts on his daily life.
In consequence, the court awards compensatory damages of GHC1,900,000.00 against D2.
COMMENTS AND FURTHER ORDERS
Finally, imagine this scenario:
The Honourable Lady Chief Justice of Ghana, the Rt. Honourable Speaker of Parliament of Ghana, the Honourable Attorney General of Ghana, Counsel for D2, or your mother, for any reason, requests a Bolt ride through the Bolt platform. Upon doing so, they see a photograph of themselves, which is publicly available on the internet, along with their personal details, including their name, displayed as the profile of the driver assigned to pick them up.
Crucially, you are not exempt from this scenario.
Consider the shock and disbelief you would experience. Imagine being unaware of how many Bolt App users have viewed a profile created with your personal data. Envision not knowing how long you have been listed as a Bolt driver without your knowledge, and the potential misuse of your stolen identity by the perpetrator.
Until March 2024, D2, the data processor, who had been rather lethargic when it came to ensuring the safety of the public, particularly unsuspecting passengers who hailed rides on the Bolt App, suddenly stirred from its slumber and decided to enhance its existing identity verification process. The court can undoubtedly say, this sudden consciousness was as a result of the instant suit.
Globally, regulators acknowledge the significant risks associated with identity theft and the imperative to protect personal data from potential abuse. Consequently, diverse forms of data protection frameworks have been instituted to oversee entities such as D2. While these frameworks may vary in their approaches and standards, they universally adhere to the fundamental principles of safeguarding the personal data of individuals from potential misuse.
The legislators of Ghana’s Data Protection Act, 2012 (Act 843), astutely recognized that it is impractical to rigidly define the safeguards available to and usable by data processors and controllers, given the rapidly evolving nature of data processing and control risks, procedures and technologies. Therefore, the Act imposes a duty on data processors and controllers to ensure the protection of personal data through appropriate safeguards.
The discretion of data processors and controllers in Ghana, to select the type and level of data protection safeguards is contingent upon a single incontrovertible requisition: The protection of personal data.
Obtaining, processing, and controlling personal data is a privilege that carries the weighty responsibility of protecting that data. Personal data, such as biometrics, are uniquely identifying attributes; no two individuals have the same fingerprints, and DNA information is invaluable in investigations and information gathering. The rare privilege that data processors and controllers possess in handling personal data must not be taken lightly. Data processors and controllers must be held to the highest standards of safeguarding personal data through stringent standards and regulatory compliance.
The court emphasizes that all organizations handling personal data must adhere to high standards of care to prevent such misuse, and protect citizens from unauthorized identity use.
The Data Protection Commission (DPC) of Ghana, established under the Data Protection Act, 2012 (Act 843), is yoked with the pivotal responsibility to ensure safeguarding the rights of individuals living in Ghana against data protection breaches.
Recent events, such as the situation faced by the Plaintiff at the hands of D2, underscore the urgency of this responsibility.
When a data processor’s database is evidently compromised, due to unsavory incidents similar to those in the instant case, it becomes imperative to take action.
First, an appropriate audit of the IT system and database should occur. This audit serves two essential purposes; sanitizing the database and ensuring public safety. By conducting a forensic audit, any fraudulently or falsely registered profiles can be identified and removed.
Additionally, the magnitude and process of breach can be determined to understand its root cause and implement appropriate corrective measures to prevent future occurrences, thereby maintaining the integrity of the data ecosystem.
For the overarching purpose of sanitizing the databases of all ride-hailing entities and as a public safety policy, the following orders are hereby issued and directed to the Data Protection Commission of Ghana:
1. The Data Protection Commission shall ensure that a forensic audit of D2’s systems and Data base is undertaken, with D2 (Bolt Holdings OU) conducting a liveliness identity verification check for all its drivers registered on the Bolt Platform/App prior to March 2024 registrations.
2. The Data Protection Commission shall ensure that all other ride-hailing platforms in Ghana undergo this exercise for the period they have not undertaken such liveliness identity verification process for the drivers who use their platforms.
This Order shall be drawn up and served with a copy of this Judgment on the Data Protection Commission by the Bailiff of this court. The Registrar of this Court shall attach a cover letter to same.
COST
Cost of GHC20,000 is awarded against D2. This cost includes reasonable consideration of litigation costs.
…………………………….………………………
H/H JUDGE SEDINAM AWO KWADAM (MRS.),
CIRCUIT COURT 2,
ADENTAN,
ACCRA.