In a Joint Investigation conducted by the Federal Competition
and Consumer Protection Commission (FCCPC) and the Nigerian Data
Protection Commission (NDPC), Meta Platforms Inc. and WhatsApp LLC
(collectively referred to as the "Meta Parties") were fined
$220,000,000 (Two Hundred and Twenty Million U.S. Dollars) for
violations of Nigerian consumers' data privacy rights.
This article focuses on the data protection breaches highlighted in the
order and considers their wider significance for data governance in
Nigeria.
To understand the rationale behind the FCCPC and NDPC's
directives, one must examine the lawful bases for data processing
under Nigerian law. The NDPA outlines six primary lawful bases:
- Consent – The data subject has given clear permission for
the processing of personal data for a specific purpose.
- Contractual obligations – Processing is required to
fulfil a contract with the data subject.
- Legal obligations – The controller is required by law to
process the data.
- Vital interests – Processing is necessary to protect the
life or wellbeing of an individual.
- Public interest – Processing is carried out in the public
interest or pursuant to a statutory function.
- Legitimate interests – The controller may process data in
pursuit of its own legitimate interest, provided these do not
override the rights of the data subject.
In the Meta case, the order implicitly references two of the
most important principles under the NDPA: Lawfulness, Fairness, and
Transparency; and Purpose Limitation.
Lawfulness, Fairness and Transparency
This principle mandates that personal data must be processed in
a manner that is fair (and transparent) to the data subject, with
clear and accessible information. The regulators' insistence
that Meta revert to an 'opt in' consent model and revise
its privacy policies underscores this expectation.
Purpose Limitation
The NDPA also requires that personal data be collected for
specified, legitimate purposes and not processed in ways
incompatible with those purposes. The unauthorised sharing of
WhatsApp data with Facebook companies was determined to be a misuse
of data under this principle as data was being processed in a
manner incompatible with the original purpose for its
collection.
This also highlights the importance of Binding Corporate
Rules (BCRs) for multinationals operating across
jurisdictions. BCRs are internal policies adopted by multinational
companies to ensure that data protection standards are upheld when
transferring personal data within the group, whether domestically
or across borders. Consequently, internal data transfers between
group entities must still comply with applicable national data
protection laws.
Why This Matters for Nigeria
The fine issued to Meta represents more than a monetary penalty.
It signals an era of stricter compliance, enabled by the NDPA and
its recently released General Application and Implementation
Directive (GAID), which takes effect on 19 September 2025. The GAID
provides regulatory guidance for data controllers and processors,
especially those in high impact sectors such as payment services,
multinationals, and the oil and gas industry.
The GAID sets out mandatory obligations, including
sector-specific compliance tiers, prescribed audit practices, and
the circumstances under which consent must be obtained (such as for
direct marketing or sensitive data processing). Crucially, it
defines the parameters for using legitimate interest as a basis
for data processing – placing an obligation on organisations
to conduct and document a legitimate interest assessment.
A Culture of Data Misuse
Beyond the Meta case, the broader context of Nigeria's data
environment cannot be ignored. Data privacy breaches are alarmingly
frequent – and often carried out with little regard for
global best practices or consumer rights.
Many Nigerians receive unsolicited political campaign messages
during election cycles, often via calls or SMS, without ever
granting permission for their details to be used in this way. This
raises serious questions about how political entities access voter
or telecom subscriber data and whether these communications meet
the standards for lawful processing.
Similarly, marketing messages for banks, delivery apps, and
retailers are routinely sent to individuals who have neither interacted
with the organisation nor consented to such contact. The now famous
case in which Domino's Pizza was ordered to pay damages for
violating a customer's privacy through unsolicited SMS
advertisements is a landmark illustration of how the courts are
beginning to treat such misuse as actionable.
Other serious examples include:
- Fintech data breaches, such as the alleged exposure of over
800,000 records by the iCredit loan app, where names, phone
numbers, and banking details were publicly accessible.
- Data sales on the black market, where national identity and
bank verification data has reportedly been available online for as
little as N500. Investigations suggest this may be linked to
insider access or weak data security protocols within government
agencies.
Implications and Outlook
The Meta fine may mark a watershed moment in the enforcement of
privacy laws in Nigeria. It establishes that:
- Regulators will no longer tolerate discriminatory data
practices by multinationals.
- The NDPA will not be a paper tiger – companies are
expected to invest in data governance or face legal and financial
consequences.
- Consumers have legal recourse and are beginning to assert their
privacy rights through the courts.
- Nigerian regulators are aligning with global best practices and
are willing to impose significant penalties where necessary.
Conclusion
The fine issued to Meta is not only justified – it is
overdue. In a country where personal data is often harvested,
shared, and monetised without consent, it is essential that
enforcement actions carry real consequences. Privacy laws must be
seen to have teeth.
The precedent set by this case will encourage other
organisations to take their obligations seriously – and save
their organisation money by avoiding huge fines and penalties.
Furthermore, it empowers data subjects, who are no longer voiceless
in the face of widespread and often brazen violations.