Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) announced on Friday that Facebook and Instagram parent company Meta Platforms had been fined $220 million for discriminatory practices affecting Nigerian data and consumers. The final order also mandates that Meta must now comply with Nigerian laws, cease exploiting Nigerian consumers, and refrain from future conduct that undermines consumer rights.
The FCCPC’s order detailed five violations by Meta, including denying Nigerian consumers the right to self-determination, unauthorized transfer and sharing of personal data (including cross-border storage), discriminatory practices and disparate treatment of Nigerian consumers, abuse of dominant market position, and tying and bundling of services.
The penalty follows a comprehensive 38-month joint investigation by the FCCPC and the Nigeria Data Protection Commission into the practices of Meta and WhatsApp LLC from May 2021 and December 2023. The investigation found that Meta’s platforms violated the Federal Competition and Consumer Protection Act 2018 (FCCPA) and the Nigeria Data Protection Regulation 2019 (NDPR), which were in effect before the Nigeria Data Protection Act 2023 was enacted.
Specifically, WhatsApp’s updated privacy policy, effective 15 May 2021, appeared to force compliance on Nigerian users without aligning with standards of fairness, particularly concerning voluntary consent as outlined by the NDPR and FCCPA. The commission investigated whether the policy and business practices were excessive, unscrupulous, or exploitative under section 17(a) of the FCCPA and whether WhatsApp’s dominance constituted an abuse of power. Specific concerns included depriving users of control over personal data, forcing consent, and providing Nigerian users less data protection than European users.
Meta responded to document requests and summons by providing relevant information and consistently engaged with the FCCPC, with their most recent meeting occurring on April 4, 2024. Despite this engagement, the FCCPC found that Meta had neglected to engage a Data Protection Compliance Organisation and failed to submit the required audit reports for two years, despite the significant number of social media users in the country.
With 103 million internet users and 36.75 million social media users, Nigeria has heightened its focus on data protection with the introduction of the Nigeria Data Protection Act 2023. Prior to this act, data protection was mainly governed by administrative regulation (the NDPR). The new act establishes the legal framework for safeguarding personal data in Nigeria and creates the Nigeria Data Protection Commission as its regulatory authority. It requires organizations to process data in a fair and transparent manner, uphold individuals’ rights, and offer remedies for data breaches.