The FCCPC’s[1] decision (the “Decision”) to impose a $220,000,000[2] fine (the “Fine”) on WhatsApp LLC (“WhatsApp”) and Meta Platforms Inc. (“Meta”)[3] warrants an appellate review due to its unprecedented nature. This Decision affirms the powers of a competition regulator to investigate and penalize breaches of local data privacy regulations (the “NDPA/NDPR”), marking a significant development in Nigeria’s data privacy jurisprudence. Additionally, the Decision has the potential to open a floodgate of numerous similar claims against Meta, given the individual right to civil remedies outlined in section 152 of the FCCP Act and section 51 of the NDPA. Furthermore, the Decision raises concerns about the FCCPC’s view on the relevance of data transfers within the context of technology mergers and acquisitions. This legal update briefly outlines some of the legal issues arising from the Decision. In this separate Client Briefing, we have also summarized a few of the most important learning points from the Decision.
Background & Decision
The facts which appear to be largely uncontested are as follows: (a) In 2021, WhatsApp updated its privacy policy to enable the transfer of user data to Meta following Meta’s acquisition of Whatsapp (the “Updated Privacy Policy”); (b) WhatsApp notified[4] its Nigerian users about the Updated Privacy Policy, requiring their consent, with non-consenting users facing reduced access to WhatsApp features. The FCCPC ruled that, notwistanding the consent provided by Nigerian users to the Updated Privacy Policy, Meta[5] violated the NDPA and local competition and consumer protection laws (the “FCCP Act”) by not offering Nigerian users a choice to opt out of data sharing, without losing access to WhatsApp’s features. The FCCPC also decided that Meta’s actions were discriminatory because unlike Europeans, Nigerians were not given the choice to opt out of data sharing and that Whatsapp collected more personal data than its necessary to provide its services and that all these findings combined together, amounts to an abuse of Meta’s dominant position in Nigeria. The FCCPC described Meta’s conduct as “discriminatory, unfair, unscrupulous, exploitative, obnoxious, and manifestly unjust.”[6]
Some Legal Issues
1. Scope of FCCPC’s Powers in Data Privacy Regulation
The NDPC is the primary regulator for data privacy in Nigeria. Therefore, FCCPC’s decision on a data privacy breach raises questions about its authority over such matters. Further clarification from the NDPC and the FCCPC will be useful, on a number of other issues, especially from an administrative law standpoint. To wit, to what extent can the FCCPC solely determine breaches of data privacy legislation?[7] Is this the kind of administrative decision that should have been jointly issued by the NDPC and the FCCPC? Should the NDPC have issued a separate ruling on the data privacy issues, which could then be attached as an exhibit to the Decision? To what extent is a specific consumer complaint a precondition to the exercise of the FCCPC’s powers in relation to the enforcement of consumer rights?[8] To what extent can the NDPC fetter its discretion in adjudicating data privacy breaches[9]? Can Nigerian consumers still seek civil remedies under section 152 of the FCCP Act and section 51 of the NDPA?[10]. What level or amount of in-app notifications from a technology company to its users will be considered an intrusion? What is the length of time or ultimatum that the FCCPC will consider reasonable for users to comply with policy updates? Is it within a technology company’s legitimate interest to transfer the personal data of its users to a strategic acquirer (as opposed to a financial investor), following the closing of a mergers and acquisition transaction?
One possible approach to delineating the scope of FCCPC’s powers in relation to data privacy compliance issues is that the FCCPC may only address data privacy breaches if such breaches also violate specific provisions of the FCCP Act. This proposition raises further questions about whether the NDPC can still impose sanctions on Meta from a data protection law perspective and where consumers should report data privacy breaches. Should the NDPC or the FCCPC handle such breaches? It may be beneficial to restrict the FCCPC’s jurisdiction to anti-competitive conduct related to alleged data privacy breaches and allow the NDPC to address consumer protection issues related to the NDPA.
Although section 105(3) and (4) of the FCCP Act allows for cooperation between the FCCPC and other government agencies, the Decision does not clearly demonstrate such collaboration. For instance, the requirement for Meta to obtain an adequacy decision from the Attorney General, as mentioned in the Decision, seems incorrect since the NDPR uses a whitelist by the NITDA, not an adequacy decision from the AGF.
2.Discrimination Against Nigerians
The FCCPC decided that Meta’s data protection activities are discriminatory because unlike Europeans, Nigerians were not given the choice to opt out of data sharing. That Meta ought to have provided its Nigerian users with the same level of control over personal data because the NDPA is similar to the GDPR. The Decision makes several references to the issue of discrimination, suggesting that, the allegation of discrimination is one the key ratios of the Decision. We think the relevant question is whether or not Meta’s data protection practices are compliant with Nigerian law and not, whether or not the privacy policy applicable in Nigeria is similar to the one applicable in Europe. As a general rule of administrative law, a public authority must both disregard irrelevant considerations and take into account relevant considerations when exercising its powers[11]. As a practical matter, FCCPC’s stance establishes the viewpoint that, when processing the personal data of Nigerians, technology companies must comply not only with the NDPA but also with the GDPR as well as the decisions of EU courts on the GDPR.[12] This stance is problematic as it reduces legal certainty and creates more ambiguity around the scope of data privacy compliance. Also, data privacy is primarily a statutory matter, meaning that, in the absence of specific legislation, Meta was only obligated to adhere to the provisions of the NDPA regarding its data processing activities in Nigeria. Thirdly, discriminatory practices are often considered as a treatment of customers in a similar situation, differently. On this premise, it is doubtful whether Nigerians in Nigeria and Europeans in Europe, who are subject to different legal norms and regimes can be considered to be in a similar or comparable situation. Whilst there is some level of regulatory contiguity as between the nations that make up the EU, the same cannot be said of Nigeria and the EU. Additionally, technology platforms generally make privacy policies (and related terms of service) accessible only in the jurisdictions to which they apply and tailor privacy policies to comply with jurisdictional legal requirements. Therefore, the FCCPC’s conclusion that Meta deliberately restricted access to the privacy policy covering Europe to further its intent of discriminating against Nigerians, is doubtful. The finding on discrimination is also unprecedented and appears to be of the kind that should have been clearly communicated to the operators in the digital market in advance.
3. Consent as a Lawful Basis
The Decision primarily relies on the assumption that WhatsApp used consent as the lawful basis for processing user data and that the circumstances in which Nigerian users provided that consent was unlawful. One key point to be made here is that, requesting consent to a policy update from a user is not always conclusive on the lawful basis which a data controller is relying on for the processing of personal data, because technology companies may often require user consent to an update, either as a matter of contract or best practice. For instance, it is plausible that a data controller relies on legitimate interest as the lawful basis for processing personal data but may still seek consent from its users to policy updates. Based on the information available in the Decision, it appears that Meta indicated that its lawful basis was the “necessity to meet other obligations including legal, public interest, and contractual obligations”. However, this lawful basis, was not thoroughly examined in the Decision. It is plausible that the FCCPC was unable to reach a decision on this lawful basis, given the allegation that Meta refused to provide the requested information. However, the question that arises from this proposition is whether or not, under the circumstances, the FCCPC should still have proceeded to render its decision on the basis of the validity of consent or based on the validity of other lawful basis pleaded by Meta. As a general rule of administrative law, errors of law which affect an administrative decision will always be amenable to judicial review[13]. Also, errors of fact which may be jurisdictional or not, and which affect an administrative decision can be amenable to judicial review.[14]
4. Post-Completion Transfer of Personal Data
“On the contrary, what is apparent from the conduct is that the business combination and the opportunity to access personal data that was not the case before the combination was the motivation. It demonstrates the intentionality of Meta Parties, including perhaps an objective in the acquisition which includes gaining control over user data by a device otherwise appearing as a merger or acquisition while depriving users of the autonomy and control that prevailing regulations and law intended, and did grant to users. That such a device was also discriminatory is an aggravating factor in the violation”
The above excerpt from the Decision suggests that the FCCPC considers Meta’s motivation in acquiring WhatsApp to be the need to access user data in Whatsapp’s custody, which it deems concerning and to be an aggravating factor. This perspective merits review as accessing the user data in the custody of a seller, is often a primary consideration in technology mergers and acquisitions and appears to be a key motivation in the acquisition of Whatsapp by Meta[15]. It is perhaps useful to note that user consent would not generally be legally required, where a data controller/seller relies on other lawful basis, like legitimate interest[16], for sharing personal data with a buyer within the context of a mergers and acquisition transaction. In this case, the subject data transfers were primarily between Whatsapp and Meta, which carries on a similar business model.[17]
5. Abuse of Dominance
A full analysis of the finding of the FCCPC on abuse of dominance is outside the scope of this review. However, a few points are notable. Firstly, a successful review of the data protection findings in the Decision, may prove fatal for the finding on abuse of dominance, since the validity of the consent provided by Nigerian users forms the substance of the FCCPC’s conclusions on abuse of dominance. Secondly, the concept of abuse is specifically enumerated under section 72(2) (a-v) of the FCCP Act. It is doubtful whether the abusive conduct attributable to Meta is contemplated under section 72(a)(a-v). Thirdly, whilst Meta may avail itself of a number of the statutory defences applicable to abuse of dominance decisions,[18] it is not clear from the Decision, whether these defences were submitted by Meta.
6. FCCPC’s Enforcement Strategy for Emerging Areas of Competition Regulation
Moving forward, one issue which requires some debate is whether the FCCPC should have imposed the Fine, on first impression, given the novelty of the legal issues and without a prior market guidance clarifying its regulatory stance and approach, as well as the circumstances under which data protection activities can give rise to a finding of abuse of dominance in digital markets[19]. It is not clear from the Decision, whether, this was a mitigating factor. However, such formal guidance on emerging areas of competition law, has the benefit of increasing legal certainty and the predictability of regulatory action. Is this case for which the FCCPC should have issued a commitment decision? The Bundeskartellamt’s[20] approach in a similar case[21] is instructive. Commenting on why it did not impose fines on Meta in that case, the regulator noted as follows:
“The Bundeskartellamt often conducts its abuse of dominance proceedings as so-called administrative proceedings, not as fine proceedings. This is because the issue here is to achieve changes in the future behaviour of companies to the benefit of competitors and users and to oblige companies to adhere to this. Imposing fines to punish infringements is possible as an additional measure, but mostly the focus of the proceedings is not on fines. In particular if the case in question is complex and involves a number of legal and economic issues, administrative proceedings are a suitable approach. The Bundeskartellamt may, however, decide to initiate a fine proceeding in the case of recurrent abusive behaviour or in cases with a high potential for significant harm.”
Additionally, given the provisions of Schedule 1 of the FCCPC’s Administrative Penalties Regulations,[22] and the wide discretion which the FCCPC possesses in regard to the amount of administrative fines to be issued for infractions, a breakdown of the components of the Fine would have increased legal certainty around the exercise of FCCPC’s discretion in relation to the imposition of administrative penalties[23]. For instance, which component of the Fine is attributable to abuse of dominance, to data privacy breaches or to a violation of the consumer rights provisions in the FCCPA or to aggravating factors?
Final Remarks
The FCCPC has demonstrated commendable consistency in exercising its regulatory powers. However, an appellate review of the administrative law issues raised by the Decision, as well as the FCCPC’s assessment of the data privacy breach allegations, would not only enhance data privacy and competition law jurisprudence in Nigeria but also offer companies subject to the FCCPC’s oversight, greater legal certainty around the scope of the FCCPC’s regulatory powers and the nature of competition law issues within digital markets. Given the nascent stage of data privacy and competition law in Nigeria, and the Decision’s implications for data privacy, corporate law, and technology law, an appellate review with the benefit of submissions from amici curiae can prove very useful.
[1] The FCCPC is Nigeria’s competition and consumer protection regulator.
[2] In addition, Meta Platforms Inc & Whatsapp LLC are also required to pay the sum of $35,000 (Thirty-Five Thousand U.S. Dollars) only, as reimbursement for the cost of FCCPC’s investigation.
[3] Although the investigation primarily relates to the provision of Whatsapp services, the FCCPC’s position is that, Meta (previously known as Facebook) ought to be included in the investigation and made jointly and severally liable because (a) Meta is WhatsApp’s parent company, and, exercises control over the business practices of WhatsApp and because (b) Meta stands to benefit from particular updates in Whatsapp’s Privacy Policy, through various technical integrations. This legal update will not examine the corporate laws issues thrown up by FCCPC’s position here.
[4] The FCCPC took the view that these notifications were persistent and intrusive and the repeated notifications combined with the ultimatum set by Whatsapp, amounted to a form of coercion.
[5] Meta Platforms Inc & Whatsapp LLC are jointly referred to as “Meta” in this legal update.
[6] In the Decision, the FCCPC claims that Meta failed to provide requested information and deliberately misrepresented facts. These are significant allegations. This legal update does not examine these allegations or other factual details
[7] Based on section 105(2) of the FCCP Act, the FCCPC has concurrent jurisdiction with the NDPC in relation to consumer protection matters under the NDPA. The FCCPC is expressed to have “precedence” over such other government agencies.
[8] While the FCCPC has general investigative powers, section 149 of the FCCPA implies that enforcement of consumer rights should follow a consumer complaint, but the Decision does not specify any complaints received.
[9] See Lavender & Sons v Minister of Housing and Local Government [1970] 1 WLR 1231. As a general rule, if the legislature provides a public body with a discretionary power, the courts will not permit that body to restrict or fetter its discretion.
[10] Ordinarily, these sections entitle consumers/users to seek compensation from a data controller or service provider, for privacy/consumer rights breaches
[11] Roberts v Hopwood [1925] AC 578
[12] If this finding survives the appellate process, we expect that this would a rule of conduct applicable to only global technology companies.
[13] Anisminic v Foreign Compensation Commission [1969] 2 AC 147
[14] R v Secretary of State of the Home Department, ex p Khawaja [1984] AC 74
[15] The transaction consists of the acquisition of WhatsApp by Facebook for a purchase price of USD 19 billion on a value-per-user basis. Pursuant to an Agreement and Plan of Merger and Reorganization signed on 19 February 2014, WhatsApp will successively merge with and into wholly-owned subsidiaries of Facebook. As a result of the Transaction, Facebook will solely control the entity into which WhatsApp will have merged. The purchase price comprises: (i) USD 12 billion in Facebook stock shares; (ii) USD 4 billion in cash; (iii) USD 3 billion in Facebook restricted stock units after closing of the Transaction.
[16] There could be other legal conditions applicable to the relevant lawful basis. For instance, in relation to legitimate interest, the conduct of a legitimate interest analysis. It is not clear from the Decision that Meta sought to rely on legitimate interest. Although the NDPR omitted “legitimate interest” as a lawful basis for processing data, parties may still rely on legitimate interest as a basis for processing data based on the Implementation Framework of the NDPR which permits companies subject to the NDPR to apply GDPR principles where the NDPR does not make a provision for such principle.
[17] Meta and Whatsapp are both active in the market for consumer communications apps for smartphones. The FCCPC characterized the relevant market as the “Contact-Based Instant Messaging Service”. Whilst Whatsapp is operated as a stand-alone consumer communication service, Facebook also offers consumer communications services as a feature of a broader social networking platform offering.
[18] The defenses of objective justification and technological efficiency, the promotion of technological and economic progress, amongst others, are generally tenable under the FCCP Act
[19] The UK has set up a new competition regime for digital markets and recently passed into law, the Digital Markets, Competition and Consumers Act, 2024, to address the novel competition law issues thrown up on account of the structure of the digital marketsand the nature of the services rendered through digital platforms.
[20] The Bundeskartellamt is the German national competition law regulator
[21] In its decision, the Bundeskartellamt prohibited Facebook from stipulating in its terms of service that the use of the social network Facebook.com is subject to the company being able to collect and use data generated by the use of Facebook-owned services such as WhatsApp and Instagram.
[22] This schedule specifies the base sum which the FCCPC may impose as fines for each infraction of the FCCP Act.
[23] An abuse of dominant position attracts a specific fine of not less than 10% of the turnover of an offending company in the preceding business year. It appears that, a conviction by a court, is a necessary condition for the imposition of a fine of up to %10 of a company’s turnover. Directors can also be held criminally liable to an imprisonment terms of up to 3 years or a monetary fine of up to N50,000,000. See Section 72 of the FCCP Act.
This publication is not intended to provide legal advice and is not prepared with a specific client in mind. Kindly seek professional advice specific to your situation. You may also reach out to your usual Balogun Harold contact or contact us via support@balogunharold.com for support.
