The FCCPC[1] recently imposed a fine of $220,000,000[2] (the “Fine”) on Whatsapp LLC (“Whatsapp”) and Meta Platforms Inc for violating the provisions of the extant Nigeria Data Protection Act and the Federal Competition & Consumer Protection Act (the “FCCP Act”) (the “Decision”). The FCCPC commenced investigations in 2021, culminating in the imposition of the Fine in July 2024. The Decision has wide-ranging implications for tech companies and online platforms, operating in digital markets. Until the Decision is successfully appealed, the legal principles enumerated in the decision as well as the conclusions reached therein are generally legally binding on businesses operating in Nigeria. We think that some aspect of the Decision merits an appellate review. We provide some analysis of a possible review, here. In this client update, we highlight some of the key learnings from the Decision.
Key Learnings from the Decision
1. The FCCPC is signalling its intention to intensify regulatory scrutiny in Nigeria’s digital markets. Tech platforms need to re-assess the structure and scope of their operations in the digital markets with a view aligning with the latest regulatory developments in this area.
2. The Decision derives from three core legal frameworks: namely, data privacy regulations, fair contract regulations and competition regulation. At the very minimum, an effective compliance strategy should rest on these three levers. It is useful to note that, the FCCPC has wide-ranging investigative powers which allows the FCCPC to enforce consumer protection standards across sectors, with the effect that the FCCPC will not necessarily be operating outside the remit of its regulatory powers, where the FCCPC decides to evaluate a company’s compliance with sectoral regulations, which are aimed at protecting consumers. The key learning here is for technology companies to take steps to identify and fully comply with all applicable sectoral regulation.
3. The Decision identified some disparities between the privacy policy used by Meta in Europe compared to the one applicable in Nigeria and considered this to be evidence of some discrimination against Nigerian users. The key learning here is that, within the realm of data privacy compliance, FCCPC expects global technology companies to treat their users in Nigeria, in the same way as they treat consumers in Europe or elsewhere, in so far as the practice in question benefits the Nigerian user. Thus, adopting a global privacy compliance program which offers the same standards of privacy protection regardless of where users are anywhere in the world may be prudent. For many reasons, a one-size-fits-all may not be feasible. In those situations, prudence dictates that companies seek legal advice.
4. The sharing of user data between companies in the same group or with third-party entities, as well as the merging of user data across platforms for advertising and personalization purposes are regulatory flashpoints. The key lesson here is for companies to seek additional/explicit consent from users in those events and to ensure that the process of obtaining consent is fair, reasonable, transparent and generally compliant with the NDPA. Additionally, a data protection impact assessment (“DPIA”) is often advisable as DPIAs can help to clarify the relevant lawful basis for sharing data and to address project-related privacy compliance risks.
5. A data protection compliance audit is increasingly a key component of the legal due diligence to be conducted by investors prior to the completion of a mergers & acquisition transaction.
6. The loss of control or choice over one’s personal data constitutes a form of harm to consumers, even if the service (in this case, WhatsApp) is provided free of charge. Such loss of control or choice, can amount to an abuse of dominance under the FCCP Act.
7. The Decision is a precedent for the view that collecting excessive personal data and potentially, any breach of the NDPA ( or any law for that matter), may lead to a finding of abuse of dominance, so long as the FCCPC is able to establish the dominant status of a company and as well as evidence of abuse which is attributable to a company’s dominant status.
8. The FCCPC may levy of up 2% of a company’s annual turnover or more than depending on the duration of the violation and other aggravating factors.[3] Some of the aggravating factors which can impact the amount of a fine, imposed by the FCCPC, includes, a lack of transparency, misinformation, non-responsiveness, retaliatory actions by the subject of an investigation and timely acceptance of responsibility. It appears that some or all of these aggravating factors may have played a role in the amount of the Fine imposed on Meta.
9. The Decision highlights the need for a nuanced public policy and government affairs strategy. Additionally, where the legal issues raised in an investigation are complex, of first impression and cuts across different areas of law, which are also, in a relative sense, emergent, it may be strategic for companies to consider engaging a panel of lawyers to bring a range of specialized knowledge, diverse views and skills to the table.
This publication is not intended to provide legal advice and is not prepared with a specific client in mind. Kindly seek professional advice specific to your situation. You may also reach out to your usual Balogun Harold contact or contact us via support@balogunharold.com for support.
[1] The FCCPC is Nigeria’s consumer protection and competition regulator
[2] In addition, Meta Platforms Inc & Whatsapp LLC are also required to pay the sum of $35,000 (Thirty-Five Thousand U.S. Dollars) only, as reimbursement for the cost of FCCPC’s investigation.
[3] An abuse of dominant position attracts a specific fine of not less than 10% of the turnover of an offending company in the preceding business year, upon conviction.