Assessing the Competition & Consumer Protection Tribunal’s Judgment in Meta Platforms Inc/Whatsapp LLC v FCCPC.

Did the Judgment Address the Evidentiary and Interpretational Challenges in Nigeria’s Data Protection Enforcement?

The increasing integration of digital platforms into everyday life has raised substantial concerns about the intersection of data protection and competition law. Globally, regulators are grappling with the challenges of ensuring data privacy while also maintaining fair competition in digital markets. This dual objective is particularly pressing in jurisdictions where institutional and legislative frameworks are still evolving. Nigeria is one such jurisdiction, where the Federal Competition and Consumer Protection Commission (FCCPC) and the newly established Nigeria Data Protection Commission (NDPC) are asserting their authority to regulate tech giants such as Meta Platforms Inc. and WhatsApp LLC.

This article critically assesses the April 25, 2025 decision of the Competition and Consumer Protection Tribunal (the Tribunal) in the case of Meta v FCCPC, wherein the Tribunal upheld a $220 million fine imposed by the FCCPC for breaches of the Nigeria Data Protection Regulation (NDPR) 2019. The decision marks a turning point in Nigeria’s approach to data protection enforcement and reflects a broader trend toward regulatory assertiveness in digital markets. However, the judgment also raises important questions about the evidentiary and interpretational standards applied by the FCCPC and endorsed by the Tribunal.

Background to the Dispute.

The case against Meta arose from a 38-month joint investigation conducted by the FCCPC and the NITDA, which began in 2020. This investigation scrutinised the data collection and privacy practices of WhatsApp LLC and its parent company, Meta Platforms Inc. The FCCPC found that Meta’s business model relied on the excessive and unjustified collection of user data, including metadata beyond what was necessary for the delivery of WhatsApp services in Nigeria.

Following its findings, the FCCPC issued a Final Order on 19 July 2024, imposing a $220 million fine on Meta and WhatsApp for violating the Nigeria Data Protection Regulation (NDPR) 2019 and the Federal Competition and Consumer Protection Act (FCCPA) 2018. The Commission cited sections 17(a) and 104 of the FCCPA to justify its authority, stating that the data practices constituted ‘unscrupulous’ and ‘exploitative’ conduct in violation of consumer protection standards.

Meta and WhatsApp appealed the FCCPC’s Final Order to the Competition and Consumer Protection Tribunal, disputing both the jurisdictional authority of the FCCPC and the evidentiary basis of the Commission’s findings. The Tribunal, in a landmark judgment on 25 April 2025, upheld majority of the FCCPC’s determinations, including affirming the $220 million administrative penalty.

Interpretational Challenges: Data Minimisation and Consent Under the NDPR.

One of the central interpretational issues in Meta v. FCCPC, concerned the principle of data minimisation under the NDPR 2019. Article 2.1(1)(b) of the NDPR stipulates that personal data must be ‘adequate, accurate and without prejudice to the dignity of human person.’ The FCCPC interpreted this provision to mean that any personal data collected must be limited to what is strictly necessary to achieve the stated purpose. This concept aligns with the principle of data minimisation found in global data protection frameworks, such as Article 5(1)(c) of the GDPR.

The FCCPC’s analysis drew comparisons between WhatsApp and other messaging platforms like Signal and Telegram, noting that WhatsApp collected 44 distinct metadata points, whereas the latter collected only 4. However, the Commission failed to clearly articulate how each metadata point constituted personal data within the meaning of Article 1.3(xix) of the NDPR. This definitional gap raises significant evidentiary concerns.

Although the Commission relied on input from the National Information Technology Development Agency (NITDA), which confirmed that some data collected were not necessary for WhatsApp’s core functions, the FCCPC did not thoroughly analyse or categorise these data points. This lack of a granular assessment left open to question whether all the alleged excessive data points indeed fell foul of the NDPR.

Additionally, the FCCPC’s reliance on ‘consent’ as a remedial legal foundation, even for data that is not essential for service provision, seems to conflict with the broad applicability of the data minimisation principle. This is because consent cannot justify the collection of unnecessary data when the necessity principle is embedded in all legal grounds under the NDPR.

This interpretational ambiguity is expected to be clarified under the new Nigeria Data Protection Act (NDPA) 2023 and its General Application and Implementation Directive (GAID) 2025, which provides clear definitions for ‘adequate’, ‘relevant’, and ‘minimum necessary’ data. These clarifications aim to provide more robust evidentiary standards for future enforcement actions.

Jurisdictional Contest: FCCPC’s Mandate vs. NITDA’s Authority (Which has now Evolved Into NDPC’s Purview)

A core issue in Meta’s appeal was the jurisdictional competence of the FCCPC to adjudicate matters pertaining to data protection. Meta contended that the Nigeria Data Protection Regulation (NDPR) 2019 was issued by the National Information Technology Development Agency (NITDA), thereby vesting data protection oversight solely in NITDA’s purview.

The FCCPC, however, invoked Section 104 of the FCCPA 2018, which provides that “the Act shall override other laws on matters relating to competition and consumer protection”. Additionally, Section 17(a) empowers the FCCPC to enforce other enactments on consumer protection, an authority it relied on to treat NDPR violations as consumer harm.

The Tribunal, in addressing Issue 4 of the appeal, affirmed that the FCCPC acted within its statutory authority. It held that Section 104 of the FCCPA allows the Commission to regulate data practices that amount to exploitative or unfair conduct, even in sectors subject to regulation by other specialised agencies. By reinforcing this view, the Tribunal clarified the concurrent jurisdictional relationship between the FCCPC and other sector-specific regulators.

Although the Nigeria Data Protection Commission (NDPC) was formally established under the Nigeria Data Protection Act 2023 as the principal regulator of data protection, its operationalisation came after the events leading to the FCCPC’s investigation and order. The Tribunal therefore upheld the FCCPC’s jurisdiction without prejudice to the emerging role of the NDPC. This affirmation sets an important precedent, recognising that overlapping regulatory functions can coexist in a cooperative federal framework.

Nonetheless, the decision leaves unresolved how future inter-agency conflicts will be navigated, especially when both the FCCPC and the NDPC lay claim to enforcement authority over digital privacy matters. The GAID 2025 will likely necessitate a Memorandum of Understanding or similar legal instrument to clarify agency boundaries.

Evidentiary Weaknesses and the Standard of Proof.

One of the most significant criticisms of the FCCPC’s approach in Meta v FCCPC is the inadequacy of its evidentiary analysis, particularly in substantiating claims of excessive data collection under the NDPR. Although the Commission cited comparative statistics—such as WhatsApp’s collection of 44 metadata points versus Signal and Telegram’s collection of 4—it failed to convincingly establish that each of those metadata points constituted “personal data” as defined under Article 1.3(xix) of the NDPR 2019.

The NDPR defines personal data as any information relating to an identified or identifiable natural person. Thus, to assert a violation of data minimisation principles, the FCCPC bore the burden of demonstrating not only that data was collected, but that it was (i) personal in nature and (ii) unnecessary to the purpose of service delivery. In this regard, the Commission’s reliance on generalised comparisons, without technical analysis of the data points involved, fell short of the evidentiary standard required under Nigerian law. As the Nigerian courts have consistently held, he who asserts must prove.

Furthermore, the Commission’s determination that device fingerprinting involved excessive data collection is open to scrutiny. Device fingerprinting gathers technical details like browser settings or screen resolution, but the investigation report did not identify this as part of the actual metadata collected, nor did it adequately clarify its relevance to WhatsApp’s operational requirements in Nigeria.

The Commission also placed partial reliance on information from NITDA suggesting that some data collected was necessary while other data was optional or unnecessary. However, neither agency offered detailed classification nor provided a robust technical basis for this conclusion. This deficiency undermines the objective assessment of whether WhatsApp’s practices truly violated the requirement of adequacy under Article 2.1(1)(b) of the NDPR.

In this context, the evidentiary weaknesses in the FCCPC’s case exposed a critical gap in Nigeria’s enforcement framework. Future regulatory actions must be supported by detailed forensic analysis and independent technical assessments that can withstand appellate scrutiny. This is especially vital when dealing with sophisticated global tech entities capable of challenging enforcement actions on procedural and substantive grounds.

The Tribunal’s Reasoning: Deference or Diligence?

The Tribunal’s April 2025 judgment in Meta v FCCPC offers a rare window into judicial attitudes toward data protection enforcement in Nigeria. While the decision affirmed the FCCPC’s administrative fine and investigative processes, it left legal scholars/pundits questioning whether the Tribunal conducted a truly rigorous analysis or merely deferred to regulatory authority.

The Tribunal resolved all but one of the seven appeal issues in favour of the FCCPC. In Issue 3, for instance, Meta alleged a breach of fair hearing, claiming the Commission had not allowed sufficient opportunity to respond to the allegations. The Tribunal dismissed this, holding that the FCCPC had afforded Meta ample time to engage during the investigation and adjudication process. This finding underscores the recognition of the FCCPC’s quasi-judicial capacity and its compliance with the principles of natural justice.

In Issue 4, concerning jurisdiction, the Tribunal reaffirmed the FCCPC’s powers under section 104 of the FCCPA to override conflicting provisions of other laws on matters of consumer protection, even where other regulators are involved. This is a significant doctrinal endorsement that strengthens the FCCPC’s hand, especially in the absence of settled inter-agency coordination mechanisms.

Issue 5 was perhaps the most consequential in the context of data protection. It directly challenged the FCCPC’s conclusions regarding Meta’s privacy policies. The Tribunal held that there was no error in the Commission’s findings and that Meta’s policies indeed violated Nigerian law. However, the Tribunal offered limited elaboration on how it assessed the legality of the privacy policies. There was no detailed discussion of data minimisation or the contextual relevance of collected data. This suggests a deferential stance toward the FCCPC’s technical order, rather than an independent and probing review of the underlying data practices.

The Tribunal’s only substantive deviation came in Issue 7, where it set aside Order 7 of the Commission’s Final Order for lacking sufficient legal basis. Unfortunately, the decision did not explain the content of Order 7 in detail, nor did it clarify the threshold it applied to evaluate legal sufficiency. This omission leaves stakeholders guessing about the standards of review employed in data-related decisions.

Overall, while the Tribunal affirmed the regulatory direction Nigeria is taking, its decision arguably prioritised administrative compliance over substantive inquiry. Whether this approach can sustain long-term credibility for data protection enforcement remains to be seen. Judicial engagement with technical standards, contextual purpose, and proportionality is necessary if the Tribunal is to develop a jurisprudence fit for the data-driven economy.

Conclusion.

The Tribunal’s decision in Meta v FCCPC is a landmark precedence in Nigeria’s evolving data protection and digital competition jurisprudence. By upholding the FCCPC’s $220 million fine, cost of investigation at $35,000 and validating its jurisdiction under the FCCPA, the Tribunal signaled a strong institutional commitment to consumer data rights and fair digital market practices. However, a closer examination reveals that while the judgment endorsed key regulatory positions, it did not adequately resolve some of the evidentiary and interpretational challenges inherent in Nigeria’s enforcement regime under the NDPR 2019.

The case exposed the limitations of the FCCPC’s evidentiary framework, particularly its failure to provide a granular and technically sound justification for its findings on excessive data collection. The Tribunal, in turn, appeared to prioritise administrative deference over rigorous judicial scrutiny, particularly in its treatment of complex data processing questions. This approach, while expedient, raises concerns about whether Nigeria’s enforcement mechanisms are sufficiently robust to handle the nuances of digital regulation.

Yet, the judgment also serves as a catalyst for reform. The subsequent enactment of the Nigeria Data Protection Act 2023 and the issuance of the GAID 2025 provide the legislative and procedural tools necessary to address past shortcomings. These instruments clarify core principles like data minimisation and consent and elevate the standard of regulatory clarity and precision expected in future enforcement actions.

Looking ahead, effective regulation of digital platforms in Nigeria will depend on several critical factors. First, there must be improved inter-agency collaboration between the FCCPC and NDPC to avoid jurisdictional conflicts and duplicative enforcement. Second, regulators must adopt more technically grounded and evidence-based methodologies in investigations and adjudications. Finally, the judiciary must develop greater capacity to engage with the substantive complexities of data protection and platform regulation, moving beyond procedural adequacy to substantive correctness.

In summary, Meta v FCCPC may be viewed as a foundational case—imperfect yet pioneering. It underscores Nigeria’s readiness to hold powerful digital actors accountable while also revealing the institutional and legal reforms required to make such accountability both fair and sustainable.

Written by Adeola Osifeko LLB, LLM, ACIS, ABR. Partner, Corporate Commercial Group, at AEO Law Practice

References

1. Violations: Tribunal Upholds FCCPC’s $220 million Fine Against Meta Platforms Inc/ Whatsapp LLC <https://fccpc.gov.ng/violations-tribunal-upholds-fccpcs-220-million-fine-against-meta-whatsapp/>
2. The Federal Competition and Consumer Protection Act 2018 (FCCP Act 2018).
3. The Nigeria Data Protection Regulation 2019 (NDPR 2019)
4. The Nigeria Data Protection Act General Application and Implementation Directive 2025 (NDPA GAID 2025)
5. EU 2016/679: General Data Protection Regulation in the current version of the OJ L 119, 04.05.2016