Tag: data-privacy

Case Review: Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited.

aeolawpractice

Introduction

On April 10, 2025, Honourable Justice Abubakar Hussaini Musa of the Federal Capital Territory High Court, Abuja, delivered a landmark judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited (Suit No. FCT/HC/GAR/CV/187/2024). This case, initiated by the Claimant via an Originating Summons dated February 20, 2024, sought to enforce compliance with Nigeria’s data protection framework, specifically Sections 24 and 27 of the Nigeria Data Protection Act (NDPA) 2023 and Article 2.5 of the Nigeria Data Protection Regulation (NDPR) 2019. The Claimant, a public interest organization, challenged the defendant’s, alleged failure to deploy privacy notices for its CCTV surveillance and website tracking, conduct a Data Protection Impact Assessment (DPIA), and adequately inform data subjects, including the Claimant’s Country Director, Ozoemena Nwogbo, about the collection and processing of their personal data. Seeking declaratory reliefs, mandatory orders, and substantial damages, the suit tests the boundaries of data privacy obligations in Nigeria’s evolving digital landscape, raising critical questions about enforcement, compliance, and the role of public interest litigation in safeguarding personal data.

In response, the Defendant challenged the suit primarily on the grounds of the Claimant’s locus standi and disclosure of a reasonable cause of action. The Court, in its determination, framed three key issues:

  1. Whether the Claimant had the requisite locus standi
  2. Whether the facts of the case constitute a reasonable cause of action against the defendant
  3. Whether the Defendant breached the Claimant’s privacy under the NDPA 2023.

Key Legal Issues Addressed:

1. Locus Standi to Institute Action under the NDPA 2023.

The court addressed the issue of locus standi by determining whether the Claimant, a corporate entity, had the legal capacity to institute and prosecute the suit as a public interest group in the light of the Defendant’s argument that the Claimant lacked a direct legal relationship with the Defendant and had not demonstrated how its own civil rights were adversely affected.

The court, relying on Centre for Oil Pollution Watch v. NNPC (2019) 5 NWLR (Pt. 1666) 518, held that the Claimant had locus standi because the suit was a public interest litigation. The court reasoned that public interest litigation allows non-governmental organizations (NGOs) to sue on behalf of groups or individuals who may lack the resources or awareness to seek redress themselves. The Claimant’s objectives, as outlined in its Constitution (Exhibit B), include educating the public on data protection and advocating for data security, which aligned with the suit’s purpose of safeguarding public data privacy rights.

However, the court noted that the Claimant, as a juristic person, could not directly suffer a data breach. The suit was based on the experience of the Claimant’s Country Director, who visited the Defendant’s facility. The court clarified that public interest litigation does not require the Claimant to have a personal stake but rather a broader interest in protecting public rights, as supported by the Supreme Court’s reasoning in Centre for Oil Pollution Watch.

Legal Implications:

The NDPA 2023 does not explicitly define locus standi for public interest litigation, but the court’s reliance on Centre for Oil Pollution Watch establishes that NGOs with objectives related to data protection can sue to enforce compliance with the NDPA, even without direct personal injury.

  • The decision expands access to justice under the NDPA by recognizing the role of advocacy groups in holding data controllers accountable, particularly for vulnerable data subjects.
  • However, the court’s caution that the Claimant’s objectives do not explicitly include litigating breaches suggests that NGOs must clearly align their constitutional mandates with the reliefs sought to avoid challenges to their standing.

While the court’s recognition of public interest litigation is progressive, it did not fully address whether the NDPA imposes specific requirements for locus standi beyond general principles. Section 46 of the NDPA allows a “data subject” to lodge complaints with the Nigeria Data Protection Commission (NDPC), but it is silent on whether non-data subjects, like NGOs, can directly initiate court actions. Future cases may need to clarify whether NGOs must first exhaust administrative remedies with the NDPC before approaching the courts.

2. Gaps in Nigeria’s Data Governance Landscape.

The judgment highlights several gaps in Nigeria’s data governance framework, as revealed through the Claimant’s allegations and the court’s findings:

a. Lack of Clear Enforcement Mechanisms:

  • The NDPA establishes the NDPC as the primary regulatory body (Section 6) with powers to investigate complaints and issue compliance orders (Sections 46–48). However, the judgment reveals a gap in enforcement, as the Claimant bypassed the NDPC and directly approached the court. The court noted that the NDPA provides for administrative remedies (e.g., lodging complaints with the NDPC under Section 46) and judicial review only after exhausting these remedies (Section 50). This suggests a lack of clarity or awareness among litigants about the NDPA’s procedural requirements.
  • The absence of evidence that the Claimant engaged the NDPC before filing the suit underscores a gap in public awareness and institutional capacity to handle data protection complaints efficiently.

b. Ambiguity in Privacy Notice Requirements:

The Claimant alleged that the Defendant failed to deploy privacy notices on its website and at its physical facility, as required by Section 27 of the NDPA. The court, however, found that the Defendant’s website (Exhibit D) contained a notice regarding third-party data sharing, which the Claimant overlooked. This points to a gap in standardizing what constitutes a “clear, concise, transparent, intelligible, and easily accessible” privacy notice under Section 27(3). Without specific NDPC regulations or guidelines on privacy notice formats, organizations like the Defendant may adopt inconsistent practices, leading to disputes.

c. Data Protection Impact Assessments (DPIAs):

The Claimant’s second issue alleged that the Defendant failed to conduct a Data Protection Impact Assessment (DPIA) as required under Section 28 of the Nigeria Data Protection Act (NDPA) 2023. The court did not extensively address this issue, due to the Claimant’s failure to substantiate claims of high-risk data processing activities that would necessitate a DPIA. The Nigeria Data Protection Commission’s (NDPC) issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, provides critical clarity on DPIA obligations, addressing gaps highlighted in the judgment.

Article 28 of the NDP Act-GAID 2025 mandates that data controllers and processors conduct a DPIA when processing is likely to result in high risks to data subjects’ rights and freedoms, particularly for activities involving sensitive personal data, automated processing, or large-scale data collection. Schedule 4 of the GAID outlines a comprehensive DPIA template, requiring assessments of processing purposes, data categories, lawful bases, risks (e.g., data breaches, unauthorized access), and mitigation measures. It further specifies that DPIAs must evaluate necessity, proportionality, and data subject rights, with a final assessment determining whether processing should proceed, be modified, or be halted. The frequency of DPIA reviews (e.g., monthly, quarterly, or annually) must also be justified based on risk levels.

The absence of NDPC regulations at the time of the judgment contributed to uncertainty, as Section 28(3) of the NDPA empowers the NDPC to issue such guidelines, but none were cited. The GAID 2025 rectifies this by providing clear criteria and a structured process, reducing ambiguity for data controllers like the Defendant. For instance, the Defendant’s use of CCTV surveillance and patient data collection could trigger a DPIA if deemed high-risk under Schedule 4, particularly if involving vulnerable data subjects (e.g., minors or patients with health conditions, per Schedule 6’s Data Subject Vulnerability Indexes). The Claimant’s failure to demonstrate such risks likely weakened their case, but the GAID’s framework now enables more precise evaluations.

Despite this progress, the GAID reveals a lingering implementation gap: the need for widespread awareness and capacity building to ensure organizations understand and apply DPIA requirements. Article 7(o) of the GAID mandates DPIAs when required by the NDPA or directed by the NDPC, emphasizing proactive compliance. Future litigation will benefit from these guidelines, but the NDPC must prioritize training and enforcement to ensure data controllers consistently meet these obligations, fostering a robust data protection regime in Nigeria

d. Limited Judicial Precedent:

The NDPA is a relatively new statute, and this case is among the early judicial interpretations of its provisions. The court’s reliance on environmental law precedents (e.g., Centre for Oil Pollution Watch) rather than data protection-specific authorities indicates a gap in local jurisprudence. This reliance may limit the development of nuanced data protection law tailored to Nigeria’s digital context.

e. Public Awareness and Compliance:

The Claimant’s allegations about CCTV surveillance and patient forms suggest a broader gap in public and organizational awareness of NDPA obligations. The Defendant’s defense that CCTV was installed for security purposes (aligned with Section 3(2) exemptions) was accepted without scrutiny of whether the Defendant complied with transparency requirements (e.g., signage indicating CCTV use). This reflects a gap in ensuring that exemptions are balanced with data subject rights.

Recommendations to Address Gaps:

  • The Nigeria Data Protection Commission (NDPC) has addressed the need for clarity in data protection compliance through the issuance of the General Application and Implementation Directive (GAID) 2025 on March 20, 2025, which provides detailed guidance on privacy notices, Data Protection Impact Assessments (DPIAs), and exemptions under the Nigeria Data Protection Act (NDPA) 2023. Set to take effect on 19 September 2025, the GAID’s comprehensive frameworks, including Articles 7(l–m) and 27 for privacy notices, Article 28 and Schedule 4 for DPIAs, and Article 5 for exemptions, aim to ensure data controllers and processors have clear, actionable obligations. To maximize compliance, the NDPC should focus on robust awareness campaigns and capacity-building initiatives before and after the GAID’s implementation to support organizations in aligning with these enhanced standards, thereby strengthening Nigeria’s data protection regime
  • Strengthening the NDPC’s capacity to investigate and resolve complaints could reduce premature litigation and enhance administrative enforcement.
  • Developing a robust body of data protection case law will help clarify the NDPA’s application and address novel issues in Nigeria’s digital economy.

3. Judicial Reasoning on Privacy in the Digital Age.

The court’s reasoning on privacy in the digital age, as articulated in the judgment, reflects a cautious approach to balancing data protection with practical realities:

a. Interpretation of NDPA Provisions:

  • The court meticulously reproduced and analyzed Sections 24, 25, 27, and 28 of the NDPA, adopting a literal interpretation as advocated by the Claimant. It emphasized that data controllers must process personal data fairly, lawfully, and transparently (Section 24) and inform data subjects of processing details (Section 27). However, the court found no evidence that the Defendant’s data collection was unlawful or not transparent, as the data subject (Ozoemena Nwogbo) consented to data collection by completing the Patient Information Form (Exhibit C) and paying for registration.
  • The court’s finding that the Defendant’s website notice satisfied Section 27 suggests a practical approach to digital privacy, recognizing that explicit consent mechanisms (e.g., clicking an icon for third-party data sharing) meet statutory requirements.

b. CCTV and Security Exemptions:

The court accepted the Defendant’s argument that CCTV surveillance was justified for security purposes under Section 3(2)(a)–(c) of the NDPA, which exempts data processing for crime prevention, public health emergencies, or national security. This reflects judicial recognition of the need to balance privacy with public safety in the digital age, particularly in a security-conscious context like Nigeria. However, the court did not explore whether the Defendant provided visible CCTV warnings, which could have strengthened its analysis of transparency obligations.

c. Constitutional Privacy Rights:

The Claimant invoked Section 37 of the 1999 Constitution, which guarantees privacy of citizens’ homes, correspondence, and communications. The court, citing Hon. Peter Nwali v. Ebonyi State Independent Electoral Commission (2014), clarified that Section 37 protects specific aspects of privacy (e.g., homes, telephone conversations) but found no evidence that the Defendant’s actions violated these rights. This reasoning underscores a narrow interpretation of constitutional privacy in the digital context, limiting its application to data protection unless a clear breach is demonstrated.

d. Absence of Data Breach Evidence:

The court’s central reasoning was that the Claimant failed to show an actual breach of the data subject’s privacy under Section 40 of the NDPA. It emphasized that a cause of action under the NDPA requires evidence of harm, loss, or injury (Section 51), which was absent. This approach aligns with digital age privacy principles that prioritize tangible harm over speculative concerns, reflecting a pragmatic judicial stance.

The court’s reasoning is grounded in statutory interpretation but lacks engagement with emerging digital privacy challenges, such as automated data processing or profiling, which are referenced in Section 27(1)(g) of the NDPA. The judgment could have explored whether the Defendant’s CCTV or patient data systems involved automated decision-making, which requires specific disclosures.

Also, the court’s reliance on consent (via the Patient Information Form) overlooks potential power imbalances in healthcare settings, where patients may feel compelled to provide data without fully understanding its implications.

Furthermore, the acceptance of security exemptions for CCTV without requiring evidence of compliance with transparency measures (e.g., signage) risks undermining data subject rights in the digital age.

4. Implications for the Future of Legal and Policy Advancement

The judgment has significant implications for the development of data protection law and policy in Nigeria:

a. Strengthening Public Interest Litigation:

  • By recognizing the Claimant’s locus standi, the judgment sets a precedent for NGOs to advocate for data protection compliance, fostering a culture of accountability. This could encourage more public interest litigation to enforce NDPA provisions, particularly for marginalized groups who lack access to legal recourse.
  • However, the court’s dismissal of the suit as premature highlights the need for clearer guidelines on when public interest litigation is appropriate under the NDPA. Future policy should clarify the interplay between NDPC complaints and direct court actions.

b. Enhancing NDPC’s Role:

The judgment underscores the NDPC’s role as the primary enforcer of data protection laws. The court’s reference to Sections 46–50 suggests that litigants should exhaust administrative remedies before approaching courts, except in cases of clear harm (Section 51). This implies a need for the NDPC to strengthen its investigative and enforcement mechanisms to handle complaints efficiently.

c. Clarifying Compliance Obligations:

The acceptance of CCTV exemptions suggests that policy must balance security needs with data subject rights, possibly through mandatory signage or public awareness campaigns about surveillance.

d. Building Judicial Precedent:

  • As one of the early NDPA cases, this judgment contributes to Nigeria’s data protection jurisprudence but reveals a reliance on non-data-specific precedents. Future cases should develop principles tailored to digital privacy, addressing issues like automated processing, cross-border data transfers, and data breach remedies.
  • Courts should engage more with international data protection frameworks, such as the EU’s General Data Protection Regulation (GDPR), to align Nigeria’s jurisprudence with global standards, as referenced by the Claimant’s citation of RW v. Osterreichische (C-154/21).

e. Promoting Digital Economy Growth:

  • The NDPA aims to strengthen Nigeria’s digital economy (Section 1(h)). The judgment’s dismissal of speculative claims ensures that organizations are not unduly burdened by frivolous litigation, fostering a business-friendly environment. However, robust enforcement of NDPA provisions is essential to build public trust in digital services, encouraging participation in Nigeria’s digital economy.
  • Policy should prioritize capacity building for data controllers, particularly in sensitive sectors like healthcare, to ensure compliance without stifling innovation.

f. Addressing Speculative Litigation:

  • The court’s characterization of the suit as “speculative” and “premature” warns against fishing expeditions in data protection litigation. Future litigants must provide concrete evidence of harm or non-compliance to succeed, reinforcing the need for factual grounding in NDPA claims.
  • This could prompt policy reforms to streamline NDPC complaint processes, ensuring that legitimate grievances are addressed administratively before escalating to courts.

Conclusion

The judgment in Incorporated Trustees of Personal Data Protection Awareness Initiative v. Nizamiye Hospital Limited is a significant step in Nigeria’s evolving data protection landscape. It affirms the role of public interest litigation in enforcing NDPA compliance, highlights gaps in enforcement and awareness, and adopts a pragmatic approach to digital privacy. However, the dismissal of the suit as premature underscores the need for clearer regulatory frameworks, enhanced NDPC capacity, and robust judicial precedent to address emerging digital challenges. For Nigeria to advance its data governance, policymakers must prioritize standardized compliance measures, public education, and international alignment to foster a trusted and secure digital economy.

Written by Adeola Osifeko LLB,LLM,ACIS, ABR. Partner Corporate Commercial Group at AEO Law Practice

Assessing the Competition & Consumer Protection Tribunal’s Judgment in Meta Platforms Inc/Whatsapp LLC v FCCPC.

aeolawpractice

Did the Judgment Address the Evidentiary and Interpretational Challenges in Nigeria’s Data Protection Enforcement?

The increasing integration of digital platforms into everyday life has raised substantial concerns about the intersection of data protection and competition law. Globally, regulators are grappling with the challenges of ensuring data privacy while also maintaining fair competition in digital markets. This dual objective is particularly pressing in jurisdictions where institutional and legislative frameworks are still evolving. Nigeria is one such jurisdiction, where the Federal Competition and Consumer Protection Commission (FCCPC) and the newly established Nigeria Data Protection Commission (NDPC) are asserting their authority to regulate tech giants such as Meta Platforms Inc. and WhatsApp LLC.

This article critically assesses the April 25, 2025 decision of the Competition and Consumer Protection Tribunal (the Tribunal) in the case of Meta v FCCPC, wherein the Tribunal upheld a $220 million fine imposed by the FCCPC for breaches of the Nigeria Data Protection Regulation (NDPR) 2019. The decision marks a turning point in Nigeria’s approach to data protection enforcement and reflects a broader trend toward regulatory assertiveness in digital markets. However, the judgment also raises important questions about the evidentiary and interpretational standards applied by the FCCPC and endorsed by the Tribunal.

Background to the Dispute.

The case against Meta arose from a 38-month joint investigation conducted by the FCCPC and the NITDA, which began in 2020. This investigation scrutinised the data collection and privacy practices of WhatsApp LLC and its parent company, Meta Platforms Inc. The FCCPC found that Meta’s business model relied on the excessive and unjustified collection of user data, including metadata beyond what was necessary for the delivery of WhatsApp services in Nigeria.

Following its findings, the FCCPC issued a Final Order on 19 July 2024, imposing a $220 million fine on Meta and WhatsApp for violating the Nigeria Data Protection Regulation (NDPR) 2019 and the Federal Competition and Consumer Protection Act (FCCPA) 2018. The Commission cited sections 17(a) and 104 of the FCCPA to justify its authority, stating that the data practices constituted ‘unscrupulous’ and ‘exploitative’ conduct in violation of consumer protection standards.

Meta and WhatsApp appealed the FCCPC’s Final Order to the Competition and Consumer Protection Tribunal, disputing both the jurisdictional authority of the FCCPC and the evidentiary basis of the Commission’s findings. The Tribunal, in a landmark judgment on 25 April 2025, upheld majority of the FCCPC’s determinations, including affirming the $220 million administrative penalty.

Interpretational Challenges: Data Minimisation and Consent Under the NDPR.

One of the central interpretational issues in Meta v. FCCPC, concerned the principle of data minimisation under the NDPR 2019. Article 2.1(1)(b) of the NDPR stipulates that personal data must be ‘adequate, accurate and without prejudice to the dignity of human person.’ The FCCPC interpreted this provision to mean that any personal data collected must be limited to what is strictly necessary to achieve the stated purpose. This concept aligns with the principle of data minimisation found in global data protection frameworks, such as Article 5(1)(c) of the GDPR.

The FCCPC’s analysis drew comparisons between WhatsApp and other messaging platforms like Signal and Telegram, noting that WhatsApp collected 44 distinct metadata points, whereas the latter collected only 4. However, the Commission failed to clearly articulate how each metadata point constituted personal data within the meaning of Article 1.3(xix) of the NDPR. This definitional gap raises significant evidentiary concerns.

Although the Commission relied on input from the National Information Technology Development Agency (NITDA), which confirmed that some data collected were not necessary for WhatsApp’s core functions, the FCCPC did not thoroughly analyse or categorise these data points. This lack of a granular assessment left open to question whether all the alleged excessive data points indeed fell foul of the NDPR.

Additionally, the FCCPC’s reliance on ‘consent’ as a remedial legal foundation, even for data that is not essential for service provision, seems to conflict with the broad applicability of the data minimisation principle. This is because consent cannot justify the collection of unnecessary data when the necessity principle is embedded in all legal grounds under the NDPR.

This interpretational ambiguity is expected to be clarified under the new Nigeria Data Protection Act (NDPA) 2023 and its General Application and Implementation Directive (GAID) 2025, which provides clear definitions for ‘adequate’, ‘relevant’, and ‘minimum necessary’ data. These clarifications aim to provide more robust evidentiary standards for future enforcement actions.

Jurisdictional Contest: FCCPC’s Mandate vs. NITDA’s Authority (Which has now Evolved Into NDPC’s Purview)

A core issue in Meta’s appeal was the jurisdictional competence of the FCCPC to adjudicate matters pertaining to data protection. Meta contended that the Nigeria Data Protection Regulation (NDPR) 2019 was issued by the National Information Technology Development Agency (NITDA), thereby vesting data protection oversight solely in NITDA’s purview.

The FCCPC, however, invoked Section 104 of the FCCPA 2018, which provides that “the Act shall override other laws on matters relating to competition and consumer protection”. Additionally, Section 17(a) empowers the FCCPC to enforce other enactments on consumer protection, an authority it relied on to treat NDPR violations as consumer harm.

The Tribunal, in addressing Issue 4 of the appeal, affirmed that the FCCPC acted within its statutory authority. It held that Section 104 of the FCCPA allows the Commission to regulate data practices that amount to exploitative or unfair conduct, even in sectors subject to regulation by other specialised agencies. By reinforcing this view, the Tribunal clarified the concurrent jurisdictional relationship between the FCCPC and other sector-specific regulators.

Although the Nigeria Data Protection Commission (NDPC) was formally established under the Nigeria Data Protection Act 2023 as the principal regulator of data protection, its operationalisation came after the events leading to the FCCPC’s investigation and order. The Tribunal therefore upheld the FCCPC’s jurisdiction without prejudice to the emerging role of the NDPC. This affirmation sets an important precedent, recognising that overlapping regulatory functions can coexist in a cooperative federal framework.

Nonetheless, the decision leaves unresolved how future inter-agency conflicts will be navigated, especially when both the FCCPC and the NDPC lay claim to enforcement authority over digital privacy matters. The GAID 2025 will likely necessitate a Memorandum of Understanding or similar legal instrument to clarify agency boundaries.

Evidentiary Weaknesses and the Standard of Proof.

One of the most significant criticisms of the FCCPC’s approach in Meta v FCCPC is the inadequacy of its evidentiary analysis, particularly in substantiating claims of excessive data collection under the NDPR. Although the Commission cited comparative statistics—such as WhatsApp’s collection of 44 metadata points versus Signal and Telegram’s collection of 4—it failed to convincingly establish that each of those metadata points constituted “personal data” as defined under Article 1.3(xix) of the NDPR 2019.

The NDPR defines personal data as any information relating to an identified or identifiable natural person. Thus, to assert a violation of data minimisation principles, the FCCPC bore the burden of demonstrating not only that data was collected, but that it was (i) personal in nature and (ii) unnecessary to the purpose of service delivery. In this regard, the Commission’s reliance on generalised comparisons, without technical analysis of the data points involved, fell short of the evidentiary standard required under Nigerian law. As the Nigerian courts have consistently held, he who asserts must prove.

Furthermore, the Commission’s determination that device fingerprinting involved excessive data collection is open to scrutiny. Device fingerprinting gathers technical details like browser settings or screen resolution, but the investigation report did not identify this as part of the actual metadata collected, nor did it adequately clarify its relevance to WhatsApp’s operational requirements in Nigeria.

The Commission also placed partial reliance on information from NITDA suggesting that some data collected was necessary while other data was optional or unnecessary. However, neither agency offered detailed classification nor provided a robust technical basis for this conclusion. This deficiency undermines the objective assessment of whether WhatsApp’s practices truly violated the requirement of adequacy under Article 2.1(1)(b) of the NDPR.

In this context, the evidentiary weaknesses in the FCCPC’s case exposed a critical gap in Nigeria’s enforcement framework. Future regulatory actions must be supported by detailed forensic analysis and independent technical assessments that can withstand appellate scrutiny. This is especially vital when dealing with sophisticated global tech entities capable of challenging enforcement actions on procedural and substantive grounds.

The Tribunal’s Reasoning: Deference or Diligence?

The Tribunal’s April 2025 judgment in Meta v FCCPC offers a rare window into judicial attitudes toward data protection enforcement in Nigeria. While the decision affirmed the FCCPC’s administrative fine and investigative processes, it left legal scholars/pundits questioning whether the Tribunal conducted a truly rigorous analysis or merely deferred to regulatory authority.

The Tribunal resolved all but one of the seven appeal issues in favour of the FCCPC. In Issue 3, for instance, Meta alleged a breach of fair hearing, claiming the Commission had not allowed sufficient opportunity to respond to the allegations. The Tribunal dismissed this, holding that the FCCPC had afforded Meta ample time to engage during the investigation and adjudication process. This finding underscores the recognition of the FCCPC’s quasi-judicial capacity and its compliance with the principles of natural justice.

In Issue 4, concerning jurisdiction, the Tribunal reaffirmed the FCCPC’s powers under section 104 of the FCCPA to override conflicting provisions of other laws on matters of consumer protection, even where other regulators are involved. This is a significant doctrinal endorsement that strengthens the FCCPC’s hand, especially in the absence of settled inter-agency coordination mechanisms.

Issue 5 was perhaps the most consequential in the context of data protection. It directly challenged the FCCPC’s conclusions regarding Meta’s privacy policies. The Tribunal held that there was no error in the Commission’s findings and that Meta’s policies indeed violated Nigerian law. However, the Tribunal offered limited elaboration on how it assessed the legality of the privacy policies. There was no detailed discussion of data minimisation or the contextual relevance of collected data. This suggests a deferential stance toward the FCCPC’s technical order, rather than an independent and probing review of the underlying data practices.

The Tribunal’s only substantive deviation came in Issue 7, where it set aside Order 7 of the Commission’s Final Order for lacking sufficient legal basis. Unfortunately, the decision did not explain the content of Order 7 in detail, nor did it clarify the threshold it applied to evaluate legal sufficiency. This omission leaves stakeholders guessing about the standards of review employed in data-related decisions.

Overall, while the Tribunal affirmed the regulatory direction Nigeria is taking, its decision arguably prioritised administrative compliance over substantive inquiry. Whether this approach can sustain long-term credibility for data protection enforcement remains to be seen. Judicial engagement with technical standards, contextual purpose, and proportionality is necessary if the Tribunal is to develop a jurisprudence fit for the data-driven economy.

Conclusion.

The Tribunal’s decision in Meta v FCCPC is a landmark precedence in Nigeria’s evolving data protection and digital competition jurisprudence. By upholding the FCCPC’s $220 million fine, cost of investigation at $35,000 and validating its jurisdiction under the FCCPA, the Tribunal signaled a strong institutional commitment to consumer data rights and fair digital market practices. However, a closer examination reveals that while the judgment endorsed key regulatory positions, it did not adequately resolve some of the evidentiary and interpretational challenges inherent in Nigeria’s enforcement regime under the NDPR 2019.

The case exposed the limitations of the FCCPC’s evidentiary framework, particularly its failure to provide a granular and technically sound justification for its findings on excessive data collection. The Tribunal, in turn, appeared to prioritise administrative deference over rigorous judicial scrutiny, particularly in its treatment of complex data processing questions. This approach, while expedient, raises concerns about whether Nigeria’s enforcement mechanisms are sufficiently robust to handle the nuances of digital regulation.

Yet, the judgment also serves as a catalyst for reform. The subsequent enactment of the Nigeria Data Protection Act 2023 and the issuance of the GAID 2025 provide the legislative and procedural tools necessary to address past shortcomings. These instruments clarify core principles like data minimisation and consent and elevate the standard of regulatory clarity and precision expected in future enforcement actions.

Looking ahead, effective regulation of digital platforms in Nigeria will depend on several critical factors. First, there must be improved inter-agency collaboration between the FCCPC and NDPC to avoid jurisdictional conflicts and duplicative enforcement. Second, regulators must adopt more technically grounded and evidence-based methodologies in investigations and adjudications. Finally, the judiciary must develop greater capacity to engage with the substantive complexities of data protection and platform regulation, moving beyond procedural adequacy to substantive correctness.

In summary, Meta v FCCPC may be viewed as a foundational case—imperfect yet pioneering. It underscores Nigeria’s readiness to hold powerful digital actors accountable while also revealing the institutional and legal reforms required to make such accountability both fair and sustainable.

Written by Adeola Osifeko LLB, LLM, ACIS, ABR. Partner, Corporate Commercial Group, at AEO Law Practice

References

  1. Violations: Tribunal Upholds FCCPC’s $220 million Fine Against Meta Platforms Inc/ Whatsapp LLC <https://fccpc.gov.ng/violations-tribunal-upholds-fccpcs-220-million-fine-against-meta-whatsapp/>
  2. The Federal Competition and Consumer Protection Act 2018 (FCCP Act 2018).
  3. The Nigeria Data Protection Regulation 2019 (NDPR 2019)
  4. The Nigeria Data Protection Act General Application and Implementation Directive 2025 (NDPA GAID 2025)
  5. EU 2016/679: General Data Protection Regulation in the current version of the OJ L 119, 04.05.2016