Meta is facing a $220 million fine in Nigeria under data protection laws passed in 2023, the first major fine for the company in the region. The fine follows an extensive investigation that lasted 38 months, dating back to well before the current Data Protection Act was signed into law.
The investigation results cite a wide variety of violations by the company, but focus particularly on “abusive and invasive practices against data subjects in Nigeria.” The Federal Competition and Consumer Protection Commission (FCCPC) determined that Meta did not allow Facebook users a real alternative to opting in to collection of their personal data to use the service, and that this constituted an abuse of their dominant position in the market.
Tech firms face new challenges as global data protection laws come online
The FCCPC’s investigation reflects findings from the EU and other regions in determining that Meta is not providing users with a real choice under the terms of their data protection laws; they must either agree to expansive data collection or stop using the services. It also reflects broad sentiment that Meta has a monopoly status in social media and messaging between Facebook, WhatsApp and Instagram.
The extensive investigation began in May 2021 in response to complaints about WhatsApp’s privacy policy. This led to Meta proposing a “remedy package” to resolve the situation, which the FCCPC found was inadequate to resolve these concerns. Though violation of the 2023 data protection laws was a central factor, the company also failed to comply with the prior Nigeria Data Protection Regulation (NDPR) terms and did not file annual audit reports that the regulation required. The company was also accused of violations of the Federal Competition and Consumer Protection Act (FCCPA).
Meta has told media outlets that it disagrees with the fine and will be appealing it; it has been given 60 days to pay. The company has long been dealing with regulatory issues and penalties in the EU and US, but is now seeing similar challenges pop up in new areas around the world due to emerging data protection laws. The company was recently fined 1.2 billion lira in Turkey, or about $36.5 million USD, for data sharing violation across its various services. It also very recently announced that it would suspend availability of its AI tools in Brazil due to regulatory concerns, and South Africa’s antitrust watchdog has recently announced it will be investigating Meta and other big tech platforms for possible competition violations against more traditional news publishing outlets.
Firms calculating new regulatory and compliance costs around the world
Nigeria is something of a unique market for Meta for several reasons. While Facebook has seen a downturn in recent years in some other parts of the world, it remains very commonly used as a cornerstone of the daily internet experience across Africa. WhatsApp is also very frequently used. And Nigeria is particularly connected, with almost 75% of its total population of about 200 million being under 24 years old and an estimated 164 million people having an internet subscription. The country has long been Meta’s largest individual market on the continent.
Facebook became a staple service in Africa primarily due to its rollout of a service called “Free Basics” in the region in 2015. Telecoms on the continent sometimes require phone credit to access certain websites, and Free Basics ensured that Facebook could be always be accessed (in an audio- and video-free format) at no extra cost and that ran well on the low-cost mobile phones that are most common on the continent. Since Facebook and its messaging service are always available even when monthly phone credits run out, much of Africa’s business and daily socializing has shifted to it.
The ruling indicates that the Nigeria Data Protection Act 2023 (NDPA) will be used to pursue major adtech outfits going forward. Signed into law in June of last year, the new data protection laws built on the prior NDPR’s terms by establishing the Nigeria Data Protection Commission as the country’s lead regulatory body and established new requirements for transparency in data processing, remedies for data breaches and rights for data subjects. The NDPR does remain in place, but the terms of the NDPA take precedence whenever there is a conflict.
Meta and similar adtech-reliant outfits thus continue to face potential fines for the “sins of the past” in numerous countries around the world as data protection laws continue to come online and be refined, even as the regulatory battleground shifts to the development and use of AI by these tech leaders. On that front, the 55-member African Union (AU) published a draft policy in February that is expected to be used as a blueprint to develop standards and certification practices for the industry. Mauritius, Kenya and Egypt have already introduced some AI policy, and Nigeria is formally in the initial discussion phase.