Data Protection in Nigeria: Lessons From the Meta vs FCCPC Matter

Meta Platforms Inc. and Whatsapp LLC, together referred to as Meta, have come under the spotlight of the Federal Competition and Consumer Protection (the FCCCP). An investigation was launched by the FCCPC into Meta’s practices relating to user data privacy and competition. This move underscores the growing global trend of increased regulatory oversight on tech giants, and the emphasis on stringent compliance with data protection rules and competitive fairness.

​​

This article provides a brief summary of the matter between Meta and the FCCPC, and highlights key lessons to be gleaned by tech founders/companies in improving their data protection practices.

Background

 

According to the FCCPC, investigations were carried out into Meta’s data protection practices on grounds of contravention of the provisions of the Federal Competition and Consumer Protection Act, 2018 (FCCPA) and the Nigerian Data Protection Regulation 2019 (NDPR) (now the Nigeria Data Protection Act, 2023).

Following this investigation, the FCCPC imposed a penalty of $220million on Meta and stated in a report that Meta’s data protection practices, were amongst others- discriminatory against Nigerian data subjects compared to other jurisdictions; and that Meta had abused its dominant market position by forcing exploitative and non-compliant privacy policies which appropriated consumer information/data without the option for self-determination or withholding of consent.

In addition to the penalty imposed, the FCCPC has also ordered that Meta should, amongst other things, immediately reinstate the right of Nigerian users to determine by themselves and control the use, processing and sharing of their data; ensure that the privacy policy complies with applicable data protection laws in Nigeria; and to cease the tying and transfer of data from its Whatsapp market to its Facebook market.

Key Lessons for Technology Founders

 

While conversations and appeals are still ongoing on this matter, there are various key lessons that technology founders can learn from this and implement in their technology businesses, especially as it relates to data protection and compliance:

  1. Integrate Data Protection by Design:
    This involves incorporating privacy and security measures throughout the lifecycle of technology products and services- from conception to deployment. This approach ensure that privacy considerations are incorporated in your systems and processes, thereby ensuring compliance with data protection laws. This can involve conducting early risk assessments to identify potential privacy issues; collecting on data necessary for the functionality of the product or the service; providing users the option to opt-in for any additional data collection or sharing features; offering users control over their data including option to access, correct or delete their data; ensuring that employees including developers and management understand data protection principles and their obligations thereunder; continuously gather user feedback on privacy features and make necessary improvements, etc.
  2. Understand and Implement Local Data Protection Laws:
    It cannot be overemphasized the need for you to understand the various data protections laws and regime governing each region or jurisdiction where your product or service is being marketed or sold. You should familiarize yourself with these laws and model your data handling practices in compliance with these laws. A regular review of these practices will also be necessary as these local data protection laws are amended or updated to ensure constant alignment with the evolving regime.
  3. Stay Engaged with Regulatory Developments
    Data protection laws and regulations are continuously evolving. You should stay informed about changes in the regulatory landscape and adapt your data protection practices accordingly. It will be helpful to engage the services of data protection and/or legal experts to help you stay ahead of regulatory developments and implement necessary adjustments timely.
  4. Enhance User Control and Access
    This is important if you are aiming to build trust with your users and ensure compliance with data protection laws. You should provide users with control over their data, including options to access, correct, or delete their information. This can be achieved by doing the following- providing users with clear consent mechanisms; developing user-friendly privacy settings that allow for accessibility and customizable options; notify users of significant changes to your privacy policy, etc.
  5. Transparency is Key
    Clear communications about data handling practices can build trust with users and regulators. Design interfaces that provide clear  and understandable information about data collection, use and sharing practices. Also be prepared to explain your data practices to users and regulators when called upon to do so.
  6. Monitor Market Dynamics
    It is necessary that you are aware of how your position in the market affects competition generally. There has been an increased level of scrutiny by regulators on the impact of tech giants on market competition, so maintaining fair market practices, especially in light of data protection requirements is essential. It is also important to know and analyse how competitors are addressing data protection to help you identify gaps and opportunities for improvement in your own practice.


Conclusion

 

The Meta and FCCPC case serves as a reminder of the critical importance of regulatory compliance and ethical data practices in the tech industry. For technology founders, it is a call to integrate robust compliance frameworks and maintain transparency in all aspects of data management and competition. 

 

--

Read the original publication at Pavestones