FCCPC Meta Fine
The Federal Competition and Consumer Protection Commission (FCCPC), in collaboration with the Nigerian Data Protection
Introduction
The Federal Competition and Consumer Protection Commission (FCCPC), in collaboration with the Nigerian Data Protection Commission, conducted a joint investigation into the activities of WhatsApp LLC and Meta Platforms Inc [1]. (collectively referred to as the "Meta Parties"). This investigation led to the imposition of a $220 million fine [2] on the Meta Parties for violations of the Federal Competition and Consumer Protection Act 2018 (FCCPA) and the Nigerian Data Protection Regulations 2019 (NDPR). Specifically, the Meta Parties were found to have engaged in abusive practices, including the exploitation of consumer data without proper consent, tying and bundling practices, and discriminatory conduct against Nigerian consumers compared to other jurisdictions [3]. The case also highlights ongoing legal debates in Nigeria regarding the extent of regulatory agencies' power to impose fines. While some court rulings affirm these powers, others argue that only courts have the constitutional authority to impose penalties, thus raising questions about the FCCPC's decision [4].
The Decision
The FCCPC in collaboration with the Nigeria Data Protection Commission (NDPC) launched an investigation into potential violations of Nigerian consumer rights by WhatsApp LLC and Meta Platforms, Inc. following WhatsApp's Updated Privacy Policy in May 2021. The investigation scrutinized the impact of the policy on Nigerian users, particularly focusing on data protection, informed consent, and fair dealings under the FCCPA 2018 and NDPR 2019 [5].
Despite receiving a proposed remedy from the Meta Parties after extensive correspondence and meetings, the FCCPC found the remedies inadequate to address the concerns raised. Consequently, the FCCPC issued a final order mandating that the Meta Parties immediately reinstate Nigerian users' rights to control their data without losing access to the WhatsApp service. The order emphasized that any data sharing must be based on explicit, voluntary consent from users, with policies updated in compliance with Nigerian data protection laws.
The FCCPC also required that data sharing practices revert to the 2016 standards and prohibited tying WhatsApp data with Facebook data without express consent. Additionally, the Meta Parties were instructed to implement the remedy package proposed during the investigation within 15 days, with the package being made accessible to Nigerian users.
Furthermore, they were ordered to reimburse the FCCPC for the investigation costs amounting to $35,000 and to pay a penalty of $220 million within 60 days. This decision shows the FCCPC's commitment to enforcing consumer protection laws in Nigeria, particularly in the digital space where data privacy and user rights are paramount.
Legal Issues
1. The Authority of the FCCPC
The Federal Competition and Consumer Protection Commission (FCCPC) derives its authority to impose fines and make regulatory decisions, such as the one against Meta Platforms Inc. and WhatsApp LLC, from several key legal provisions.
Firstly, Section 72(1) of the Federal Competition and Consumer Protection Act (FCCPA) explicitly prohibits the abuse of dominance by any firm holding a dominant position in the market. This includes, but is not limited to, engaging in exclusionary practices such as tying and bundling, where the sale of a good or service is conditioned on the purchase of another, unrelated product [6]. Additionally, the Act prohibits forcing a buyer to accept conditions unrelated to the primary object of a contract. [7]
Moreover, the FCCPC’s powers are reinforced under the Protocol to the Agreement Establishing the African Continental Free Trade Area (AfCFTA) on Competition Policy. This Protocol prohibits dominant entities, particularly those classified as “gatekeepers,” from abusing economic dependence. Such abuses include restricting data portability or combining personal data sourced from different services offered by the gatekeeper, which are practices relevant to the case against Meta [8].
In terms of enforcement, the FCCPA empowers the Commission to establish regulations concerning the imposition of administrative penalties, as outlined in the FCCPC’s Administrative Penalties Regulations 2020. These regulations define "Administrative Penalties" as monetary penalties or fines prescribed for violations of the FCCPA [9]. The penalties are typically calculated as a percentage of the offending entity’s turnover. Specifically, the fine for abuse of dominance is set at 1% of the company’s turnover, which suggests that the $220 million fine imposed on Meta was calculated based on this percentage, although the specific basis for turnover—whether global or limited to Nigerian operations—was not clarified in the FCCPC’s release [10].
It is also crucial to recognize that there have been conflicting rulings in Nigerian courts regarding the powers of regulatory agencies to impose fines. Some judicial decisions uphold the authority of regulators like the FCCPC to impose penalties. However, other rulings assert that the power to impose fines is reserved exclusively for the judiciary, as established under Section 6 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) [11].
2. Deprivation of User Choice and Consent
Meta Parties were found to have coerced users into accepting the Updated Privacy Policy by gradually degrading service functionality for those who did not accept the terms [12]. This led to users accepting the policy under duress, which deprived them of their right to freely give consent, as required by law.
They, in return, argued that the collection of data, even without explicit user consent, was necessary for the performance of a contract, compliance with legal obligations, or for public interest tasks. They emphasized that consent is not the only legal basis for processing data, referring to provisions similar to those under Europe's General Data Protection Regulation (GDPR) [13] that justify data processing on grounds other than consent [14].
However, what is worthy of note is that FCCPC's decision appears to hinge on the premise that users were deprived of free and informed consent, a cornerstone of data protection laws. While consent is indeed crucial, it is not the only lawful basis for processing under the NDPR [15]. Through a predominant focus on consent, the FCCPC may have overlooked Meta's legal argument that their data processing activities could be justified on other lawful grounds, such as contract performance and legal obligations.
Also, the FCCPC's failure to thoroughly consider Meta's defense [16] potentially constitutes an error of law, which is amenable to judicial review under administrative law principles. Errors of law occur when an administrative body misinterprets or fails to apply the correct legal principles, and such errors can render a decision reviewable by the courts [17]. The FCCPC's possible oversight in this case could be seen as an error of law, particularly if it did not fully engage with the legal nuances presented by Meta.
3. Discrimination Against Nigerian Users
WhatsApp's policy and data protection practices were found to be discriminatory towards Nigerian users compared to those in Europe [18]. While European users had greater control and transparency over their data, Nigerian users were denied similar rights, despite the Nigerian Data Protection Regulation (NDPR) being similar to the GDPR in Europe.
The FCCPC's criticism of Meta for depriving Nigerian users of equal rights to consent, compared to European users, appears to rely heavily on GDPR standards rather than the specific provisions of the NDPR. Under the GDPR [19], consent must be freely given, specific, informed, and unambiguous, with a clear entitlement for users to withdraw consent at any time without negative consequences. This is a core aspect of the GDPR’s consent mechanisms.
However, the NDPR [20] also mandates that consent must be freely given but does not explicitly guarantee the same level of freedom to withdraw consent as the GDPR. The NDPR lacks detailed guidance on how withdrawal should be facilitated, which the GDPR extensively provides. Therefore, the FCCPC's decision may be critiqued for applying GDPR standards rather than assessing Meta's actions within the specific legal framework of the NDPR, which does not enforce identical provisions for consent withdrawal.
Additionally, the FCCPC pointed out that Meta provided stronger privacy protections to European users than to Nigerian users, classifying this as discriminatory. The GDPR [21] offers a comprehensive range of user rights, including stringent transparency obligations that require data controllers to inform users in detail about data processing activities and their rights. While the NDPR [22] provides similar protections, it is less detailed and prescriptive in certain areas, such as the processing of special categories of personal data and the recognition of legitimate interest as a legal basis for processing, which is recognized under the GDPR but not under the NDPR [23]. The FCCPC's classification of Meta's actions as discriminatory might overlook the fact that the NDPR does not impose the same comprehensive obligations as the GDPR. This could suggest that Meta's practices, though less protective than those required under the GDPR, were still compliant with the local NDPR regulations. The FCCPC’s decision could thus be critiqued for potentially exceeding the actual legal requirements set by the NDPR, applying a standard more reflective of GDPR expectations than the realities of Nigerian data protection law.
4. Abuse of Dominance
The FCCPC investigation highlights that WhatsApp's practice of requiring users to accept the updated privacy policy under threat of reduced functionality is coercive and constitutes an abuse of dominance. This critique holds weight when contrasted with WhatsApp's own assertions in the privacy policy. The policy emphasizes user control, such as allowing users to manage their data and communications settings [24]. However, the FCCPC's findings suggest that this control is superficial when users are compelled to accept the terms or face diminished service, thereby undermining WhatsApp's claims of respect for user privacy and choice.
5. Bundling of Necessary and Non-essential data
Also, Meta Parties bundled necessary data with non-essential data in its Updated Privacy Policy without providing an option for users to opt out [25]. This practice was considered an unfair and unscrupulous trading practice under Nigerian law [26]. WhatsApp’s privacy policy details various types of data collected and provides information on how users can manage certain settings. However, the policy does not give users the ability to refuse the collection of non-essential data while still using the service, which supports the FCCPC’s findings [27]. The policy articulates a need to collect specific data to provide and improve services, and it allows users to manage some aspects of their data through settings. However, the lack of an opt-out for non-essential data collection, as identified by the FCCPC, suggests a disregard for nuanced consent. Users are compelled to agree to broad data collection practices if they wish to continue using the service, again indicating a potentially unfair business practice.
The $220 Million Fine on Meta: A Double-Edged Sword Amid Nigeria's Foreign Exchange Crisis
The $220 million fine imposed on Meta Platforms Inc. and WhatsApp LLC by the Federal Competition and Consumer Protection Commission (FCCPC) and the Nigerian Data Protection Commission has significant implications for Nigeria, particularly in the context of the ongoing foreign exchange (FX) shortages and economic challenges.
Nigeria is currently facing a severe FX crisis characterized by a sharp depreciation of the naira, scarcity of foreign currency, and volatility in exchange rates. This has led to the exit of major MNCs like Procter & Gamble, GlaxoSmithKline, and Unilever, which in turn exacerbates job losses and weakens the economy. The departure of these companies reduces competition and limits consumer choices, which could drive up prices and further strain the purchasing power of Nigerians, leading to increased production costs, reduced import volumes, and overall economic strain. The fine on Meta comes at a time when the country is struggling to attract foreign investment and stabilize its economy.
Imposing such a substantial fine could have a dual impact. On one hand, it asserts Nigeria’s commitment to enforcing data protection and consumer rights, which could enhance regulatory credibility. On the other hand, it could deter foreign companies from investing or continuing operations in Nigeria, especially if they perceive the regulatory environment as unpredictable or excessively punitive.
The fine could also indirectly impact Nigeria's broader economic recovery efforts. As the country struggles with inflation, rising poverty rates, and a challenging business environment, any additional strain on foreign businesses could slow down economic growth and recovery, particularly in sectors that are crucial for generating FX, such as oil and gas.
–––––––––––––––––––––––––
[1] The FCCPC maintains that although the investigation is primarily focused on WhatsApp’s services, Meta (formerly known as Facebook) should also be included and held jointly and severally responsible. This position is because (a) Meta, as the parent company of WhatsApp, exerts significant control over WhatsApp’s business operations, and (b) Meta derives benefits from specific updates to WhatsApp’s Privacy Policy, especially through various technical integrations between the two platforms.
[2] In addition, Meta Platforms Inc & Whatsapp LLC are also required to pay the sum of $35,000 (Thirty Five Thousand U.S. Dollars) only, as reimbursement for the cost of FCCPC’s investigation.
[3] Federal Competition and Consumer Protection Commission, "Press Release on the Investigation into WhatsApp LLC and Meta Platforms Inc.," July 19, 2024.
[4] SPDC v. MPR & 2 Ors; NOSRA v. Mobil Producing Nigeria Unlimited; Shell Nigeria Exploration and Production Co. Ltd v. National Oil Spill Detection and Response Agency.
[5] Federal Competition and Consumer Protection Commission, Final Order and Notice < https://fccpc.gov.ng/wp-content/uploads/2024/07/Final-order-FCCPC-Meta-18072024.pdf>
[6] Federal Competition and Consumer Protection Act, 2018, s. 72(1).
[7] Federal Competition and Consumer Protection Act, 2018, s. 72(2)(d)(iii)
[8] Protocol to the Agreement Establishing the African Continental Free Trade Area on Competition Policy, Art. 13
[9] Federal Competition and Consumer Protection Commission, Administrative Penalties Regulations, 2020, Reg. 2
[10] Federal Competition and Consumer Protection Commission, Administrative Penalties Regulations, 2020, Schedule 1.
[11] SPDC v. MPR & 2 Ors; NOSRA v. Mobil Producing Nigeria Unlimited; Shell Nigeria Exploration and Production Co. Ltd v. National Oil Spill Detection and Response Agency
[12] Section 17 of the FCCPA mandates the FCCPC to eliminate anti-competitive practices and unfair business conduct, including misleading and deceptive practices.
[13] GDPR articles 5-10, 49, Recitals 39-48
[14] The investigative report < https://fccpc.gov.ng/wp-content/uploads/2024/07/Investigative-Report-FCCPC-WhatsApp-13.11.23.pdf >
[15] Section 6 of the NDPR
[16] The investigative report < https://fccpc.gov.ng/wp-content/uploads/2024/07/Investigative-Report-FCCPC-WhatsApp-13.11.23.pdf >
[17] In the cases of Governor of Oyo State v Folayan, it was held that where a tribunal or authority proceeds on a mistaken view of the law, it is open to judicial review.
[18] Meta provided false and misleading information during the investigation, violating section 112, by presenting a modified version of the 2019 privacy policy to the FCCPC, which was not the actual prevailing policy at the time.
[19] Article 7 and Recital 32
[20] Section 2.3
[21] Articles 12-22
[22] Sections 3.1 and 2.3(2)(c)
[23] Section 6
[24] The policy states that "respect for your privacy is coded into our DNA"
[25] Section 127 of the FCCPA prohibits the supply of services under terms that are unfair, unreasonable, or unjust.
[26] Section 18 (3) (e) addresses unfair business practices and prohibits any condition that ties the acceptance of unrelated services or terms to the provision of a primary service.
[27] The privacy policy provides that Our Services have optional features which, if used by you, require us to collect additional information to provide such features. You will be notified of such collection, as appropriate. If you choose not to provide the information needed to use a feature, you will be unable to use the feature.”
