Introduction
In a Joint Investigation conducted by the Federal Competition and Consumer Protection Commission (FCCPC) and the Nigerian Data Protection Commission (NDPC), Meta Platforms Inc. and WhatsApp LLC (collectively referred to as the “Meta Parties”) were fined $220,000,000 (Two Hundred and Twenty Million U.S. Dollars) for violations of Nigerian consumers’ data privacy rights.
This article focuses on the data protection breaches highlighted in the order and considers their wider significance for data governance in Nigeria.
Summary of Regulatory Findings
In the final order issued on 18 July 2024 (“the Order”), the regulators directed the Meta Parties to comply with several requirements, including:
- Ceasing the unauthorised sharing of WhatsApp user data with other Facebook companies and third parties unless voluntary, informed consent is obtained. This was deemed an infringement of the principle of purpose limitation.
- Ensuring that Meta’s privacy policies conform to Nigerian data protection laws. Policies must be easily accessible, intelligible, and presented in simple language that upholds users’ rights under the Nigeria Data Protection Act (NDPA). (Transparency principle – Art 12 GDPR)
- Reinstating the 2016 ‘opt in’ model for data sharing and ceasing to rely on the ‘legitimate interest’ basis for processing. Consent must be the lawful basis.
- Discontinuing the cross-platform transfer of data from WhatsApp to Facebook and other third parties without the express and informed consent of the data subject.
Although the amount of the fine surprised many observers, it is consistent with global precedents. The European Data Protection Board, for instance, has issued comparable sanctions to Meta Platforms Ireland Limited in similar circumstances.
Lawful Bases for Processing Personal Data under the NDPA
To understand the rationale behind the FCCPC and NDPC’s directives, one must examine the lawful bases for data processing under Nigerian law. The NDPA outlines six primary lawful bases:
- Consent – The data subject has given clear permission for the processing of personal data for a specific purpose.
- Contractual obligations – Processing is required to fulfil a contract with the data subject.
- Legal obligations – The controller is required by law to process the data.
- Vital Interests – Processing is necessary to protect the life or wellbeing of an individual.
- Public interest – Processing is carried out in the public interest or pursuant to a statutory function.
- Legitimate interests – The controller may process data in pursuit of its own legitimate interest, provided these do not override the rights of the data subject.
In the Meta case, the order implicitly references two of the most important principles under the NDPA: Lawfulness, Fairness, and Transparency; and Purpose Limitation.
Lawfulness, Fairness and Transparency
This principle mandates that personal data must be processed in a manner that is fair (and transparent) to the data subject, with clear and accessible information. The regulators’ insistence that Meta revert to an ‘opt in’ consent model and revise its privacy policies underscores this expectation.
Purpose Limitation
The NDPA also requires that personal data be collected for specified, legitimate purposes and not processed in ways incompatible with those purposes. The unauthorised sharing of WhatsApp data with Facebook companies was determined to be a misuse of data under this principle as data was being processed in a manner incompatible with the original purpose for its collection.
This also highlights the importance of Binding Corporate Rules (BCRs) for multinationals operating across jurisdictions. BCRs are internal policies adopted by multinational companies to ensure that data protection standards are upheld when transferring personal data within the group, whether domestically or across borders. Consequently, internal data transfers between group entities must still comply with applicable national data protection laws.
Why This Matters for Nigeria
The fine issued to Meta represents more than a monetary penalty. It signals an era of stricter compliance, enabled by the NDPA and its recently released General Application and Implementation Directive (GAID), which takes effect on 19 September 2025. The GAID provides regulatory guidance for data controllers and processors, especially those in high impact sectors such as payment services, multinationals, and the oil and gas industry.
The GAID sets out mandatory obligations, including sector-specific compliance tiers, prescribed audit practices, and the circumstances under which consent must be obtained (such as for direct marketing or sensitive data processing). Crucially, it defines the parameters for using legitimate interest as a basis for data processing – placing an obligation on organisations to conduct and document a legitimate interest assessment.
A Culture of Data Misuse
Beyond the Meta case, the broader context of Nigeria’s data environment cannot be ignored. Data privacy breaches are alarmingly frequent – and often carried out with little regard for global best practices or consumer rights.
Many Nigerians receive unsolicited political campaign messages during election cycles, often via calls or SMS, without ever granting permission for their details to be used in this way. This raises serious questions about how political entities access voter or telecom subscriber data and whether these communications meet the standards for lawful processing.
Similarly, marketing messages for banks, delivery apps, and retailers are routinely sent to individuals who have neither interacted with the organisation nor consented to such contact. The now famous case in which Domino’s Pizza was ordered to pay damages for violating a customer’s privacy through unsolicited SMS advertisements is a landmark illustration of how the courts are beginning to treat such misuse as actionable.
Other serious examples include:
- Fintech data breaches, such as the alleged exposure of over 800,000 records by the iCredit loan app, where names, phone numbers, and banking details were publicly accessible.
- Data sales on the black market, where national identity and bank verification data has reportedly been available online for as little as N500. Investigations suggest this may be linked to insider access or weak data security protocols within government agencies.
Implications and Outlook
The Meta fine may mark a watershed moment in the enforcement of privacy laws in Nigeria. It establishes that:
- Regulators will no longer tolerate discriminatory data practices by multinationals.
- The NDPA will not be a paper tiger – companies are expected to invest in data governance or face legal and financial consequences.
- Consumers have legal recourse and are beginning to assert their privacy rights through the courts.
- Nigerian regulators are aligning with global best practices and are willing to impose significant penalties where necessary.
Conclusion
The fine issued to Meta is not only justified – it is overdue. In a country where personal data is often harvested, shared, and monetised without consent, it is essential that enforcement actions carry real consequences. Privacy laws must be seen to have teeth.
The precedent set by this case will encourage other organisations to take their obligations seriously – and save their organisation money by avoiding huge fines and penalties. Furthermore, it empowers data subjects, who are no longer voiceless in the face of widespread and often brazen violations.
Contributor
Hanoba Etomi | CIPP/E
Head, Data Privacy