Introduction
On 19 July 2024, the Federal Competition and Consumer Protection Commission (FCCPC or Commission) in Nigeria imposed a fine of $220 million on Meta Platforms Inc (Meta), the parent company of WhatsApp LLC (WhatsApp), for violations of both the Federal Competition and Consumer Protection Act 2018 (FCCPA) and the Nigeria Data Protection Regulation 2019 (NDPR). In the investigation report that served as the basis for this penalty, the FCCPC formulated three main issues for determination. One of these issues was whether WhatsApp's 'business practices with respect to its data collection and management processes are excessive, unscrupulous, obnoxious and a deliberate tactic to exploit Nigerian consumers, contrary to the FCCPA and NDPR'. The FCCPC ruled in the affirmative on this issue.
In this article, I examine this particular aspect of the FCCPC's determination in relation to the provisions of the NDPR. Readers should note that in this review, I will endeavour to provide an objective and impartial analysis of this determination. My aim is to offer insights into the underlying analysis that informed the FCCPC's determination on this issue and to assess whether this analysis is consistent with the proper interpretation of the NDPR in the light of evolving data processing operations.
The legal basis for FCCPC's determination
In reaching this particular determination, the FCCPC exercised, among others, its section 17 (a) power under the FCCPA. This provision charges the FCCPC with the responsibility of enforcing any other enactment related to competition and consumer protection in Nigeria. In exercising this authority, the FCCPC interpreted the NDPR as a consumer protection law. Although this interpretation of the FCCPC's statutory function is novel in Nigeria and may be subject to scrutiny in appellate courts, there is persuasive case law from the United States (U.S.) where courts have recognised the Federal Trade Commission (FTC), the lead consumer protection agency in the U.S., as having broad data protection enforcement authority in instances where consumers are exploited. This authority is derived from section 5 of the FTC Act, which prohibits 'unfair or deceptive acts or practices'—a phrase that closely parallels the term 'obnoxious practices or the unscrupulous exploitation of consumers' found in section 17(s) of the FCCPA.
While the scope of the FCCPC's power to enforce the NDPR and address data privacy infringements as a form of consumer harm remains uncertain in Nigeria, the following U.S. cases may offer some guidance: FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014); FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 609 (D.N.J. 2014); and FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 247–48 (3d Cir. 2015). These cases originated from a single matter in which Wyndham Worldwide Corp., a hotel chain, contested the FTC's authority to enforce data security practices following a series of data breaches suffered by the hotel. On appeal, the U.S. Court of Appeals for the Third Circuit upheld the FTC's authority, holding that lax cybersecurity practices leading to a data breach fall within the 'unfairness' prong of the FTC Act. This decision affirmed the FTC's jurisdiction to address and enforce violations related to data privacy.
It is crucial to emphasise that when the FCCPC chooses to exercise its consumer protection authority to enforce the NDPR, any subsequent determinations or outcomes resulting from such enforcement actions must be in strict adherence to both the spirit and letter of the NDPR.
Excessive data collection under the NDPR
Under the NDPR, one of the governing principles of data processing provided for in article 2.1 (1) b) is that personal data (processed) shall be 'adequate, accurate and without prejudice to the dignity of human person'. The reference to the word 'adequate' means that personal data collected must be limited to the minimum necessary to achieve the intended processing purpose, ensuring that the data collected is proportionate to the purpose pursued by the processing operation.
This principle is otherwise referred to as data minimisation under the General Data Protection Regulation (GDPR) and in most jurisdictions with a data protection framework. This principle (and others provided for in the NDPR and in the Nigeria Data Protection Act 2023) must be complied with whenever personal data is processed, irrespective of the lawful basis. In essence, data minimisation requires that data controllers and processors collect and process only the personal data that is directly relevant and essential to accomplishing the specific purpose of the processing operation. Consequently, data controllers and processors must exercise diligence to refrain from collecting excessive personal data from data subjects (in this case WhatsApp users in Nigeria) beyond what is necessary to achieve the intended purpose of the data processing operation.