INTRODUCTION
In the digital economy, data fuels innovation, personalization, and business growth—but it also raises serious concerns around consumer privacy and market fairness. Companies with access to large volumes of personal data may use this advantage to entrench market dominance, restrict competition, or impose unfair terms on users.
This article examines Nigeria's legal framework—anchored by the Nigerian Data Protection Regulation (NDPR), the Nigeria Data Protection Act (NDPA), and the Federal Competition and Consumer Protection Act (FCCPA)—and how it addresses exploitative and anti-competitive data practices. It also draws from global judicial precedents to guide Nigeria's enforcement priorities and shape its compliance expectations.
REGULATORY FRAMEWORK ON DATA PRIVACY IN NIGERIA
- The Nigerian Constitution
The foundation of data privacy in Nigeria is embedded in the Constitution. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) guarantees the right to privacy, including the privacy of homes, correspondence, and communications. Over the years, Nigerian courts have actively interpreted this provision to affirm that data privacy is an intrinsic constitutional right. For instance, in the case of Incorporated Trustees of Digital Rights Lawyers Initiative v. L. T. Solutions & Multimedia Limited,1 the court affirmed that data privacy is protected under Section 37. Similarly, in Emerging Markets Telecommunications Services Ltd v. Eneye,2 the Court of Appeal highlighted the illegality of sharing personal data without consent, reinforcing that modern technological communication (e.g. messaging services) are protected under the constitutional right to privacy.
- The NDPR and NDPA: Statutory Framework for Data Protection
The NDPR (2019) marked Nigeria's first formal step toward comprehensive data protection. The NDPA (2023) builds on this foundation, establishing a detailed legal and institutional framework, including the creation of the Nigeria Data Protection Commission (NDPC).
Key provisions under both legislative instruments:
- Scope of Protection: Personal data is broadly defined to include online identifiers like IP addresses and device information.3
- Consent Requirements: Consent must be specific, informed, freely given, and unambiguous.4
- Rights of Data Subjects: Individuals can object to processing, especially for marketing, and retain control over how their data is used.5
- Obligations of Data Controllers: Data controllers must ensure transparency, accountability, and process data only for lawful and legitimate purposes.6
- FCCPA and FCCPC: Bridging Consumer Protection and Competition Law
The FCCPA is Nigeria's primary law on consumer rights and market competition. It empowers the Federal Competition and Consumer Protection Commission (the FCCPC) to enforce its provisions and any related legislation, including the NDPA, where data privacy issues overlap with consumer rights.
- Consumer Enforcement: Consumers who are also data subjects can pursue remedies under both the FCCPA and NDPA for data misuse.
- Anti-Competitive Oversight: The FCCPC is also mandated to prevent and address anti competitive practices, including those arising from data misuse by dominant firms.
- Inter-Agency Coordination: Although the FCCPA takes precedence over other competition and consumer protection laws, there is a collaborative approach in the regulatory framework. The FCCPC may consult with the NDPC in handling complaints or issuing directives involving data-related consumer harm.
ADDRESSING EXPLOITATIVE DATA PRACTICES IN NIGERIA
Exploitative data practices involve the improper collection, processing, or sharing of consumer data, often by dominant firms. These practices can undermine privacy rights and distort competition. Recognizing and addressing them is critical to ensuring both data protection and market fairness.
- Coercive Consent: Coercive consent arises when users are forced to accept broad data processing terms that are neither informed nor voluntary—contrary to the NDPR's requirements that consent be freely given, specific, informed, and unambiguous.
Common examples include:
- E-commerce pressure: Retailers requiring users to accept data-sharing terms (e.g. for targeted ads) as a condition for completing a purchase. This "take-it-or-leave-it" approach forces consumers to accept invasive practices or forfeit their ability to shop
- Pop-up enforcement: Streaming services that block access to content until users accept revised data policies, breaching NDPR Regulation 2.3(2).
- Bundled consent: Apps combining consent for unrelated services, such as a fitness app sharing health data with insurers without separate approval—violating NDPR Regulation 2.1(1)(a).
Globally, these practices have faced scrutiny. The Irish Data Protection Commission fined WhatsApp Ireland €225 million for similar consent violations.7 Nigerian regulators are empowered to take similar action under the NDPR and FCCPA to prevent coercion and uphold consumer autonomy.
- Discriminatory Data Practices: These practices involve applying different data protection standards based on user location or profile. For instance, some companies may offer GDPR-level protections to European users while limiting rights for users in markets like Nigeria, despite comparable local laws. Nigerian users may be denied the option to opt out of targeted advertising or must accept extensive data-sharing just to access core services. Such unequal treatment undermines the principles of fairness and transparency and violates both legal and ethical standards.
- Exclusive and Restrictive Data Practices: Exclusive and restrictive data practices involve companies manipulating access to and control over data in ways that unfairly limit competition and consumer choice. These practices enable dominant companies to maintain and enhance their market positions by preventing competitors from accessing critical data necessary for innovation and competitive service offerings.
Examples of Exclusive and Restrictive Practices:
- Exclusive Agreements with Advertisers: A large social media platform might enter into exclusive agreements with specific advertisers or data analytics firms, granting them unique access to user data for targeted advertising. This exclusivity denies other businesses, particularly smaller or newer competitors, the opportunity to compete effectively in the advertising space due to a lack of similar data access.
- Restrictive Cloud Service Agreements: A cloud service provider might implement restrictive use agreements that limit how clients can share or utilize their collected For example, a provider may prohibit clients from sharing their data with competing cloud services, effectively locking them into using a single service. This restrictiveness not only hampers competition but also forces client dependence on one provider, stifling innovation and reducing market diversity.
These tactics entrench dominance by concentrating control over essential data, stifling innovation, and raising entry barriers for new players.
- Data-Driven Collusion: Data-driven collusion occurs when companies use shared data analytics to align market behaviour without direct communication. Through real-time pricing tools or common platforms, firms can predict and mirror each other's actions, maintaining stable prices or limiting consumer choice.
Example of Data-Driven Collusion
Online retailers using the same analytics service might observe and match each other's prices, leading to a coordinated price floor without any formal agreement. As such coordination happens algorithmically, it is difficult to detect and enforce using traditional antitrust tools. Regulators must adopt more sophisticated methods to monitor and respond to these subtle but harmful practices.
Regulatory Approach to Anti-Competitive Data Practices
The FCCPA and the Abuse of Dominance Regulations provide clear legal tools for addressing exploitative data practices that also amount to abuse of dominance or consumer harm. Under Section 72(1) of the FCCPA, dominant firms are prohibited from engaging in conduct that distorts competition or harms consumer welfare. A firm is considered dominant when it operates independently of market pressures—and in this context of data, where it is due to exclusive control over large volumes of personal data.
Two categories of exploitative conduct are particularly relevant in the data context: tying and bundling practices, and unfair contractual terms.
Tying and Bundling of Data Services
Section 72(2)(d)(iii) and Regulation 12(1)(a) prohibit dominant firms from making access to a core service conditional on accepting unrelated terms. This includes compelling users to share personal data with affiliated services where such sharing is not necessary.
For example, if a messaging app requires users to agree to share data with its parent company before granting access, this would constitute prohibited contractual tying. It undermines user autonomy and creates artificial barriers for competitors offering more privacy-conscious alternatives. 4
Section 119 of the FCCPA further bars companies from imposing additional transactions or obligations unless they clearly benefit the consumer. Cross-platform data bundling—especially without justification—may violate this provision and entrench dominance under the guise of user agreement. Unfair Contractual Terms The FCCPA also addresses one-sided or exploitative terms in digital service agreements:
- Section 127(1)(a) prohibits service terms that are manifestly unfair, unjust, or unreasonable—such as mandatory, non-negotiable data collection with no opt-out.
- Sections 127(2)(a) and (b) further prohibit terms that disproportionately favour businesses over consumers, such as broad consent clauses that strip users of meaningful control over their data.
These provisions reinforce the FCCPA's role in curbing digital exploitation by ensuring that dominant firms cannot use contract terms to embed anti-competitive effects or strip users of meaningful control over their personal data.
FCCPC v. Meta Platforms, Inc. (Nigeria, 2024–2025)
A recent enforcement victory by the FCCPC, in collaboration with the NDPC, illustrates Nigeria's growing vigilance. In FCCPC v. Meta Platforms, the Competition Tribunal found that Meta violated provisions of the FCCPA and NDPA by deploying coercive consent mechanisms, engaging in opaque cross-platform data sharing, and leveraging its dominant market position to exclude rivals. Meta's conduct breached Section 72(2)(d)(iii) by tying service access to unrelated data conditions and violated NDPA provisions requiring voluntary and informed consent. This case affirms that Nigerian regulators are not only recognizing the competition risks of exploitative data practices but are also actively enforcing the law to address them.
COMPARATIVE CASE STUDIES
Global precedent further reinforces the need to address exploitative data practices through both competition and privacy law. The following international cases provide useful guidance as Nigeria strengthens its enforcement framework under the FCCPA, NDPA, and NDPR:
- Competition Commission of India (CCI) v. Bharti Airtel Limited & Others (2019): The Indian Supreme Court upheld the Competition Commission of India's jurisdiction over privacy-related conduct when it intersects with competition law. The Court affirmed that consumer data is a critical economic asset and that its misuse by dominant firms can distort market competition.
- Bundeskartellamt v. Meta Platforms, Inc. (Germany): Germany's Federal Cartel Office found that Meta (formerly Facebook) abused its dominant position by collecting and 5 combining user data across its platforms (e.g. WhatsApp, Instagram) without valid consent—contravening the GDPR and reinforcing its market dominance. The case aligns closely with Nigeria's Section 72(2)(d)(iii) and highlights the anti-competitive risk of forced cross-platform data sharing.
- UK Information Commissioner's Office (ICO) v. Facebook: The UK Information Commissioner's Office fined Facebook for giving third-party developers access to user data without proper consent. The ICO ruled that data collection must be limited to what is necessary for the stated purpose and rejected Facebook's reliance on "legitimate interest" as justification. Section 2.1(1)(a) of Nigeria's NDPR mirrors this principle, requiring that personal data be collected for specific, lawful, and justifiable purposes. Where companies use excess data to entrench their market position, this raises both privacy and competition concerns—reinforcing the need for Nigerian regulators to scrutinize unjustified data-sharing arrangements.
- German Federal Supreme Court v. Facebook (2020): The German Federal Supreme Court upheld findings that Facebook abused its dominant position by collecting data without valid consent, particularly from activities outside its core services. The court found that such conduct distorted competition and reinforced Facebook's dominance. This decision mirrors Nigeria's Section 72 FCCPA standard. In Nigeria, similar data harvesting practices—especially where consent is bundled or non-transparent—may not only breach the NDPR/NDPA but also limit competition by excluding rivals. The case affirms the importance of monitoring how data exploitation reinforces dominance in digital markets.
CONCLUSION
As data becomes central to how firms compete and scale, its misuse is no longer just a privacy issue—it is a competition concern with real market consequences. Nigeria's legal framework, anchored in the NDPR, NDPA, and FCCPA, is increasingly being used to address these dual challenges. The recent FCCPC v. Meta decision shows that Nigerian regulators are not only aware of these risks but are actively enforcing the law to tackle them. The case also signals Nigeria's alignment with global enforcement trends and its readiness to hold dominant digital players accountable.
For businesses, the message is clear: data practices must comply not only with privacy standards but also with competition law. Responsible data governance is no longer optional— it is essential to sustaining consumer trust and fair market outcomes in Nigeria's digital economy. For further guidance on data protection compliance, please contact us at info@scp law.com.
Footnotes
1 Suit No. HCT/262/2020
2 (2018) LPELR-46193(CA)
3 Regulation 1.3(iv) NDPR; Section 65 NDPA
4 Regulation 1.3(iii) NDPR; Section 26 NDPA
5 Regulation 2.8 NDPR; Section 36 NDPA
6 Regulations 2.1(2) and (3) NDPR; Section 29 NDPA; Section 24(1)(b) NDPA
7 Data Protection Commission announces decision in WhatsApp inquiry | 02/09/2021 | Data Protection Commission
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.