Intermediary Liability, Data Protection, And Platform Responsibility: Appellate Considerations In Femi Falana, SAN v. Meta Platforms Inc. (Suit No: LD/17783MFHR/2025)

Introduction

The decision of the High Court of Lagos State in Femi Falana, SAN v. Meta Platforms Inc. raises significant legal questions concerning the relationship between constitutional privacy rights, the Nigeria Data Protection Act 2023 (NDPA or the Act), and the responsibility of online intermediaries for user generated content. The case arose from the publication of a video on Facebook by an unidentified third-party user falsely suggesting that the Femi Falana, SAN, the Claimant was suffering from a medical condition. Although the content was generated by a user and removed once the platform became aware of it, the Court held Meta liable for invasion of privacy and unlawful processing of personal data.

While the protection of personal dignity and informational privacy is an important constitutional objective, the reasoning adopted by the Court raises doctrinal concerns. In particular, the judgment appears to expand the scope of Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (the Constitution), blur the statutory distinction between data controllers and data processors under the NDPA, and depart from widely recognised principles of intermediary liability governing online platforms.

In this article, I argue that the decision is vulnerable to appellate challenge. In my view, a proper application of the NDPA, read alongside relevant comparative jurisprudence from European and United States courts, indicates that Meta should not have been classified as a joint data controller or as a data processor acting as an agent of the third-party user who uploaded the disputed content. Rather, I contend that Meta's role is more accurately characterised as that of a hosting intermediary in respect of the user generated material at issue.

Constitutional Dimensions of Privacy Protection

At the constitutional level, the Court's reasoning engages the scope of Section 37 of the Constitution. The Court construed the constitutional guarantee of privacy to include protection against the unauthorised dissemination of sensitive health information. However, Section 37 does not expressly refer to medical or health data.

The Court's interpretation therefore reflects a purposive and expansive reading of the provision. Although such an approach may align with evolving notions of informational privacy in contemporary digital environments, it remains open to debate whether the framers of Section 37 intended its protection of privacy to extend beyond spatial, communicational, and correspondence based privacy to encompass sensitive personal data such as medical information in the absence of explicit textual support.

This interpretative move carries broader implications for the development of constitutional privacy jurisprudence in Nigeria. By extending Section 37 into the domain of sensitive personal data regulation, the judgment effectively overlays constitutional doctrine onto an area that is already governed by a specialised statutory regime in the form of the Act. Whether such constitutional expansion is doctrinally justified is therefore a question that may properly warrant appellate clarification.

Statutory Framework of the Nigeria Data Protection Act 2023

The NDPA establishes Nigeria's primary statutory framework governing the processing of personal data. The Act regulates entities that determine the purposes and means of processing personal data and creates the Nigeria Data Protection Commission as the supervisory authority responsible for enforcement.

Section 65 and related interpretative provisions of the NDPA define key actors within the data protection ecosystem. A "data controller" is defined as an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data. A "data processor" is defined an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor. These definitions mirror the functional approach adopted in modern data protection law internationally. Responsibility under the Act therefore attaches to the entity that exercises decision-making authority over why and how personal data are processed.

Importantly, the statutory scheme distinguishes between entities that originate or direct data processing activities and those that merely provide technological infrastructure. Where an entity neither determines the purpose of processing nor processes personal data on behalf of another controller, it does not fall within either classification.

Application of the NDPA to User Generated Content

The facts of the Falana case indicate that the disputed video was created and uploaded by an independent Facebook user. The purpose of the processing, namely the creation and dissemination of the video, was determined exclusively by that user. There is no evidence that Meta instructed the user to create the content or participated in its production.

Under the statutory definitions contained in the NDPA, this distinction is decisive. Because Meta did not determine the purpose or essential means of the processing, it cannot properly be characterised as a data controller in relation to the publication. Likewise, Meta cannot be classified as a data processor because it did not process the data on behalf of the user acting as a controller. Instead, the platform functioned as a hosting intermediary providing the technological infrastructure through which users may communicate.

The Court's determination that Meta is a joint controller, and therefore liable for the alleged breach of the Claimant's privacy rights on the basis that the individual who uploaded the video was not identified or joined as a party to the proceedings, risks blurring the statutory distinction between the creator of the content and the intermediary that provides the technological platform through which that content is transmitted. Such an approach may obscure the functional differences between those who originate or determine the content of a communication and those whose role is limited to providing the infrastructure that enables user generated material to be disseminated.

If adopted more broadly, such an approach could substantially expand the scope of liability under the NDPA beyond what the statutory language appears to contemplate, with important implications for the allocation of responsibility between content originators and online intermediaries.

The judgment also appears to proceed on the assumption that Meta, as the operator of Facebook, acted as an agent of an unknown and undisclosed principal, namely the unidentified third party who uploaded the disputed content. On this basis, the Court reasoned that, under established principles of agency law, the acts of an agent bind the principal and vice versa, and that an aggrieved party may elect to proceed against either the agent or the principal. In the present case, the Court observed that the Claimant had elected to proceed against the alleged agent, Meta.

This characterisation, however, raises important doctrinal concerns. The presumption of an agency relationship in these circumstances appears to depart from orthodox principles of agency law. Traditionally, the existence of an agency relationship requires clear evidence of authority,1 consent,2 or control between the principal and the alleged agent. On the facts of the case, there was no indication that the unidentified uploader authorised Meta to act on their behalf, nor that Meta exercised control over the purpose or content of the publication.

Absent such indicia of authority or control, treating the platform as an agent of the uploader risks extending established agency principles beyond their conventional limits. If applied more broadly, such reasoning could introduce considerable legal uncertainty for online intermediaries that operate at scale and whose role is primarily to provide technological infrastructure for user generated communications, rather than to act on behalf of users in a representative legal capacity.

The Court's characterisation also presents an additional conceptual difficulty when considered within the framework of modern data protection law. If Meta were indeed acting as an agent under the control of the third-party uploader, the relationship would closely resemble that between a data processor and a data controller within the meaning of the NDPA. Under the Act, a data processor processes personal data on behalf of, and under the instructions or control of, a data controller.

However, the facts of the case do not appear to support such a conclusion. There was no evidence suggesting that the unidentified uploader exercised control over Meta's data processing operations or that Meta processed the data pursuant to the uploader's instructions, whether express or implied. In the absence of such elements of authority or direction, it becomes difficult to sustain the proposition that Meta acted as a processor on behalf of the uploader as controller.

Accordingly, characterising Meta as an agent operating under the control of the uploader appears conceptually inconsistent with the structure of the NDPA itself. Without evidence that Meta processed the personal data under the direction or authority of the uploader, the statutory criteria for classification as a data processor are not satisfied. In this respect, the agency analysis adopted by the Court risks conflating distinct legal concepts and may not accurately reflect the functional role of an online platform whose primary function is to provide the technological infrastructure through which user generated communications are disseminated.

To view the full article clickhere

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.