What Nigeria’s Challenge to WhatsApp’s Data Policy Means for Global Majority Countries

Since July 2024, Meta has been locked in a dispute over data privacy violations with Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC). The Commission imposed, among other sums, a $220 million fine on Meta, the highest penalty so far instituted against a major tech platform by a global majority country. Meta challenged the imposition and sought reprieve from Nigeria’s Competition and Consumer Protection Tribunal. The Tribunal ruled on April 25, 2025, upholding the fine imposed by the FCCPC, and ordered Meta to pay the sum within 60 days, which expired on June 24. Meta has not complied, and the stalemate continues, with implications for data privacy protections and regulatory capacity outside the US and Europe.

At the heart of the issue is a January 4, 2021 WhatsApp privacy policy update, which had global coverage. The update required users to accept that “As part of the Meta Companies, WhatsApp receives information from, and shares information…with, the other Meta Companies.” The policy violated the General Data Protection Regulation (GDPR), which led European regulators to mandate the Irish Data Protection Commission to impose a €225 million fine on the platform.

WhatsApp responded by updating its privacy policy on November 22, 2021, but only for users in Europe and the UK. From then onwards, WhatsApp has effectively had two data privacy regimes – one that is relatively strong and GDPR-compliant (for the European Region and the UK) and another, relatively weaker, for the rest of the world. Users in Europe and the UK have seen several updates ever since, the latest being the March 20, 2025 version, while other users are still governed by the January 4, 2021 policy.

Considering all these, the FCCPC investigated WhatsApp between May 2021 and December 2023. The conclusion was that Meta’s actions, in relation to WhatsApp, constituted “multiple and repeated, as well as continuing infringements” of the 2018 Federal Competition and Consumer Protection Act (FCCPA) and the 2019 Nigeria Data Protection Regulation (NDPR). The FCCPC found Meta guilty of data protection violations such as appropriating users’ personal data without consent, discriminatory practices compared to users in other jurisdictions (namely Europe), and abuse of Meta’s dominant market position by compelling users to accept Meta’s decision to share data among Meta Companies, such as WhatsApp and Facebook.

Relevant sections that Meta is accused of violating include Section 72 of the FCCPA, which prohibits the abuse of market dominance and Section 119, which proscribes the type of tying and bundling that WhatsApp’s privacy policy allows. For the NDPR, some of the relevant provisions include Regulation 2.3, which requires consent for processing user data and Regulation 2.11, which stipulates conditions for data transfers to foreign jurisdictions.

The investigation led to a July 19, 2024 final order, which specified a number of obligations regarding users’ data rights on Meta and imposed a financial penalty of $220 million on the platform and $35,000 for the cost of the investigation. Added to these is a $37.5 million fine by the Advertising Regulatory Council of Nigeria (ARCON) for unapproved adverts, and a $32.8 million fine by the Nigerian Data Protection Commission (NDPC) for data privacy violations.

In response, Meta threatened to pull Facebook and Instagram out of Nigeria, reflecting previous threats to exit major markets such as in Europe over data transfer disputes. If this threat holds, it will affect Meta’s market in Nigeria, where there are 51.2 million Facebook users, 51 million WhatsApp users, and 12.6 million Instagram users. But whatever happens, the case will set a precedent for regulatory action by global majority countries against Big Tech going forward.

Previous global majority attempts to rein in Big Tech

Before now, previous moves by global majority countries to impose financial penalties on Big Tech platforms have been few and far between. Examples include a case in India, where the Competition Commission of India fined Meta $25.4 million in November 2024 for sharing users’ WhatsApp data with other Meta platforms.

South Korea also fined Meta $15 million in November 2024 for collecting sensitive private data and sharing them with advertisers. In February 2025, South Africa also proposed that Big Tech companies such as Google, Meta, and X should compensate local news media for hosting their content, with a possibility that Google will be asked to pay $27 million annually.

Of all these, the Nigerian fine is the largest financial penalty imposed by an entity outside the US or Europe on a major Western tech platform. It highlights the increasing willingness among countries in the majority world to hold Big Tech platforms to account in the drive towards co-regulation.

Pivot towards co-regulation

The imposition of final penalties on Big Tech highlights a turn towards co-regulation, as I noted in a journal article on Nigeria’s recent digital policy emphasis. It represents an approach different from the legacy practice of direct-user regulation, which involves imposing punitive measures such as fines and imprisonment on users. Examples of regulation of this sort include the Nigerian 2015 Cybercrimes Act and the ill-fated 2019 Internet Falsehood Bill, which proposed prison terms of up to three years for users who post misleading content online.

An instance of the co-regulatory emphasis is the 2022 Code of Practice for Interactive Computer Service Platforms, which requires internet platforms to abide by duty of care standards. Regulators may prefer this approach because it targets a manageable number of platforms as opposed to the huge burden of regulating all internet and social media users in Nigeria.

The FCCPC fine also represents a pivot towards greater emphasis on data privacy and protection control measures as opposed to internet content regulation. The focus on data privacy became more pronounced in the period after 2019, and is perhaps more clear-cut than content moderation measures, which require individual content-by-content evaluation, compared to the aggregate ‘class-action’ type measures that apply to data protection and competition measures – where regulators can act on behalf of all users.

Balance of power dynamics & future implications

But there are balance of power issues to consider with the penalty that the FCCPC has imposed on Meta. That is, compared to US or EU regulators, does the FCCPC have sufficient powers to not just impose data protection and anti-competition measures on Big Tech platforms, but also secure compliance?

A previous example suggests that the FCCPC may struggle to secure compliance from Meta if it doesn’t stand its ground. This was the case of the 2021 Twitter ban, where Nigeria agreed to lift the ban if Twitter (now X) abides by certain conditions, one of which was that Twitter would set up an office in the country. Twitter didn’t comply and nothing happened by way of consequence.

As the court deadline for Meta’s compliance with the FCCPC order lapses, Meta’s plan may be to follow what Twitter did: refuse to comply and hope that the dispute will be overtaken by events. Meta may also fulfill its threat to pull out from Nigeria if it feels backed into a corner. While this will no doubt adversely affect Nigerian users, especially if Meta goes further to cut WhatsApp off, the consequences will equally be severe for Meta, for which Nigeria serves as a major market. It will also mean that Meta will have to agree to concessions before re-entry into Nigeria is allowed, and it is very likely that Meta will have to adhere more strictly to local data protection and consumer rights laws, as some researchers have noted.

But having chosen to take on Meta, the FCCPC must be determined to hold out and ensure that Meta complies. Otherwise, it will signal that global majority countries lack the power to rein in Big Tech platforms and enforce regulatory standards against them. Success for the FCCPC could also mean that Meta will have to harmonize its dual WhatsApp data privacy regimes by updating the January 4, 2021 policy for the rest of the world – many of whom will be watching the FCCPC/Meta dispute as a precedent to guide their regulatory relations with Big Tech.