Meta Platforms Incorporated, the social media giant and parent company of Facebook, has been fined $220 million by the Competition and Consumer Protection Tribunal.
The fine was linked to its discriminatory data privacy practices against users from Nigeria.
The tribunal upheld the $220 million fine earlier imposed on Meta Platforms Incorporated by the Federal Competition and Consumer Protection Commission (FCCPC).
In a three-member panel ruling led by Thomas Okosun, Meta was also ordered to pay $35,000 to the FCCPC for the cost of its investigation, according to FCCPC’s director of corporate affairs, Ondaje Ijagwu, in a statement on Friday.
Last July, the federal government, through the FCCPC, imposed a $220 million fine on Meta for alleged data privacy breaches.
According to the commission, the company was found to be denying Nigerian data subjects the right to self-determination, unauthorised transfer and sharing of Nigerian data, including cross-border storage in violation, discrimination and disparate treatment, abuse of dominance, and tying and bundling.
Reacting to the fine, the tech giant challenged this fine on 22 grounds on the argument that the FCCPC’s directives were vague, technically unfeasible, and unsupported by Nigerian law.
Meta also claimed that it was denied a fair hearing and had no opportunity to respond to how the fine was calculated.
However, the tribunal rejected these claims, stating that Meta and WhatsApp had been given sufficient opportunity to defend themselves but failed to provide convincing evidence to challenge the Commission’s conclusions.
“The appellants were given ample opportunity to be heard,” said Okosun, rejecting allegations of procedural unfairness.
The FCCPC stated that the fine was the result of a thorough investigation into Meta’s treatment of Nigerian user data, which revealed exploitative practices enabling unauthorised access to personal information. According to the commission, Meta’s actions breached constitutional privacy rights and exacerbated disparities in data governance.
In response, Meta’s legal team, led by Professor Gbolahan Elias (SAN), contended that the FCCPC was overly reliant on foreign legal standards that are not applicable within the Nigerian legal context.
“There is no abuse of dominance since users can choose from other providers such as TikTok and Google Meet,” Elias said, calling the directives burdensome and excessive.
Babatunde Irukera (SAN), former Executive Vice Chairman of the Commission, emphasised that while foreign rulings are not legally binding, they can be persuasive and relevant in comparable legal situations. He defended the fine as a corrective measure rather than a punitive one, aimed at eliminating discriminatory practices and ensuring user consent is respected.
The tribunal concurred, stating that the FCCPC had acted within its legal mandate. It confirmed that the Commission’s final and supplementary orders were issued under both the FCCPC Act and Nigeria’s Evidence Act. The tribunal further held that Meta’s transfer of user data to third parties without explicit consent constituted a violation of Nigeria’s data protection laws.
“The tribunal finds no error in the overall orders of the FCCPC,” the panel held. “The administrative penalties were lawfully imposed.”
In addition to upholding the fine, the tribunal issued a series of compliance directives. Meta is required to immediately reinstate Nigerian users’ ability to control how their data is shared and revert to its 2016 data-sharing policy.
Within 10 days, the company must also submit a revised data policy to both the FCCPC and the Nigerian Data Protection Commission (NDPC), and make the policy publicly available.
The tribunal also ordered Meta must stop linking WhatsApp data to Facebook or any third party without obtaining clear, informed user consent, and is obligated to provide proof of compliance.
It went ahead to order the company to submit a formal compliance letter by July 1, 2025.
This ruling is not the first time Meta has faced regulatory scrutiny.
In 2023, the company was fined €1.2 billion by the European Data Protection Board for violating EU privacy laws—the largest penalty ever imposed under the GDPR.
