In February 2025, Nigeria announced a $32.8 million fine for data privacy violations against Meta Platform Inc., the parent company of Facebook and Instagram. However, the government became silent after reversing its stance by writing off the fine following a deal reached with the tech giant in October of the previous year.
Under the terms of the settlement agreement, Nigeria consented to release Meta from all liabilities concerning the alleged violations, allowing the company to avoid any financial penalty.
In exchange for Nigeria waiving the fine, which stemmed from approximately 17 months of investigation by the Nigeria Data Protection Commission (NDPC), Meta committed to ethical practices in handling Nigerian data moving forward.
The tech company incurred no financial liability, other than agreeing to cover the legal expenses Nigeria incurred in the lawsuit it initiated to contest the NDPC's “Final Orders.”
When Nigeria levied the fine last year, it joined a growing number of countries, including the United States, the United Kingdom, and the European Union (EU), that have imposed substantial fines on Meta and other tech firms for data privacy breaches and other safety risks associated with their platforms. Companies have been compelled to regularly address policy deficiencies to better ensure data privacy and mitigate safety concerns linked to social media exposures. Governments have also updated their laws and regulations and increased oversight to counter emerging threats, enhancing compliance and enforcement.
Nigeria's action was considered a significant development and one of the first of its kind on the African continent. However, the confidence it generated diminished when Nigeria rescinded the sanctions last year.
“Regulatory action is strongest when there is a clear finding of a breach, backed by penalties and the risk of further sanctions. Setting aside the earlier orders removed that weight, leaving the commitments with little additional force,” commented Iliya-Ezekiel Ndatse, a data protection lawyer.
Nigeria, through the NDPC, entered into a settlement agreement with Meta on October 30, 2025. Details of this agreement have not been previously made public. This settlement involved waiving the $32.8 million fine that was imposed in the Final Orders issued by the agency against the company on February 18, 2025.
PREMIUM TIMES has obtained certified true copies of the settlement agreement between the NPDC and Meta, along with the consent judgment delivered by the Federal High Court in Abuja on November 3, 2025, based on this agreement. Media outlets, including PREMIUM TIMES, reported the delivery of the judgment in November of the preceding year, but not the specifics of the agreement.
Months after the NPDC finalized the agreement and the court granted it judicial approval, the agency and the government have continued to keep the details confidential. This situation is reminiscent of the lack of transparency surrounding the deal the Nigerian government claimed to have reached with Twitter (now X) following the ban on the platform in Nigeria in June 2021.
How it started
Acting under its authority granted by the Nigeria Data Protection Act, 2023 (NDP Act), the NPDC, Nigeria's data regulatory body, commenced an investigation on September 20, 2023, into Meta's operations within Nigeria.
The inquiry focused on Meta's alleged contraventions of Nigeria's data protection laws and the privacy rights of more than 60 million Nigerian data subjects.
The NPDC and Meta engaged in written correspondence, and their representatives held multiple in-person meetings throughout the investigation period.
Following a 17-month investigation, the NPDC issued its “Final Orders” on February 18, 2025, detailing comprehensive findings and mandatory corrective actions.
The commission stated that it found Meta had “not sought express, specific and unambiguous consent” from users for behavioral advertising.
It also mandated a halt to the transfer of Nigerian personal data abroad without authorization, prohibited the collection of non-users' data, and restricted the company's use of algorithms that “could expose data subjects to health and financial risks.”
To protect the data privacy and rights of Nigerians, the NPDC directed Meta to obtain proper user consent, conduct a Data Processing Impact Assessment on the human rights and democratic implications of its systems, and revise its privacy policy to include the risks associated with profiling.
Furthermore, the NPDC ordered the company to cease transferring data internationally without NDPC approval, stop collecting non-users’ data, and provide educational resources on the dangers of unlawful data processing.
The commission also mandated the company to ensure equitable access for Nigerian users and businesses, implement robust technical and organizational safeguards for data protection, and remit the Naira equivalent of $32.8 million as a remedial fee.
However, after the NDPC's final orders and notification, Meta initiated legal proceedings against the sanctions at the Federal High Court in Abuja and even threatened to suspend its operations in Nigeria.
On March 4, 2025, the company’s legal representative, Fred Onuofia, a Senior Advocate of Nigeria (SAN), requested Judge James Omotosho to issue an interim order to stay the enforcement of the NPDC’s final orders. However, the judge declined the request and opted to hear arguments from all parties comprehensively.
Subsequently, Meta filed a substantive lawsuit on March 19, 2025, alleging that the NDPC had denied it a fair hearing and due process. The company sought to nullify the enforcement orders, contending they violated its right to a fair hearing as guaranteed by section 36 of the Nigerian constitution.
In response, the NDPC submitted a preliminary objection, arguing that the suit was inadmissible and that the court lacked the jurisdiction to hear the case.
The settlement
On October 3, when the court was scheduled to deliver its ruling, both parties announced they had reached an amicable resolution to the dispute.
Within a month, they finalized a settlement agreement dated October 30, 2025, which they submitted to the court the following day. The document was signed by Babatunde Bamigboye, NDPC’s Head of Legal, Enforcement, and Regulations, and Anna Benckert, Meta’s Vice President and Associate General Counsel, International Legal. The legal representatives for both parties also signed the document; Fred Onuobia, a Senior Advocate of Nigeria (SAN), represented Meta, while Adeola Adedipe, also a SAN, represented the NDPC.
On November 3, 2025, the court adopted the settlement agreement as a consent judgment, effectively nullifying the $32.8 million awarded in the Final Orders, which had been designated as a “remedial fee.”
The settlement terms were based on two fundamental principles:
· Meta offered to provide “specific remedial considerations in support of protecting the rights of data subjects in Nigeria”; and
· The NPDC agreed to set aside and waive any rights to enforce or take enforcement actions against Meta concerning the Final Orders.
The settlement agreement absolved both parties of all liabilities.
The agreement stipulates that its execution does not constitute either “an admission of liability or wrongdoing on the part of either party” nor does it imply “conceding their legal positions expressed in connection with the Matters.”
In another provision of the settlement agreement, Meta committed to “use its best endeavors to continuously improve its technical and organizational measures, taking into account the applicable obligations and/or principles set out in the Nigeria Data Protection Act, 2023 (NDP Act).”
In doing so, the company agreed to adhere to “the obligations under the NDP Act to process personal data lawfully, fairly and transparently; and to rely on an appropriate lawful basis when processing personal data, including for the purpose of behavioural advertising.”
It also agreed to meet the “requirements under the NDP Act for conducting a Data Privacy Impact Assessment in Nigeria; and safeguards for cross-border transfers of personal data.”
Consequently, Meta “wholly and completely terminates, abandons, withdraws, and discontinues the Originating Summons as well as any and all claims against the Respondent connected to or arising from the Matters or the subject matter thereof, except as the parties have otherwise agreed.”
It also agreed to directly pay the legal fees of the NPDC's counsel for the lawsuit.
For its part, the NPDC “sets aside the Final Orders” issued against Meta.
Furthermore, it “fully and firmly releases and discharges Meta from any and all claims, demands, actions, causes of action, contracts, obligations, suits, debts, costs, liabilities” which the agency “may ever have, may now have, or may hereafter claim to have against Meta in respect of the matters” as defined in the agreement.
However, the settlement agreement includes a clause permitting the NPDC to take further action against the company in the event of future violations.
“For the avoidance of doubt, paragraph 9.2 above will not restrict the Respondent from engaging in its statutory duties under the Nigeria Data Protection Act, 2023 with respect to the Applicant so long as it does not enforce or take steps to enforce the Final Orders or initiate new proceedings or issue new orders concerning the Matters as defined in paragraph 5 above,” the agreement states. Paragraph 5 refers to the lawsuit filed by Meta.
The parties agreed that the terms of the settlement agreement would have the force of a contract, “notwithstanding that they shall also be a judgement of the honourable court.”
Nigeria’s trade-offs
A REVIEW by PREMIUM TIMES of the settlement terms juxtaposed with the Final Orders reveals that the $32.8 million was not the sole concession Nigeria made in the deal.
In a significant reversal, Nigeria not only waived the fine and absolved Meta of liabilities but also agreed to replace the specific privacy and safety measures mandated by the Final Orders with more general, vague terms. At best, the directives were rephrased in broad, undefined language.
For instance, the final orders required Meta to “immediately seek express, specific and unambiguous consent of data subjects in Nigeria in all circumstances where their personal information will be processed for behavioural advertising”.
It also requested Meta to conduct a “Data Processing Impact Assessment” on how its algorithms or other methods facilitate and increase the processing of personal data—considering “the impact of this processing on human rights and peaceable, democratic development of Nigeria.”
Meta was also ordered to “immediately update its Privacy Policy and provide information relating to expert opinions on the consequences of profiling or and how processing of personal data may expose users to specific risks, particularly health risks.”
In place of these specific measures outlined in the Final Orders, the settlement agreement urged Meta to “use its best endeavors” to continuously enhance its technical and organizational measures in accordance with the Nigeria Data Protection Act, 2023 (NDP Act) and comply with other obligations and requirements under the law.
While the final orders also directed that “Meta shall cease and desist from transferring data out of Nigeria without the approval of the Commission in line with the NDP Act,” the settlement agreement merely asked Meta to ensure “safeguards for cross-border transfers of personal data.”
The Final Orders further mandated Meta to “cease and desist from collecting the personal data of non-users from its users,” adding that the consent of its users “is not a lawful basis for collecting and uploading the personal data of non-users to its servers outside Nigeria.” However, the settlement agreement did not specifically address the collection of non-users’ data. The closest provision is a statement urging Meta to rely on an appropriate lawful basis when processing personal data, including for behavioural advertising.
More directives were totally removed
Certain directives included in the Final Orders were entirely omitted from the settlement agreement.
Meta had initially been ordered to provide “an appropriate icon as a link to educative videos on the dangers of manipulative, unlawful or unfair data processing which might expose data subjects to health and financial risks or other destructive or fatal risks.” This directive was based on “the scale and impact” of Meta’s processing involving over 60 million data subjects in Nigeria. However, it was removed from the settlement agreement.
The Final Orders also directed Meta to develop educational programs through active collaboration with educational institutions and non-profit organizations approved by the commission. This measure was also not included in the settlement agreement.
Meta was also ordered to ensure that data subjects and businesses in Nigeria received comparable opportunities to benefit from Meta Platforms as their counterparts in Europe and the United States. This was intended to support the NDP Act's objective of fostering Nigeria's digital economy. Nevertheless, the settlement agreement remained silent on this point.
The Final Orders also mandated the tech giant to “put in place adequate technical and organisational measures including collaboration with educational and civil society organisations for the protection of data privacy on its platforms.” “Such measures shall involve prompt deletion of unlawful personal data posted on its platforms,” the Final Orders stated. This was also omitted from the settlement agreement, apart from inferences drawn from the obligations the NDP Act imposes on all social media platforms.
‘It’s remediation strategy’ – NDPC
Despite the significant discrepancies between the Final Orders and the settlement agreement reached by the NDPC with Meta, the agency asserts that it was a favourable outcome.
In a conversation with PREMIUM TIMES, NDPC spokesperson, Itunu Dosekun, praised the settlement agreement, stating that it “reflects” the commission’s broader strategy for engaging with tech companies.
Mr. Dosekun explained that the commission's objective is “to promote businesses, not to spoil businesses… but also ensure organisations respect people’s privacy.” He added that the decision to settle prioritized a balance between regulation and economic growth.
“It’s not just about paying fines but also doing the right thing… creating initiatives and awareness on data protection and privacy,” he remarked, noting that the commission adopted a remedial approach, focusing on rectifying breaches rather than solely relying on penalties.
Regarding compliance, he stated that the commission “is working hand in hand with them to ensure that they are doing the right thing, which they are complying with.” He highlighted awareness campaigns conducted across Meta’s platforms, mentioning, “They posted different content regarding awareness and privacy in collaboration with the commission.”
Concerns mount
However, many Nigerians are not as optimistic or confident about the commission's actions as Mr. Dosekun.
Tracy Keshi, project manager at the Tech Justice and Digital Governance Programme of the Centre for Journalism Innovation and Development (CJID), believes the settlement agreement weakens the NDPC's negotiating power. She commented, “The withdrawal of the fine and suspension of enforcement orders reduces immediate regulatory pressure, which can set a precedent that large tech companies can negotiate around penalties.”
Mr. Ndatse, the data protection lawyer, pointed out that obligations stipulated in the agreement, such as lawful processing, user consent, data impact assessments, and safeguards for cross-border data transfers, are already mandated by the NDP Act.
However, he asserted that the settlement agreement “weakens the earlier regulatory action and does not provide the same level of protection.”
Consequently, the lawyer maintained that setting aside the initial orders merely “reduces the impact of enforcement.”
Mr. Ndatse added that the agreement now relies primarily on future monitoring rather than immediate enforcement, making it less effective in practice.
Ms. Keshi echoed this concern, noting that the “key difference is enforceability; regulatory teeth are dulled. Compliance is now reliant on Meta’s voluntary cooperation.”
She did, however, identify a positive aspect, stating that the settlement demonstrates the “NDPC can engage major platforms and secure commitments from them, which sets a positive precedent.”
Similarly, Israel Boboye, a monitoring and evaluation officer at CJID, observed that while the NDP Act provides a legal framework, there was previously no clear consensus between regulators and companies on the practical application of these rules.
He further noted that data protection in Nigeria extends beyond the Meta case, highlighting broader deficiencies in data handling and understanding.
“Many users and organizations still do not fully understand and are not complying with basic standards,” Mr. Boboye stated.
‘No shift’
Many observers have yet to witness any clear benefits for Nigerian data subjects resulting from the settlement agreement.
Mr. Ndatse commented that Meta's existing data protection features on its social media platforms, including privacy notices and consent options, are part of its global system, influenced by more stringent regulations in jurisdictions like Europe.
“From a public perspective, there is no strong evidence of a noticeable shift in how Nigerian users’ data is treated,” he said, adding that there are still no “Nigeria-specific privacy policies or tailored consent mechanisms reflecting local legal requirements.”
Even if Nigerian users perceive some improvements in interface transparency, Ms. Keshi noted, the deeper structural and procedural changes essential for meaningful data protection remain largely unverified. “Cross-border data flows, the area of highest risk, remain opaque, and without third-party audits or NDPC disclosures on behavioral advertising, it is difficult to assess real change,” she remarked.
To determine if Meta has become more accountable and transparent in processing data from Nigeria, she suggested that “users should see clear prompts before behavioural ads are displayed rather than buried in fine print.” She also stated that “Meta should publish updates or reports on its data processing in Nigeria.”
She emphasized that users must have control over the data collected and whether it is shared internationally.
She also proposed that Meta should actively participate in campaigns, training, or partnerships to educate Nigerians about their digital rights, while ensuring “transferred data should have contractual or technical safeguards such as encryption or binding corporate rules.”
For Mr. Boboye, data protection in Nigeria encompasses more than just the Meta case, reflecting widespread deficiencies in how data is managed and comprehended.
“Many users and organizations still do not fully understand and are not complying with basic standards,” he concluded.
Comments (0)
You must be logged in to comment.
Be the first to comment on this article!