On 19 July 2024, the Federal Competition and Consumer Protection Commission in Nigeria imposed a fine of $220 million on Meta Platforms Inc, the parent company of WhatsApp LLC, for violations of both the Federal Competition and Consumer Protection Act 2018 and the Nigeria Data Protection Regulation 2019.
In the investigation report that served as the basis for this penalty, the FCCPC formulated three main issues for determination. One of these issues was whether WhatsApp’s ‘business practices with respect to its data collection and management processes are excessive, unscrupulous, obnoxious and a deliberate tactic to exploit Nigerian consumers, contrary to the FCCPA and NDPR’. The FCCPC ruled in the affirmative on this issue.
The FCCPC in reaching this particular determination exercised among others, its section 17 (a) power under the FCCPA. This provision charges the FCCPC with the responsibility of enforcing any other enactment related to competition and consumer protection in Nigeria. In exercising this authority, the FCCPC interpreted the NDPR as a consumer protection law. Although this interpretation of the FCCPC’s statutory function is novel in Nigeria and may be subject to scrutiny in appellate courts, there are persuasive case laws from the United States (U.S) where courts have recognised the Federal Trade Commission (FTC), the lead consumer protection agency in the U.S., as having broad data protection enforcement authority in instances where consumers are exploited. This authority is derived from section 5 of the FTC Act, which prohibits ‘unfair or deceptive acts or practices’—a phrase that closely parallels the term ‘obnoxious practices or the unscrupulous exploitation of consumers’ found in section 17(s) of the FCCPA.
While the scope of the FCCPC’s power to enforce the NDPR and address data privacy infringements as a form of consumer harm remains uncertain in Nigeria, the following U.S. cases may offer some guidance: FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014); FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 609 (D.N.J. 2014); and FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 247–48 (3d Cir. 2015). These cases originated from a single matter in which Wyndham Worldwide Corp., a hotel chain, contested FTC’s authority to enforce data security practices following a series of data breaches suffered by the hotel. Upon appeal to the U.S. Court of Appeals for the Third Circuit, the court upheld the FTC’s authority, holding that lax cybersecurity practices leading to a data breach fall within the ‘unfairness’ prong of the FTC Act. This decision affirmed the FTC’s jurisdiction to address and enforce violations related to data privacy.
It is crucial to emphasise that when the FCCPC chooses to exercise its consumer protection authority to enforce the NDPR, any subsequent determinations or outcomes resulting from such enforcement actions must be in strict adherence to both the spirit and letter of the NDPR.
--
Read the full publication at Streamsowers and Kӧhn