Corporate Commercial
Corporate Commercial
Nov 17, 2025
Nigeria & Meta: What the US$32.8 Million Data Settlement Means for Businesses
Background
On February 18, The Nigeria Data Protection Commission (NDPC) imposed both a remedial fee of 32,800,000 US Dollars and eight corrective orders on Meta inc. Their claim was that Meta has violated the fundamental privacy rights of Nigerian users by:
the use of behavioral advertisements without explicit consent,
processing personal data of non-users,
failing to file mandatory compliance audits and
transferring user data abroad without authorization.
Unsatisfied with the sanction, Meta filed a motion ex-parte dated and filed on February 26, dragging the NDPC to court as sole respondent.
In the motion (Suit No. FHC/ABJ/CS/355/2025),
heard on March 4, Justice James Omotosho granted leave for Meta to commence judicial review proceedings, seeking an order of certiorari to quash the NDPC’s compliance and enforcement directives.
However, the court declined to stay all proceedings related to the NDPC’s “Final Orders” pending the outcome of the judicial review, opting instead for an accelerated hearing.
Settlement Discussions
NDPC, represented by Adeola Adedipe, SAN (Alpha & Rohi Law Firm), filed a preliminary objection challenging the competence of Meta’s suit.
The regulatory agency, in its objection dated April 10 and filed April 11 by Adedipe, urged the court to either strike out or dismiss the case.
Adedipe, in two grounds of argument, submitted that the originating summons filed by the company is incompetent for non-compliance with the mandatory provision of Order 34 Rule 6(1) of the FHC (Civil Procedure) Rules, 2019.
Quoting the provision, the lawyer said: “No ground shall be relied upon or any relief sought at the hearing, except the grounds and reliefs sought in the statement.”
He also argued that the suit, as presently constituted, is grossly incompetent and academic, the reliefs sought therein, not being capable of activating the jurisdiction of the court.
“The suit is liable to be struck out/dismissed, in limine,” Adedipe had argued.
During the hearing, Meta’s counsel, Fred Onuofia, SAN, informed the court that both parties had reached an advanced stage of settlement, requesting adjournment to allow finalization of terms.
Justice Omotosho, on October 3rd, noting the court’s preference for amicable resolution, adjourned the matter until October 31 for either ruling or adoption of the settlement terms.
Final Resolution of the Case
By late October 2025, both parties reached full agreement on settlement terms.
On 3 November 2025, the Federal High Court adopted the settlement as a consent judgment, effectively closing the case.
Key outcomes include:
Meta agreed to pay the US$32.8 million remedial fee in accordance with the NDPC’s enforcement action.
Meta agreed to implement enhanced compliance, reporting, and data-governance measures in Nigeria.
The NDPC withdrew its earlier “Final Orders” and replaced them with the terms of settlement.
The judicial review proceedings were terminated following the consent judgment.
This settlement represents one of the largest data-protection–related remediation payments in Africa to date.
Legal and Regulatory Context
The NDPC’s enforcement powers derive from the Nigeria Data Protection Act (NDPA), 2023, which replaced the earlier Nigeria Data Protection Regulation (NDPR, 2019).
The Act empowers the NDPC to:
Impose fines and remedial orders,
Enforce compliance audits, and
Regulate cross-border data transfers.
This development underscores the NDPC’s commitment to strengthening Nigeria’s data protection framework and holding global technology firms accountable for local compliance.
What This Means for Businesses in Nigeria
The fine against Meta came as one of the measures by the Nigeria Data Protection Commission (NDPC) to protect Nigerians’ data under the Nigeria Data Protection Act(NDPA), signed into law by President Bola Tinubu in June 2023.
For Foreign Multinationals and Tech Platforms
Foreign entities processing Nigerian data should expect heightened scrutiny. There is now an increasing emphasis on:
Local data processing,
User consent protocols, and
Mandatory compliance filings with the NDPC.
Failure to comply could result in heavy fines, litigation, or reputational harm.
For Domestic Businesses
Sectors such as fintech, ad-tech, e-commerce, and digital marketing rely heavily on user data. These businesses must ensure:
Transparent data collection and usage practices,
Explicit consent from data subjects, and
Compliance with NDPC guidelines on cross-border data transfer.
For Contracting and Partnerships
Businesses should incorporate data compliance obligations in service and vendor contracts to mitigate regulatory risk.
(See also: Understanding Contracts in Nigeria: What Makes an Agreement Legally Binding?)
Compliance Checklist
To avoid being on the wrong side of enforcement actions, organizations should:
Conduct periodic data protection audits
Update privacy policies and data consent mechanisms
Review cross-border data transfer processes for NDPC approval
Engage local data protection officers and legal advisers
Include regulatory change and data-processing clauses in contracts
Ensure vendor and third-party compliance across their supply chain.
Broader Context in Africa
Nigeria’s move mirrors similar enforcement trends across the continent.
Countries like Kenya, South Africa, and Ghana have increased penalties for non-compliance with local data protection frameworks.
Meta itself has faced similar regulatory scrutiny in the European Union, where Ireland’s Data Protection Commission imposed a record €1.2 billion fine for cross-border data violations in 2023.
This signals that Nigeria is aligning its regulatory enforcement with global best practices.
Conclusion
The Meta case demonstrates that data protection is no longer a procedural compliance issue, it is a key business imperative.
For Nigerian and foreign entities alike, the NDPC’s growing assertiveness highlights the importance of embedding privacy governance, consent management, and lawful data transfer mechanisms within all operations.
Transparent and accountable data practices will not only ensure compliance but also enhance consumer trust and position Nigeria as a credible digital economy player.
Sources
Nigeria Data Protection Commission (NDPC) — Public Statement on Enforcement Action against Meta Platforms Inc. (February 2025)
Nigeria Data Protection Act (NDPA), 2023
Federal High Court of Nigeria (Abuja Division) — Meta Platforms Inc. v. Nigeria Data Protection Commission, Suit No. FHC/ABJ/CS/355/2025
Publicly available judicial and regulatory filings relating to NDPC’s enforcement actions and settlement proceedings (February–October 2025)
Media coverage and verified legal reports on the NDPC–Meta settlement (October 2025)
Background
On February 18, The Nigeria Data Protection Commission (NDPC) imposed both a remedial fee of 32,800,000 US Dollars and eight corrective orders on Meta inc. Their claim was that Meta has violated the fundamental privacy rights of Nigerian users by:
the use of behavioral advertisements without explicit consent,
processing personal data of non-users,
failing to file mandatory compliance audits and
transferring user data abroad without authorization.
Unsatisfied with the sanction, Meta filed a motion ex-parte dated and filed on February 26, dragging the NDPC to court as sole respondent.
In the motion (Suit No. FHC/ABJ/CS/355/2025),
heard on March 4, Justice James Omotosho granted leave for Meta to commence judicial review proceedings, seeking an order of certiorari to quash the NDPC’s compliance and enforcement directives.
However, the court declined to stay all proceedings related to the NDPC’s “Final Orders” pending the outcome of the judicial review, opting instead for an accelerated hearing.
Settlement Discussions
NDPC, represented by Adeola Adedipe, SAN (Alpha & Rohi Law Firm), filed a preliminary objection challenging the competence of Meta’s suit.
The regulatory agency, in its objection dated April 10 and filed April 11 by Adedipe, urged the court to either strike out or dismiss the case.
Adedipe, in two grounds of argument, submitted that the originating summons filed by the company is incompetent for non-compliance with the mandatory provision of Order 34 Rule 6(1) of the FHC (Civil Procedure) Rules, 2019.
Quoting the provision, the lawyer said: “No ground shall be relied upon or any relief sought at the hearing, except the grounds and reliefs sought in the statement.”
He also argued that the suit, as presently constituted, is grossly incompetent and academic, the reliefs sought therein, not being capable of activating the jurisdiction of the court.
“The suit is liable to be struck out/dismissed, in limine,” Adedipe had argued.
During the hearing, Meta’s counsel, Fred Onuofia, SAN, informed the court that both parties had reached an advanced stage of settlement, requesting adjournment to allow finalization of terms.
Justice Omotosho, on October 3rd, noting the court’s preference for amicable resolution, adjourned the matter until October 31 for either ruling or adoption of the settlement terms.
Final Resolution of the Case
By late October 2025, both parties reached full agreement on settlement terms.
On 3 November 2025, the Federal High Court adopted the settlement as a consent judgment, effectively closing the case.
Key outcomes include:
Meta agreed to pay the US$32.8 million remedial fee in accordance with the NDPC’s enforcement action.
Meta agreed to implement enhanced compliance, reporting, and data-governance measures in Nigeria.
The NDPC withdrew its earlier “Final Orders” and replaced them with the terms of settlement.
The judicial review proceedings were terminated following the consent judgment.
This settlement represents one of the largest data-protection–related remediation payments in Africa to date.
Legal and Regulatory Context
The NDPC’s enforcement powers derive from the Nigeria Data Protection Act (NDPA), 2023, which replaced the earlier Nigeria Data Protection Regulation (NDPR, 2019).
The Act empowers the NDPC to:
Impose fines and remedial orders,
Enforce compliance audits, and
Regulate cross-border data transfers.
This development underscores the NDPC’s commitment to strengthening Nigeria’s data protection framework and holding global technology firms accountable for local compliance.
What This Means for Businesses in Nigeria
The fine against Meta came as one of the measures by the Nigeria Data Protection Commission (NDPC) to protect Nigerians’ data under the Nigeria Data Protection Act(NDPA), signed into law by President Bola Tinubu in June 2023.
For Foreign Multinationals and Tech Platforms
Foreign entities processing Nigerian data should expect heightened scrutiny. There is now an increasing emphasis on:
Local data processing,
User consent protocols, and
Mandatory compliance filings with the NDPC.
Failure to comply could result in heavy fines, litigation, or reputational harm.
For Domestic Businesses
Sectors such as fintech, ad-tech, e-commerce, and digital marketing rely heavily on user data. These businesses must ensure:
Transparent data collection and usage practices,
Explicit consent from data subjects, and
Compliance with NDPC guidelines on cross-border data transfer.
For Contracting and Partnerships
Businesses should incorporate data compliance obligations in service and vendor contracts to mitigate regulatory risk.
(See also: Understanding Contracts in Nigeria: What Makes an Agreement Legally Binding?)
Compliance Checklist
To avoid being on the wrong side of enforcement actions, organizations should:
Conduct periodic data protection audits
Update privacy policies and data consent mechanisms
Review cross-border data transfer processes for NDPC approval
Engage local data protection officers and legal advisers
Include regulatory change and data-processing clauses in contracts
Ensure vendor and third-party compliance across their supply chain.
Broader Context in Africa
Nigeria’s move mirrors similar enforcement trends across the continent.
Countries like Kenya, South Africa, and Ghana have increased penalties for non-compliance with local data protection frameworks.
Meta itself has faced similar regulatory scrutiny in the European Union, where Ireland’s Data Protection Commission imposed a record €1.2 billion fine for cross-border data violations in 2023.
This signals that Nigeria is aligning its regulatory enforcement with global best practices.
Conclusion
The Meta case demonstrates that data protection is no longer a procedural compliance issue, it is a key business imperative.
For Nigerian and foreign entities alike, the NDPC’s growing assertiveness highlights the importance of embedding privacy governance, consent management, and lawful data transfer mechanisms within all operations.
Transparent and accountable data practices will not only ensure compliance but also enhance consumer trust and position Nigeria as a credible digital economy player.
Sources
Nigeria Data Protection Commission (NDPC) — Public Statement on Enforcement Action against Meta Platforms Inc. (February 2025)
Nigeria Data Protection Act (NDPA), 2023
Federal High Court of Nigeria (Abuja Division) — Meta Platforms Inc. v. Nigeria Data Protection Commission, Suit No. FHC/ABJ/CS/355/2025
Publicly available judicial and regulatory filings relating to NDPC’s enforcement actions and settlement proceedings (February–October 2025)
Media coverage and verified legal reports on the NDPC–Meta settlement (October 2025)
Site Map
© 2024 Maverick Solicitors. All rights reserved.
DEVELOPED BY SHAKS STUDIOS
Site Map
© 2024 Maverick Solicitors. All rights reserved.
DEVELOPED BY SHAKS STUDIOS
Site Map
© 2024 Maverick Solicitors. All rights reserved.
DEVELOPED BY SHAKS STUDIOS
Site Map
© 2024 Maverick Solicitors. All rights reserved.
DEVELOPED BY SHAKS STUDIOS
