Privacy breach: More details into WhatsApp's $220m fine in Nigeria

Image source: hstocks – 123RF.com

The investigation aimed to consider the concern, based on perceived evidence, of consumer abuse in terms of the Federal Competition and Consumer Protection Act, 2018 (FCCPA) and the Nigerian Data Protection Regulation, 2019 (NDPR).

The approach adopted was indeed to investigate WhatsApp LLC (WhatsApp) from both a consumer protection and competition standpoint, as well as data protection perspective, since data protection has been recognised as a consumer protection issue in Nigeria. Based on the fact Meta Platform Inc (Meta) is WhatsApp’s parent company, and exercises control over the business practices of WhatsApp, it was included in the investigation.

Updated privacy policy

The Commission took note during May 2021 that WhatsApp introduced an updated privacy policy (Policy). The Policy became effective on 15 May 2021. The Commission took note of the evidence based on publicly available information and consumer feedback, that suggested that the Policy was forced on Nigerian WhatsApp users in a manner that did not align with applicable standards of fairness. Specifically, the voluntariness of acceptance or consent to the Policy in terms of standards stipulated in terms of the NDPR and FCCPA were deemed questionable.

Following a lengthy investigation, the Commission concluded that WhatsApp and Meta are dominant in the defined market, due to the huge amount of data it collects, as well as their technological link, network and lock-in effects; the accumulation of which led that Commission to the conclusion that WhatsApp and Meta have an ability, intention and indeed likelihood for abuse, with respect to exclusionary practices, barriers to entry and consumer abuse.

Policy disparity

The investigation focused on certain core issues, including the disparity in treatment of consumers in different jurisdictions under similar regulatory frameworks and prevailing legal standards. Specifically, the protection afforded Nigerian users under the NDPR is similar to same for European users under the General Data Protection Regulation (GDPR), yet WhatsApp adopted different policies in both jurisdictions.

In addition, considering scope, purpose, uses and sharing (including sharing with third parties and such uses, including Meta); different treatment between European and Nigerian WhatsApp users; the removal of particular provisions from the prevailing privacy policy; Meta’s role/relationship as a business service provider (BSP), and the manner in which the privacy policy was imposed in Nigeria, were noted.

Rights violation

It was concluded that WhatsApp violated the rights of its users by introducing its updated privacy policy, in a manner that is a clear departure from regulatory provisions governing consent freely obtained, and consent withdrawal.

Furthermore, the investigative panel was pointed to discrimination of Nigerian users, tying and illegal transfer of data outside Nigeria without the necessary consent being obtained. The dominance finding, in its turn resulted in the findings of network effects, lock in effects, and market power, as well as a user interface that prevented consumers from switching.

The ability of regulators to scrutinise business practices should not be underestimated. The legal risks from a data privacy, consumer protection and competition law perspective ought to be taken into account every step of the way when new products are developed, policies drafted, and procedures put in place.

Let all legal planets align. Only then will you mitigate against an administrative fine.

The decision by the Nigerian regulator was announced on 19 July 2024. Let's keep an eye on the way forward considering the suggested $220,000,000 fine.