In a landmark development for digital rights and corporate accountability in Africa, Meta Platforms Inc., the parent company of Facebook and Instagram, has agreed to an out-of-court settlement with the Nigerian Data Protection Commission (NDPC) to resolve a dispute arising from a series of alleged data protection violations.
Background: A Clash Over Data Sovereignty
The NDPC had, on February 18, 2025, issued Final Orders against Meta, imposing a $32.8 million USD remedial fee and a set of corrective actions under the Nigeria Data Protection Act (NDPA) of 2023.
This represented one of the most significant enforcement actions yet taken under Nigeria’s new data protection framework, signaling the Commission’s growing assertiveness in regulating global tech companies operating within its jurisdiction.
The Commission alleged that Meta had violated the privacy rights of Nigerian users by engaging in behavioural advertising without obtaining explicit consent, processing the personal data of non-users, failing to submit its 2022 compliance audit report, and transferring Nigerians’ personal data outside the country without authorization.
The Corrective Orders
Beyond the financial penalty, the NDPC’s orders sought to bring Meta’s operations in line with local legal requirements. Among the directives were:
- Revision of Meta’s privacy policies to reflect Nigerian legal and cultural contexts.
- Completion of a Data Processing Impact Assessment (DPIA) specific to Nigeria.
- Obtaining express user consent before engaging in behavioural advertising.
- Halting cross-border data transfers without prior regulatory approval.
These orders positioned Nigeria alongside the EU and other jurisdictions that are actively reshaping the balance of power between users, corporations, and regulators in the digital economy.
Court Challenge and Settlement Talks
Meta responded by challenging the NDPC’s enforcement process before the Federal High Court in Abuja, arguing that it had been denied a fair hearing. The case, presided over by Justice James Omotosho, became a test case for the reach and procedural fairness of the NDPC under the new law.
However, on October 3, 2025, counsel for both Meta and the NDPC informed the court that the parties had reached an advanced stage in settlement discussions, having exchanged draft terms. The court subsequently adjourned the matter to October 31, 2025, to allow the parties to finalize the agreement — which could ultimately be adopted as a consent judgment.
Why This Matters: The Rise of African Data Enforcement
This case marks a defining moment for Africa’s emerging data governance landscape. The NDPC’s assertiveness signals that global tech giants are now being held accountable to African laws, not just global standards like the GDPR.
If finalized, the settlement will underscore three key trends:
- Regulatory Confidence: African data protection authorities are increasingly willing to confront Big Tech using domestic legal instruments.
- Localized Compliance: Global platforms must now adapt to country-specific privacy expectations, not one-size-fits-all global policies.
- Data Sovereignty in Action: Nigeria’s approach highlights how African nations are asserting greater control over data generated by their citizens.
The Bigger Picture
For Meta, the settlement could provide a path to regulatory stability in one of Africa’s largest markets. For Nigeria — and indeed the continent — it sets a precedent for enforcement maturity, showing that African regulators can balance deterrence with dialogue.
As discussions move toward a final consent judgment, this case may well define how Africa’s digital future is negotiated: through the lens of sovereignty, accountability, and shared responsibility.