FCCPC and Meta: An Insight Into The Rights of Data Subjects in Nigeria
In recent years, Nigerians have become increasingly aware of government laws and regulations, particularly when these laws directly affect their lives. A prime example is the recent dispute between the Federal Competition and Consumer Protection Commission (FCCPC) and Meta, the parent company of Facebook, Instagram, and WhatsApp. The FCCPC accused Meta of violating the rights of Nigerian data subjects and other alleged infractions, under the Federal Competition and Consumer Protection Act (FCCPA) and the Nigerian Data Protection Regulation (NDPR) 2019. The FCCPC's hefty $220 million fine against Meta, while controversial, sparked significant public debate in Nigeria. Meta's subsequent threat to exit the Nigerian market, which will result in potentially disconnecting millions from their platforms, further fueled discussions. While some questioned the fairness of the fine, others were concerned about the government's approach. Amidst this controversy, one glaring issue became evident: many Nigerians were unaware of their fundamental rights as data subjects. This newsletter aims to shed light on these rights of data subjects, using the FCCPC v. Meta case as a reference point, to empower startups and individuals to understand their data protection entitlements and the potential consequences of violations. Before diving into these rights, let's briefly recap the key points of the case.
A Brief Insight into The FCCPC V Meta Case
The FCCPC and the Nigerian Data Protection Commission (NDPC) investigated Meta Platforms (Facebook and WhatsApp) between May 2021 and December 2023. The investigation found that Meta Platforms violated Nigerian consumer protection and data privacy laws. The FCCPC alleged that Meta had engaged in abusive and invasive practices, which included:
- Denying data subjects the right to self-determine;
- Unauthorized transfer and sharing of Nigerian data - subjects' personal data including cross-border storage in violation of the now prevailing law;
- Discrimination and disparate treatment;
- Abuse of dominance; and
- Tying, and bonding.
The FCCPC therefore issued an order against Meta, imposing a $220 million fine for violating consumer protection and data privacy laws in Nigeria, among other penalties.
Data Subject Rights Under the Nigerian Law
Data protection in Nigeria is rooted in the constitutional right to privacy under Section 37 of the constitution, which guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications. The Nigeria Data Protection Act 2023 (NDPA) is the primary legislation governing data protection. Before the NDPA, the NDPR which was issued by the National Information Technology Development Agency was the go-to regulation on data protection. Based on the NDPA, the NDPR and other data protection regulations issued by NITDA or Nigerian Data Protection Bureau (NDPB) remain applicable, but are now considered regulations of the NDPC. While the NDPR operates in conjunction with the NDPA, the NDPA takes precedence in case of conflicts. The NDPA applies to any data controller that processes the personal data of anyone residing in Nigeria or to Nigerians within the country. The NDPA and NDPR grant data subjects significant control over their data and impose obligations on data controllers to protect their privacy. The following are the key rights of data subjects.
- Right to be Informed: Data controllers must provide data subjects with clear, concise, and easily understandable information about the processing of their data, including the purpose of processing, the categories of personal data involved, the recipients or categories of recipients of the data, the intended duration of storage, the existence of a right to request rectification or erasure, the existence of a right to complain to a supervisory authority, and, where applicable, the source of the data. The data subjects must be notified about the processing of their data at the time of collection or within a reasonable time thereafter. Data controllers must also provide data subjects with a privacy notice that outlines the key aspects of the data processing activities. This notice should be accessible, and easily understandable. The right to be informed enables data subjects to understand how their data is being used, allowing them to make informed decisions about their privacy.
- Right to Withdraw Consent: The NDPA grants data subjects the right to withdraw their consent for personal data processing at any time, provided consent is the legal basis. Organizations must make the withdrawal process as simple as obtaining consent. If consent was initially given in a straightforward manner, withdrawing consent should be equally easy without additional obstacles. Importantly, withdrawing consent does not affect the lawfulness of past processing based on that consent. If data processing is based on consent and the consent is withdrawn, data controllers may need to identify an alternative legal basis for processing the data, such as legitimate interest or legal obligation.
- Right to Object Processing of Data: Data subjects have the right to object to the processing of their personal data. Data controllers must stop processing unless they can demonstrate compelling reasons that outweigh the data subject's interests. For direct marketing purposes, data subjects have an absolute right to object, and processing must cease.
- Right of Data Portability: Data subjects have the right to receive their personal data from a data controller in a structured, commonly used, and machine-readable format. This allows data subjects to easily transfer their data to other organizations. Additionally, data subjects can transmit the personal data they receive to another data controller without any hindrance. This enables data subjects to switch service providers or move their data to a different location. Where technically feasible, data subjects can request that their personal data be transmitted directly from one data controller to another. This simplifies the transfer process and reduces the risk of data breaches. The NDPA also empowers the Commission to set rules and guidelines for when data subjects can exercise the right to data portability. This may include factors such as the type of data, the purpose of processing, and the impact on the data controller's operations. Furthermore, the Commission can establish obligations for data controllers and processors, including requirements related to costs and timing. This ensures that the right to data portability is exercised in a fair and efficient manner.
- Right to Rectification: Data subjects have the right to request that organizations correct or update inaccurate or incomplete personal information. This is important because accuracy can be subjective and objective. For example, if a data subject moves, they can request the organization to update their address. This right is as important as other rights under the NDPA. If inaccurate, incomplete, or misleading data cannot be corrected, the NDPA allows for its deletion.
- The Right to Erasure: Also known as the right to be forgotten or de-referencing, allows data subjects to request the deletion of their personal data from a data controller. The right to erasure empowers data subjects to take control of their personal data and have it deleted when it's no longer necessary or has been processed unlawfully. This helps protect privacy and prevents the misuse of outdated or irrelevant information. This right applies when:
- The data is no longer needed for its original purpose.
- The data subject withdraws consent for processing.
- The data was processed unlawfully, and the data subject objects to continued processing.
- The data controller processes data without a legal basis.
Conclusion
The FCCPC v. Meta case serves as a stark reminder of the importance of data protection rights in Nigeria. The dispute highlighted the potential consequences of corporate disregard for these rights and the critical role of regulatory bodies in enforcing data privacy laws. By understanding and asserting their data protection entitlements, individuals and businesses can contribute to a more equitable and privacy-respecting digital landscape. The NDPA provides a robust framework for protecting data subjects' rights and holding data controllers accountable, ensuring a more secure and transparent online environment.
Related publications
SEC Draft Regulatory Guide on Digital Assets
Just as many regulators around the globe have been at the heels of the paradigm shifting technology, Nigeria is not left behind in the quest to understand, utilize and maximize the offspring of blockchain technology. Nigeria’s Securities and Exchange Commission (SEC) recently shared guidelines that will regulate and serve as a regulatory framework for the issuance of digital assets and providers in the Nigerian terrain
Startups Funding News
The past month have been a remarkable one for growth and funding across the African startup ecosystem, with several companies achieving significant milestones. In this piece, we spotlight key updates, including Flutterwave’s new unicorn status, Kuda Bank’s impressive Series A raise, and major developments from Paystack’s acquirer, Stripe.