By Olumide Babalola
Background
In February 2025, news of the Nigeria Data Protection Commission’s (NDPC) $32.8 million fine against Meta made headlines. Reactions were mixed: some praised the NDPC for its courage, others questioned the basis of the fine, while sceptics doubted any meaningful outcome would result.
When Meta challenged the fine in court and the NDPC responded, many anticipated a landmark African judgment on data protection. Yet, in an unexpected turn, both parties entered into settlement negotiations. The resulting terms of settlement were later adopted as a consent judgment by the Federal High Court on 3rd November 2025. I recently became interested in the terms of the settlement when a civil society invited me to lead an evidence-based research on accountability of Big Tech companies in Nigeria. Hence, from the certified true copy obtained from the registry of the Federal High Court, the following are my open-minded observations, some of which reveal several troubling implications.
The Final Order Set Aside
Clause 9.2 of the terms reproduced as consent judgment states that the NDPC “sets aside the Final Orders against Meta.” This is arguably the most concerning clause. The 58-page Final Order reflects two years of investigation, hearings, and taxpayer-funded proceedings. Yet, the settlement nullifies all that work. Not only does this undermine the NDPC’s investigative efforts, but it also shields Meta from accountability and limits victims’ ability to seek redress.
The Fine Effectively Nullified
The terms of settlement and consent judgment do not stipulate any payment from Meta. Clause 9.2 discharges Meta from “all claims, demands, actions, causes of action, contracts, obligations, suits, debts, costs, liabilities.” In effect, the NDPC has no official path to collect the $32.8 million fine, leaving only the possibility of an informal, undisclosed arrangement.
Contradictions Within the Settlement
Clause 8 of the settlement outlines obligations for Meta, yet clause 9.2 discharges the company from “obligations.” This contradiction undermines both the optics and enforceability of the agreement, raising questions about the seriousness of Nigeria’s regulatory oversight.
Whistleblower Efforts Undermined
The Final Order was issued in response to a petition from a civil society organization. The consent judgment effectively nullifies the outcome of this patriotic whistleblowing effort. The NDPC’s investigation, which followed due process, is rendered meaningless for the whistleblowers and the public.
Meta’s Track Record Abroad
NDPC’s fine was not unprecedented globally. Meta has faced over €2.7 billion in GDPR fines in Europe, including a €481 million civil damages order in Spain in 2025 for unfair use of personal data. Yet, unlike in Nigeria, enforcement actions abroad have resulted in tangible penalties. The Nigerian settlement appears to be the first instance where Meta successfully challenged a fine and paid nothing (going by the records).
A First in Africa, But at What Cost?
NDPC’s original decision was celebrated as a pioneering move in Africa. However, the settlement undermines that achievement, setting a worrying precedent for regulatory enforcement on the continent.
Implications for Nigeria’s Data Sovereignty
By vacating its enforcement decision against Meta, NDPC raises serious concerns about Nigeria’s control over its citizens’ personal data. Data sovereignty relies on the principle that personal data generated within Nigeria remains subject to Nigerian law and oversight. When violations involving cross-border data transfers can be neutralized via settlement, Nigeria’s ability to assert authority over its citizens’ data is weakened. This reinforces the imbalance between Global South regulators and powerful Global North technology companies, reducing Nigeria’s leverage in setting global data standards.
Circumventing Criminal Accountability
Section 49 of the Nigeria Data Protection Act (NDPA) makes failure to comply with NDPC orders a criminal offense. Meta’s actions, therefore, constituted a criminal violation. The settlement effectively circumvents this accountability, raising dangerous implications for future regulatory enforcement.
Victims Left Unprotected
Ultimately, this episode affects over 60 million Nigerians whose data was misused. With the Final Order set aside, victims remain without redress, undermining the NDPC’s mandate to protect citizens’ privacy.
Double Standards in Enforcement
NDPC has successfully fined other entities in Nigeria, who complied with its orders. Meta, however, has been treated differently, creating an unequal enforcement landscape.
Setting a Precedent for Future Violators
This consent judgment risks creating a blueprint for multinational companies to evade regulatory penalties in Nigeria, weakening the credibility of the NDPC and the broader regulatory framework.
Conclusion
While the NDPC’s original fine against Meta represented a bold step for data protection in Africa, the subsequent consent judgment has diminished its impact. By vacating the Final Order and discharging Meta from all claims and obligations, Nigeria has compromised its data sovereignty, undermined whistleblowers, and left millions of citizens without recourse. This episode highlights the urgent need for stronger, consistent enforcement mechanisms to ensure that multinational technology companies are held accountable in Nigeria.