In February 2025, Nigeria made headlines across the continent. The Nigeria Data Protection Commission (NDPC) had slapped Meta — parent company of Facebook and Instagram — with a $32.8 million fine following a 17-month investigation into data privacy violations affecting over 60 million Nigerian users.
Eight months later, that fine was gone. And nobody said a word.
According to a report by Premium Times Nigeria, Nigeria and Meta signed a quiet settlement on October 30, 2025. A Federal High Court in Abuja rubber-stamped it as a consent judgment on November 3.
The fine was written off. Most of the specific directives were scrapped. And the details were kept from the public — until now.
What the Investigation Actually Found
The NDPC’s case against Meta was not trivial. After launching its probe in September 2023, the commission claimed that Meta had processed the personal data of Nigerians without obtaining proper, specific consent — particularly for behavioural advertising.
It ordered Meta to stop transferring Nigerian user data abroad without regulatory approval, cease collecting data on non-users, and conduct a full Data Processing Impact Assessment examining the effects of its algorithms on human rights and Nigeria’s democratic development.
The commission also directed Meta to update its privacy policy, create educational programmes about data risks in partnership with civil society organisations, and ensure Nigerian users and businesses had access to the same platform benefits as their counterparts in Europe and the United States.
On top of all that: pay the equivalent of $32.8 million as a remedial fee.
It was one of the most sweeping regulatory actions ever taken against a major tech company on the African continent.
The Climbdown
Meta challenged the orders in court, with its legal team arguing the NDPC had denied it a fair hearing and due process. The company even threatened to shut down its Nigerian operations — a pressure tactic that has worked for tech giants in other markets. When the court declined to grant a stay of enforcement, both sides began negotiating behind closed doors.
What emerged from those talks bore little resemblance to the original orders.
Under the settlement, Nigeria released Meta from “any and all claims, demands, actions, causes of action… obligations, suits, debts, costs, liabilities.”
In return, Meta agreed to “use its best endeavours” to continuously improve its data practices in line with Nigeria’s data protection law — language critics describe as deliberately vague.
Meta also agreed to pay the NDPC’s legal fees from the court case it had itself initiated.
Crucially, the settlement explicitly states it does not constitute “an admission of liability or wrongdoing” by either party.
What Got Dropped
The Premium Times review of the original Final Orders against the settlement agreement reveals a near-complete reversal of Nigeria’s regulatory position.
The specific requirement for Meta to seek “express, specific and unambiguous consent” for behavioural advertising was replaced with a broad commitment to process data “lawfully, fairly and transparently.”
The directive to cease collecting data on non-users vanished entirely from the settlement. So did the requirement to create educational programmes with civil society organisations and the directive ensuring Nigerian users receive equitable treatment compared to users in Europe and the US.
The bold cross-border data transfer restriction — Meta was to seek NDPC approval before moving Nigerian user data abroad — was softened to a vague reference to “safeguards.”
Regulatory Teeth, Dulled
Legal experts and digital rights advocates are not impressed.
“Regulatory action is strongest when there is a clear finding of a breach, backed by penalties and the risk of further sanctions,” said Iliya-Ezekiel Ndatse, a data protection lawyer. “Setting aside the earlier orders removed that weight, leaving the commitments with little additional force.“
Tracy Keshi, project manager at the Tech Justice and Digital Governance Programme of the Centre for Journalism Innovation and Development, put it more plainly: “Compliance is now reliant on Meta’s voluntary cooperation.”
She noted that cross-border data flows — arguably the highest-risk area for Nigerian users — remain opaque, with no third-party audits or NDPC disclosures on behavioural advertising to verify any real change.
The NDPC, for its part, defends the deal as a “remediation approach” — focused on correcting behaviour rather than punishing it. Its spokesperson said the commission is “working hand in hand” with Meta on compliance and pointed to awareness campaigns run across Meta’s platforms.
