WHEN the Federal Government and Meta Platforms Inc., parent company of Facebook and Instagram, agreed on Friday to settle out of court a staggering $32.8 million sanction for alleged data privacy violations, it was more than the end of a courtroom tussle.
It signaled Nigeria’s intensifying battle with data protection failures, regulatory enforcement gaps, and the rising dangers confronting millions of citizens in a digital-first economy. News Point Nigeria takes readers inside the growing crisis of digital privacy.
At the Federal High Court in Abuja yesterday (Friday), before Justice James Omotosho, lawyers representing both the Nigeria Data Protection Commission (NDPC) and Meta confirmed that they had entered an “advanced stage of settlement.”
Draft terms, they disclosed, had already been exchanged, and both sides requested the court’s permission to adjourn pending the formal adoption of settlement terms.
For the NDPC, the fine against Meta imposed in February was a test case for the enforcement of the Nigeria Data Protection Act (NDPA), 2023, signed into law by President Bola Tinubu barely a year earlier.
The commission accused the global tech giant of multiple breaches, including behavioural advertising without user consent, cross-border transfer of personal data, failure to file its 2022 audit, and processing of information belonging to non-users, including minors.
Meta, however, rejected the sanction, filing a counter-suit that described the NDPC’s enforcement as “procedurally defective” and a violation of its right to fair hearing. It asked the court to void the penalty altogether.
While settlement now appears imminent, the bigger question lingers: what does this case reveal about the state of data protection in Nigeria?
The Meta case is not an isolated event. In recent years, Nigerians have found themselves increasingly vulnerable to data privacy abuses, ranging from unauthorized use of personal information for political campaigns to the unlawful sale of SIM registration details.
In August 2025, the NDPC launched what it called its most ambitious enforcement drive yet, an investigation into 1,369 companies across key sectors such as banking, pensions, insurance, and gaming. These firms were given 21 days to prove compliance with the NDPA or face sanctions.
Earlier, in July 2025, Africa’s largest pay-TV operator, Multichoice Nigeria, was fined ₦766.2 million for “intrusive and disproportionate” processing of user data, including cross-border transfers without consent.
Despite being ordered to implement corrective measures, its compliance was deemed “unsatisfactory.”
Cybersecurity firm Surfshark reported that data breach incidents in Nigeria surged by 64% in the first quarter of 2023, rising from 50,000 to 82,000 cases in just three months.
The implications of these breaches go beyond regulatory fines; they affect real lives.
In October 2023, graduates of the University of Ilorin had their celebration marred when they received unsolicited congratulatory messages from Senator Saliu Mustapha, raising the question: how did the lawmaker obtain their personal data?
What seemed like a harmless political gesture exposed the larger reality: millions of Nigerians are unaware of how often their personal information (phone numbers, emails, national identity data) is shared or exploited without their knowledge or consent.
“It is a clear violation of their rights,” said cybersecurity expert Dr. Ada Nwosu, who stressed that both public and private institutions must prioritize compliance with the NDPA.
Investigations have revealed that data breaches in Nigeria stem not only from hackers but also from weak internal controls and insider exploitation.
In 2023, Flutterwave lost over ₦2.9 billion in unauthorized transactions traced to workflow loopholes.
A leaked spreadsheet of Sterling Bank’s customer details raised concerns over third-party vendor risk.
Even the National Identity Management Commission (NIMC) faced scrutiny when a researcher demonstrated how unsecured APIs exposed sensitive identity records.
Telecommunications providers, despite strict regulation, have also struggled. In early 2024, MTN Group disclosed a data incident affecting customers across multiple markets, sparking fears in Nigeria given the scale of its SIM registration database.
Nigeria’s NDPA 2023 was meant to usher in a new era of accountability and trust in the handling of personal data. The law grants Nigerians rights over how their information is collected, stored, and shared. Yet, enforcement is still catching up with reality.
Experts warn that breaches are not just legal infractions but also security threats, from identity theft to financial fraud. For businesses, non-compliance risks not only fines but also reputational damage and exclusion from international partnerships that demand data protection standards.
As consumer rights advocate Dr. Amaka Okafor notes, “The issue is not whether breaches will occur, but whether Nigerians have the power and awareness to assert their rights when they do.”
The NDPC has made it clear that companies have no choice but to comply with the NDPA. The upcoming General Application and Implementation Directive (GAID), effective from September 19, 2025, will further tighten compliance requirements.
Regulators estimate that compliance-related services could generate ₦13.8 billion in revenue for licensed consultants by the end of 2025.
But beyond economics, data protection in Nigeria is fast becoming a survival strategy for citizens protecting their identities, and for businesses safeguarding their credibility.
As the FG–Meta settlement nears conclusion, it serves as both a landmark moment and a cautionary tale: global giants are not beyond the reach of Nigeria’s laws, and local firms must now prepare to meet the same standards or risk being the next on the regulator’s list.