Technology Times presents the report of the Federal Competition and Consumer Protection Commission (FCCPC) investigation of Meta, owners of Facebook and WhatsApp, that revealed alleged unscrupulous business practices that violated data privacy of Nigerian consumers.
Table of Contents
IN THE MATTER OF INVESTIGATION INTO POSSIBLE VIOLATIONS OF THE RIGHTS OF NIGERIAN CONSUMERS IN THE PROVISION OF CONTACT-BASED INSTANT MESSAGING SERVICE IN NIGERIA AND ENQUIRIES INTO OBNOXIOUS, EXPLOITATIVE, AND UNSCRUPULOUS BUSINESS PRACTICES BY WHATSAPP LLC AND META PLATFORMS, INC. UNDER THE FEDERAL COMPETITION AND CONSUMER PROTECTION ACT, 2018
EXECUTIVE SUMMARY November 13, 2023
EXECUTIVE SUMMARY
Data protection has been vastly recognised as a consumer protection issue, but very few have recognised the increasing concern and challenges it raises as a competition issue. However, the Federal Competition and Consumer Protection Commission (Commission) being the foremost agency of the Federal Government responsible for the promotion, protection, and enforcement of competition and consumer protection in Nigeria, has approached this growing concern and investigation from both a consumer protection and competition standpoint.
As will be noticed in the Report, the Commission was able to empirically establish the fact that the Targets of Investigation (ToI), WhatsApp LLC and Meta Platform INC. are dominant in the defined market, due to the huge amount of data it collects, as well as their technological link, network and lock-in effects; the accumulation of which has demonstrated an ability, intention and indeed likelihood for abuse, with respect to exclusionary practices, barriers to entry and consumer abuse.
In the instant investigation, besides the evidence of consumer abuse based on both the Federal Competition and Consumer Protection Act, 2018 (FCCPA) and the Nigerian Data Protection Regulation, 2019 (NDPR), the team examined and analysed specific conduct by the ToI, and substantiated the fact that they abused their dominance.
About May 2021, the Commission became aware of the then WhatsApp’s Updated Privacy Policy (“Policy”). The Policy became effective on May 15, 2021. Publicly available evidence and consumer feedback appeared to the suggest that the Policy was foisted on Nigerian users in a manner that did not comport with applicable standards of fairness. Specifically, the voluntariness of acceptance or consent to the Policy under standards identified under the NDPR and FCCPA appeared questionable.
In order to most appropriately address any possible violations of extant law and regulations, particularly, the FCCPA, and to proceed in a comprehensive manner, the Commission as is the case in inquiries of this nature conducted a preliminary investigation to gain deeper understandings, nature, structure and dynamics of the market in which WhatsApp operates in Nigeria. Credible evidence and analysis demonstrated that WhatsApp is dominant in the defined market it operates in Nigeria.
Based on the Commission’s assessment and findings, the Commission was satisfied that there was sufficient basis to potentially ultimately conclude that, in the absence of contrary evidence, WhatsApp’s conduct could be violations of the FCCPA and NDPR.
In accordance with the Commission’s regulatory, and investigative process, and in order that a target or subject of investigation is accorded the fullest opportunity to controvert, rebut, dispute, explain of clarify available evidence, on June 10, 2021, the Commission issued an Order to Show Cause (OSC) pursuant to Section 17 of the FCCPA. The purpose of the OSC was to inform and present the target of investigation (WhatsApp and Facebook (now Meta)) with the Commission’s initial findings; and to invite responses.
The OSC required WhatsApp and Facebook to show cause why the Commission should not proceed in the manner identified in the OSC, more particularly, entering an order finding that the ToI had infringed, and were infringing consumer rights, and engaging in conduct that constitutes abuse of dominance through their joint business practices and the Updated Privacy Policy, specifically in contravention of Sections 72, 108(d), 124(1), and 127 of the FCCPA and Regulations 1.3(iii), 2.3, and 2.5 of the NDPR.
For completeness, Meta (previously known as Facebook) was included in the investigation because it is WhatsApp’s parent company, and, exercises control over the business practices of WhatsApp. Additionally, evidence showed that Meta stands to benefit from particular updates in the Policy through various technical integrations.
On July 9, 2021, Facebook and WhatsApp (now jointly referred to as “ToI”) responded to the Commission’s OSC. The ToI by internal counsels indicated their intention to respond to the OSC within 30 days from the day the OSC was received. On July 23, 2021, the Commission received representation from external and local Nigerian counsel on behalf of the ToI as their joint response and disputation of the OSC and the preliminary findings therein. Essentially, ToI considered the regulatory intervention of the Commission unwarranted and based on a misapprehension of the purpose and effect of the Policy.
On August 19, 2021, the Commission responded to the ToI reiterating its analysis, and providing detailed responses to the ToI’ joint presentation of July 23. The Commission clarified the core substantive issues including disparate treatment of consumers in different jurisdictions under similar regulatory frameworks and prevailing legal standards. Specifically, the protection afforded Nigerian users under the NDPR is similar to same for European users under the General Data Protection Regulation (GDPR), yet ToI adopted different policies in both jurisdictions.
In addition, and in response to assertions made by the ToI, the Commission requested further information to support or substantiate the position and assertions adopted by the ToI. In particular, the Commission requested: Privacy Policies that were then currently in force; Privacy Policies that were no longer in force; technical white papers; identities of business solution providers (past, current, and prospective); and number of WhatsApp users in Nigeria that have accepted the Privacy Policy (including dates of acceptance).
On October 4, 2021, the ToI responded challenging the Commission’s August 19 response arguing that the Commission’s assertions and findings were baseless and lacked factual evidentiary support. In particular, the ToI disagreed with the Commission’s market definition, whether the ToI were dominant, and questioned whether their conduct resulted in any harm to consumers.
In furtherance of the investigation, including to address issues raised by the ToI, the Commission procured additional evidence from relevant institutional and regulatory sources including the National Information Technology Development Agency (NITDA).
The Commission received further evidence, including the differences between the prevailing Privacy Policies in Europe and Nigeria, regulatory interactions with Meta regarding the Policy, and scope of data points collected by ToI with respect to the defined market.
In response to an expressed request, the Commission engaged ToI in discussions regarding the subject of investigation. Discussions started on December 14, 2021; and culminated in a meeting on March 4, 2022.
At the March 4th meeting, ToI were confronted with the evidence gathered, and the Commission’s thoughts about the investigation. In response, and as further entrenchment of the ToI position, ToI again reiterated the intended purpose and effect of the Policy. In addition, ToI responded to specific inquiries from investigators with respect to the scope, purpose, uses and sharing (including sharing with 3rd parties and such uses, including Meta); disparate treatment between European and Nigerian WhatsApp users; removal of particular provisions from the prevailing Privacy Policy; Meta’s role/relationship as a Business Service Provider (BSP), and the manner in which the Privacy Policy was imposed in Nigeria.
ToI expressed a desire to more robustly respond to the inquiries by augmenting their answers in a more comprehensive written presentation within 21 days. The ToI’ request for a more comprehensive response was granted, including the provision of additional perspectives addressing the issues identified by the Commission.
ToI provided the written response in their comprehensive presentation of April 1, 2022.
In furtherance of the investigation, and to more empirically address points, and or refutations raised by ToI, the Commission on May 18, 2023, authorized and conducted an independent market study to (i). Validate, corroborate or otherwise information provided and argument propounded by ToI; (ii). Secure an even more recent survey or “state of the market” as well as landscape; (iii). Verify participants including any new entrants; (iv). Respective market shares/power; (v). Scope of services and usability/substitutability; and (vii). Other counterfactuals with respect to barriers and switching cost.
On May 24, 2023, the Commission requested that ToI provide information with respect to location(s) where the data of data subjects/consumers in, and gathered in Nigeria in delivering service is stored. On June 5, 2023, ToI responded informing the Commission that the data subject of regulatory inquiry is stored in Meta’ data centres at multiple locations: United States, European Union, and Singapore. The Commission’s request was to assess compliance with Clause 2.11 of the NDPR under the rubric of both regulatory compliance, and disparate treatment from users in Europe under the GDPR.
This investigation commenced by the OSC of June 23, 2021, and the repeated engagements and exchanges with ToI, as well as evidence procured from other relevant sources. The Commission is satisfied with the sufficiency of evidence, and adequacy of inquiry, including scope, interrogation of issues, opportunity to, and for the ToI to respond, refute and contribute to the investigation, and outcome. Accordingly, the Commission by this Report and any Orders under the FCCPA and other applicable instruments made pursuant to, closed the investigation.
In summary, the NDPR provides the basis and authority with respect to consumer’s right to self-determine the use, processing and transfer or dissemination of their data. The FCCPA mandates the FCCPC to administer and enforce any enactment with respect to Consumer Protection and Competition, including the NDPR.
WhatsApp violated the rights of its users by introducing its Updated Privacy Policy, in a manner that is a clear departure from regulatory provisions governing consent freely obtained, and consent withdrawal, the investigative Panel (Panel) were also able to demonstrate discrimination of Nigerian users, tying and illegal transfer of data outside Nigeria without the requisite permit.
Furthermore, given that ToI are dominant, the series of conduct described in the report constitute an abuse of dominance, due to the established network effect, lock in effects, and market power, as well as user interface that prevented consumers from switching.
RECOMMENDATIONS
The Panel recommended corrective outcomes (Penalties for infringement is considered differently under the Commission’s Administrative Penalties Regulations, 2020 (APR); and in circumstances where the Commission will not seek criminal prosecution or referral to the Office of the Honourable Attorney General for prosecution); made the following recommendations based on the issues for Determination and Terms of Reference (ToR) to the Investigative Panel:
1. Whether WhatsApp’s 2021 Updated Privacy Policy complies with the NDPR
The NDPR provides the basis and authority with respect to consumer’s right to self-determine the use, processing and transfer or dissemination of their data. This is a legal and fundamental right of the data subject, except on grounds of necessity. ToI had an obligation and several opportunities to, but failed to show that this fundamental and legal right of users was not violated, when ToI provided information with respect to each data point collected and the basis for such specific collection, considering its failure to obtain users freely given consent.
ToI should immediately and forthwith and in any case no later than 10 days from date of Order provide the Commission and NDPC simultaneously with a comprehensive full and detailed information about what data it gathers including identifying exactly which is necessary for maintaining service and discontinuing gathering from those not so identified pending any further regulatory action.
ToI shall immediately reinstate the rights of Nigerian users to self-determine and control the use, processing, sharing or transfer of their data, as well as their right to informed choice, and fair dealings by providing Nigerian Users an opportunity to restrict and withdraw their consent without losing functionality or deleting the application.
ToI shall immediately ensure that their Privacy Policy complies with the Nigerian Data Protection Act (NDPA) with respect to its obligation to ensure data subjects consent freely to any Privacy Policies, by updating the Privacy Policy in an intelligible format, that allows Nigerian Users the opportunity to fully express their legitimate rights with respect to each data point collected.
ToI shall immediately ensure its Privacy Policy is in compliance with the NDPR, and the Nigerian Data Protection Act, with respect to storage and transfer of user’s data in data centers outside Nigeria.
ToI shall immediately and forthwith stop the process of sharing WhatsApp user’s information with other Facebook companies and third parties, until such a time when users have actively and voluntarily consented to each and every component of the liberties ToI intend to exercise with respect to the information of data subjects. Such proposed policy must be approved by the NDPC and or the Commission prior to operationalization.
ToI shall immediately revert to the data sharing practices adopted in 2016. Additionally, they are required to establish an opt-in screen that allows users to consent to or withhold consent for the sharing of additional personal data with third parties affiliated with the App, same to be approved in advance by the Commission and the NDPC.
2. Whether WhatsApp’s 2021 Updated Privacy Policy and business practices with respect to its data collection and management processes are excessive, unscrupulous, obnoxious and a deliberate tactic to exploit Nigerian consumers, contrary to the FCCPA and NDPR
WhatsApp collects a lot more data than is required for the provision of its services to its users, than other operators of similar or same service. The data collected by WhatsApp is more than necessary for efficient provision of its services as demonstrated by data points collected by providers of same or similar services. In addition, WhatsApp processes this data and shares with third parties of its choosing, including Facebook, its parent company; without the legal and necessary consent of its users. What is more egregious is the manner in which this data is demanded from the users. WhatsApp determined to compel users of its service to waive their right to self-determine how their data is used by degrading the quality of its service and limiting functionality against any user who fails to accept its current Privacy Policy. Finally, WhatsApp denies Nigerian users their right to restrict or withdraw their consent with respect to sharing their data with third parties and Facebook, in a discriminatory manner when compared with their European counterparts.
ToI shall immediately and forthwith, and in any case, no later than 10 days from date of this Order, cease the tying and transfer of data from its WhatsApp market to its Facebook market, and other third parties’ services without express consent sought and freely obtained from data subjects.
3. Whether WhatsApp is dominant in the defined relevant market and whether its business tactic with respect to its Privacy Policy update is an abuse of such dominance
Considering WhatsApp’s market share, its market power with respect to its financial and economic strength and backing from its parent or affiliate company, its links to other technological operators, its network effect, lock in effects, and other factual barriers to entry and expansion (such as enormous user interface), the Commission determined it is dominant in the “Contact-Based Instant Messaging Service” in Nigeria. Following its determination of dominance, the Commission analyzed specific conduct by WhatsApp with respect to its unbalanced power with users of its service and competitors to determine that it had abused its dominance by failing to honor consumer rights to self-determine how their data is processed and disseminated, due to its lock-in-effect as a dominant service provider; collecting data in excess of what is required for the efficient provision of its service and tying both services and markets (necessary data with optional data) while denying consumers their right to give consent to the use of such data; is not only evidence of its dominance but also an abuse of such dominance through its demonstrable discrimination and exploitation among others.
4. We recommend Penalties for infringement under the Administrative Penalties Regulations, 2020 (APR) in circumstances where the Commission will not seek criminal prosecution or referral to the Office of the Honourable Attorney General for prosecution.