Data Protection Considerations in Mergers & Acquisitions in Nigeria
Nigeria’s consumer protection agency fined Meta $220 million because it believed that Meta breached data protection laws and that the breach was so egregious as to warrant the fine. We don’t agree with the decision of the agency, but the ruling has significant implications for private equity and strategic mergers and acquisitions, especially technology mergers. This article explains how mergers and acquisitions in Nigeria can become a regulatory flashpoint, and what investors and deal teams must do to avoid similar exposure.
Following the acquisition of WhatsApp by Facebook, WhatsApp sought the consent of its users to transfer data to its new owner. The fine arose from the Nigerian authorities’ view that the method of obtaining this consent violated consent principles under Nigeria’s data protection laws. In other words, the fine occurred within the context of a legitimate post-acquisition integration process, following a merger and acquisition transaction.
Buyers must give greater consideration to warranties and indemnities in the context of mergers and acquisitions in Nigeria, especially relating to regulatory fines imposed for pre-closing conduct. The Meta case shows how regulatory agencies may hold acquirers accountable for legacy conduct, even if it occurred before the closing date or arose from decisions that the acquirer did not directly control.
An independent data protection audit of a target company in a merger and acquisition in Nigeria ought to be separated from the standard legal due diligence and handled by specialized consultants. Legal teams may miss the operational nuances of data processing practices. A dedicated data protection audit allows for a deeper review of how consent is obtained, how data is shared, and whether the company’s data policies align with the jurisdiction’s evolving regulatory expectations.
Global data transfers now require a localized strategy, not just legal disclaimers. The FCCPC’s objection was not about transferring data per se, but about applying different standards to Nigerian users compared to users in Europe. Regulatory environments increasingly expect companies to offer equivalent protections across jurisdictions, particularly where local laws mirror international frameworks (as the NDPR mirrors the GDPR).
It may be prudent for post-acquisition product changes to undergo consent impact assessments, especially if a buyer intends to unify data systems. Meta’s move to integrate WhatsApp data with Facebook services triggered scrutiny. Buyers should assume that any change in how data is processed post-acquisition may be viewed as a fresh processing activity, not grandfathered by the original consent obtained.
Cross-border regulatory coordination is rising, and fines are following. Nigeria’s approach reflects a global trend of regulators asserting extraterritorial jurisdiction where their citizens’ data is concerned. Dealmakers in mergers and acquisitions ought to anticipate that enforcement may no longer be limited to the U.S. or EU, and that emerging markets will apply penalties of equal commercial consequence.
Material adverse change (MAC) clauses must now consider regulatory pushback on data and privacy grounds. In jurisdictions like Nigeria, an unexpected regulatory fine, even post-closing, may materially impact the value or viability of the transaction. Buyers should consider crafting MAC triggers that are not limited to financial deterioration, but also include enforcement actions related to data, AI, or platform conduct.
For data protection compliance purposes, dealmakers are dealing with two distinct regulators: a sector regulator (e.g., NITDA) and a competition regulator (FCCPC). What makes Nigeria unique is that the FCCPC may override the sector regulator’s stance if it determines that consumer rights or competition principles have been violated. This dual-track oversight increases complexity and requires buyers to prepare for parallel and potentially conflicting compliance interpretations.

Olu A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)
Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
olu@balogunharold.com
Kunle A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)
Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
k.adewale@balogunharold.com