The Nigeria Data Protection Commission (NDPC) has launched an investigation into TikTok and Truecaller over alleged data breaches. This move is part of efforts to enforce compliance with the Nigeria Data Protection Act.
Speaking at a press conference in Abuja on Thursday, NDPC’s Chief Executive Officer, Dr. Vincent Olatunji, confirmed the probe. He stated that the commission is assessing the companies’ compliance with data protection laws and will determine the appropriate regulatory action based on its findings.
Olatunji noted that NDPC has shifted its focus to multinational companies, adding that investigations into TikTok and Truecaller are specifically related to data privacy concerns. He explained that if the companies address the identified issues and comply with regulations, the commission is willing to work with them.
He also revealed that compliance with data protection laws in Nigeria has improved significantly. Initially, only four percent of organisations adhered to regulations, but this has now risen to over 55 percent due to increased enforcement and stakeholder engagement.
The NDPC does not impose immediate sanctions on non-compliant companies. Instead, it follows a remediation process that considers the severity of breaches, the number of affected individuals and the potential economic impact. Companies found in violation are required to correct their failures and keep detailed records of their data processing activities. The commission then monitors them for six months to a year to ensure full compliance.
At the event, the NDPC also introduced the Nigeria Data Protection Act General Application and Implementation Directive. This guideline aims to help organisations understand and comply with data protection laws. It will be available on the NDPC portal and will reinforce the role of Data Protection Officers in companies.
Olatunji emphasized that many organisations lack proper knowledge of data protection regulations, leading to unintentional violations. He described the directive as a major step toward strengthening data privacy in Nigeria, especially as digital technologies continue to evolve.
The commission has engaged key stakeholders, including government agencies, corporate organisations, civil society groups and international institutions, to ensure that the directive meets global standards. It covers areas such as data protection principles, lawful data processing, cross border data transfers and grievance redress mechanisms.
To further protect citizens’ privacy, the NDPC introduced the Standard Notice to Address Grievance, which allows individuals to demand corrective action from companies before seeking intervention from the commission.
The full implementation of the directive will begin in September 2025, with a six month transition period. Provisions related to fees will take effect in January 2026. The NDPC also plans to roll out capacity building programs and provide regular advisories to support compliance efforts.
Olatunji assured that the commission remains committed to safeguarding Nigerians’ data privacy through clear regulations and continuous engagement with stakeholders.