The Nigeria Data Protection Commission (NDPC) has commenced an investigation into TikTok and Truecaller over suspected data breaches, aiming to ensure their compliance with the Nigeria Data Protection Act.
Vincent Olatunji, the national commissioner and Chief Executive Officer of the NDPC, disclosed this at a press conference in Abuja on Thursday.
Olatunji stated that the commission is assessing their compliance with data protection laws and will decide on appropriate regulatory actions based on its findings.
According to him, “As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy.”
He added, “Depending on our findings, if they are able to go through remediation and do what is right, we are happy to work with them.”
The Executive Officer revealed that when the commission initially began monitoring compliance, only 4% of organizations adhered to data protection regulations.
However, he noted that increased enforcement and stakeholder engagement had raised compliance levels to over 55%.
He explained that the NDPC does not impose immediate sanctions but adopts a remediation approach, which involves assessing breaches based on their severity, the number of affected individuals, and the potential impact on the economy.
He said that rather than announcing non-compliance outright, the commission provides companies with specific corrective measures to address their shortcomings.
The commissioner added that once a company is found to be in breach, it must maintain detailed records of its data processing activities and correct any identified failures. Organisations under scrutiny are also monitored for a period of six months to a year to ensure full compliance.
He further stated that while the commission is open to remediation, it will not hesitate to take stronger measures if necessary.
At the press conference, the NDPC also introduced the Nigeria Data Protection Act – General Application and Implementation Directive, which provides guidelines to help data controllers and processors comply with the law.
Olatunji said many organisations do not fully understand data protection regulations, leading to inadvertent breaches.
The directive, which will be available on the NDPC portal, is intended to provide clarity and reinforce the role of Data Protection Officers in ensuring compliance.
He reaffirmed the commission’s commitment to safeguarding the privacy rights of Nigerians through the implementation of the Nigeria Data Protection Act – General Application and Implementation Directive.
Olatunji described the directive as a significant milestone in Nigeria’s efforts to ensure data privacy and protection, particularly in an era where emerging technologies are reshaping digital interactions.
He stated that the NDPC began working on a robust implementation framework following the presidential assent to the Nigeria Data Protection Bill by President Bola Tinubu on June 12, 2023.
According to him, this assent aligns with Section 37 of the 1999 Constitution, which guarantees the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.
He explained that in fulfilling this constitutional obligation, the commission had engaged extensively with key stakeholders, including data subjects, government agencies, corporate organisations, civil society groups, international institutions, and the media.
These engagements were aimed at ensuring that the directive reflects the expectations and realities of the evolving data protection landscape.
He announced that the directive addresses key areas such as data protection principles, lawful bases for data processing, data subjects’ rights, cross-border data transfers, compliance audit returns, and standardised grievance redress mechanisms.
He added that it also provides guidelines on data privacy impact assessments, training and certification of data protection officers, alternative dispute resolution, and global best practice benchmarking.
He also stated that the NDPC had introduced the Standard Notice to Address Grievance, a mechanism that allows individuals to directly demand remedial action from data controllers and processors without first seeking intervention from the commission.
He stated that the directive’s full implementation would begin in September 2025, giving organizations a six-month transition period.
Additionally, he noted that all fee-related provisions would take effect from January 2026.
He assured that the commission would continue issuing guidance notices and advisories to clarify legal requirements and strengthen data privacy and protection in Nigeria.
He further mentioned that capacity-building programs would be introduced, with feedback gathered through NDPC platforms to inform future reviews and the development of new regulatory measures.