Data Protection Commission Investigates TikTok and Truecaller for Suspected Data Breaches

The Nigeria Data Protection Commission (NDPC) has launched an investigation into TikTok and Truecaller amidst concerns regarding potential data breaches. This initiative aims to ensure that both companies adhere to the stipulations set forth in the Nigeria Data Protection Act. Vincent Olatunji, the NDPC’s national commissioner and Chief Executive Officer, announced the commencement of these investigations during a press conference held in Abuja.

Olatunji emphasized that the NDPC is thoroughly evaluating the compliance levels of these entities concerning data protection regulations. He noted that the commission’s findings will inform any necessary regulatory actions. “As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” Olatunji stated, indicating the seriousness of the inquiry.

The NDPC has seen significant improvements in compliance with data protection laws since initiating monitoring, with adherence levels rising from a mere four percent to over fifty-five percent. Olatunji explained that rather than imposing immediate penalties, the commission follows a remediation approach. This methodology evaluates breaches based on their severity, the number of affected individuals, and potential economic impact, allowing companies a chance to rectify their shortcomings.

When a breach is identified, companies are required to maintain meticulous records of their data processing activities and address any deficiencies found. Entities under review will be monitored for a period ranging from six months to a year to ensure improved compliance. Olatunji insisted that while the NDPC is committed to working collaboratively with companies to facilitate remediation, it will not hesitate to enforce stronger measures if the situation warrants.

At the press conference, the NDPC introduced the Nigeria Data Protection Act – General Application and Implementation Directive. The directive aims to guide both data controllers and processors in their compliance efforts. Olatunji acknowledged that many organizations are still unfamiliar with data protection regulations, leading to unintentional breaches, and the directive is designed to bring clarity and reinforce the role of Data Protection Officers.

The NDPC has committed to prioritizing the privacy rights of Nigerians through the implementation of this directive. Olatunji described this new framework as a vital advancement in Nigeria’s data privacy strategies, particularly necessary in an era increasingly defined by technological innovations that shape digital interactions.

Following the presidential assent to the Nigeria Data Protection Bill by President Bola Tinubu in June 2023, the NDPC began developing a comprehensive implementation framework. This initiative aligns with Section 37 of the 1999 Constitution, which guarantees the privacy of citizens and their communications. Engaging with a wide array of stakeholders, including government agencies, civil society groups, international institutions, and the media, has been crucial to ensuring that the directive meets the evolving demands of the data protection landscape.

The newly introduced directive addresses essential aspects such as data protection principles, lawful bases for data processing, and the rights of data subjects. It also outlines procedures for cross-border data transfers, compliance audits, and grievance redress mechanisms. With an emphasis on security best practices, the NDPC encourages organizations to conduct data privacy impact assessments and invest in the training and certification of Data Protection Officers.

The NDPC has also implemented a Standard Notice to Address Grievance mechanism, enabling individuals to directly seek remedial action from data controllers without the need for prior intervention from the commission. Full implementation of the directive is expected to commence in September 2025, allowing organizations a transitional period of six months, while all fee-related provisions will take effect in January 2026. Olatunji assured the business community that the NDPC will continue to issue guidance to bolster data privacy and protection across Nigeria.

As the investigation unfolds, any breaches it uncovers may turn out to involve tactics catalogued in the MITRE ATT&CK framework. Categories such as initial access and persistence could apply if vulnerabilities were exploited. The NDPC’s ongoing efforts highlight the critical importance of ensuring compliance with data protection regulations in an increasingly digital and interconnected age.
