The Nigeria Data Protection Commission (NDPC) has opened an investigation into TikTok and Truecaller over alleged violations of data privacy laws.
Part of an enforcement by the Nigeria Data Protection Act (NDPA), the goal is to strengthen data security and accountability in the country.
At a press briefing in Abuja, NDPC’s Chief Executive Officer, Dr Vincent Olatunji, confirmed the ongoing probe, stating, “As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy.”
The commission is assessing whether these global platforms comply with Nigeria’s data protection regulations. If violations are found, the companies could be required to implement corrective measures. Olatunji clarified that the NDPC’s approach is not to impose immediate penalties but to guide organisations toward compliance.
When the NDPC first started monitoring data protection compliance, only 4% of companies in Nigeria adhered to the regulations. However, through sustained enforcement and stakeholder engagement, compliance levels have now risen to over 55%. This shift shows the level of awareness when it comes to data privacy among businesses operating in Nigeria.
Unlike regulators that immediately impose fines, the NDPC first evaluates the severity of breaches and their impact on individuals and the economy. Organisations found to be non-compliant are given specific steps to rectify their lapses. They must maintain proper records of data processing activities, and the commission monitors their progress for six months to a year.
While the NDPC prefers remediation over punitive action, Olatunji warned that stricter enforcement would be applied when necessary.
Beyond investigations, the NDPC has also introduced the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID), a detailed framework to help businesses comply with the law. This directive covers key areas such as data protection principles, legal grounds for processing personal data, cross-border data transfers, and mechanisms for handling grievances.
A highlight is the introduction of the Standard Notice to Address Grievance (SNAG), which allows individuals to demand corrective action from companies handling their data—without first involving the NDPC. Olatunji stated that this empowers Nigerians to take charge of their data privacy, holding businesses accountable in real-time.
Full implementation of the directive will commence in September 2025, with a six-month transition period for businesses to align with the new requirements. Provisions related to fees will take effect in January 2026.
The NDPC has assured that it will continue to provide advisory notices and training programmes to ensure that Nigeria’s data protection culture stays strong even as technology brings changes.
