Paragraph 1: The Nigeria Data Protection Commission (NDPC) has initiated investigations into TikTok and Truecaller over potential violations of the Nigeria Data Protection Act (NDPA). This move underscores the NDPC’s intensified efforts to ensure compliance with data protection regulations among both local and international companies operating within Nigeria. Dr. Vincent Olatunji, the National Commissioner and CEO of the NDPC, announced the investigations during a press conference, emphasizing the commission’s commitment to scrutinizing data handling practices and taking appropriate regulatory action based on their findings. The investigations will focus on determining whether these companies’ data collection, processing, and storage practices align with the provisions of the NDPA.
Paragraph 2: The NDPC’s approach to enforcement emphasizes remediation rather than immediate sanctions. Dr. Olatunji explained that the commission assesses data breaches based on their severity, the number of individuals affected, and the potential economic impact. Instead of publicly announcing non-compliance, the NDPC provides companies with specific corrective measures to address identified shortcomings. This approach allows organizations the opportunity to rectify their practices and strengthen their data protection frameworks. Following the implementation of corrective measures, the NDPC monitors the organizations for a period of six months to a year to ensure sustained compliance. However, Dr. Olatunji stressed that the commission would not hesitate to impose stronger measures if necessary.
Paragraph 3: Alongside the investigations, the NDPC unveiled the Nigeria Data Protection Act – General Application and Implementation Directive. This directive provides detailed guidance to data controllers and processors on how to comply with the NDPA. Dr. Olatunji highlighted that many organizations lack a comprehensive understanding of data protection regulations, which often leads to unintentional breaches. The directive aims to clarify legal requirements, promote best practices, and foster a stronger culture of data privacy and protection within Nigeria. The directive will be accessible on the NDPC’s online portal, providing a readily available resource for organizations seeking to comply with the law
Paragraph 4: The NDPA – General Application and Implementation Directive addresses a broad range of critical data protection areas. These include fundamental data protection principles, lawful bases for data processing, data subjects’ rights, cross-border data transfer regulations, compliance audit returns, and standardized grievance redress mechanisms. Furthermore, the directive offers guidance on data privacy impact assessments, training and certification programs for Data Protection Officers (DPOs), alternative dispute resolution processes, and benchmarking against global best practices. This comprehensive coverage aims to equip organizations with the necessary tools and knowledge to implement robust data protection measures.
Paragraph 5: The NDPC also introduced the Standard Notice to Address Grievance, a mechanism empowering individuals to directly demand remedial action from data controllers and processors without requiring initial intervention from the commission. This empowers data subjects to actively participate in protecting their data privacy rights. Dr. Olatunji emphasized the NDPC’s commitment to fulfilling the constitutional guarantee of citizens’ privacy, as enshrined in Section 37 of the 1999 Constitution, which protects the privacy of citizens’ homes, correspondence, telephone conversations, and telegraphic communications. The development of the directive involved extensive consultations with various stakeholders, including data subjects, government agencies, corporate organizations, civil society groups, international institutions, and the media, ensuring that it reflects the evolving data protection landscape.
Paragraph 6: The full implementation of the NDPA – General Application and Implementation Directive is scheduled for September 2025, allowing organizations a six-month transition period to adapt their practices and systems. Provisions related to fees will take effect from January 2026. The NDPC has committed to providing ongoing support to organizations through guidance notices, advisories, and capacity-building programs. The commission will also actively solicit feedback through its platforms to inform future reviews of the directive and the development of new regulatory instruments. This continuous improvement approach aims to ensure that Nigeria’s data protection framework remains effective and adaptable in the face of evolving technological advancements and data privacy challenges.
