ABUJA, Nigeria (VOICE OF NAIJA)-The Nigeria Data Protection Commission (NDPC) has launched an investigation into TikTok and Truecaller over alleged data breaches as part of its efforts to enforce compliance with the Nigeria Data Protection Act.
NDPC’s National Commissioner and Chief Executive Officer, Dr. Vincent Olatunji, announced this during a press conference in Abuja on Thursday.
He stated that the commission was assessing the platforms’ adherence to data protection laws and would determine the necessary regulatory action based on its findings.
“As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” he said.
Olatunji added, “Depending on our findings, if they are able to go through remediation and do what is right, we are happy to work with them.”
He revealed that when the commission first began monitoring compliance, only four percent of organisations adhered to data protection regulations.
However, he noted that enforcement efforts and stakeholder engagement had helped raise compliance levels to over 55 percent.
Explaining NDPC’s approach, he said the commission does not impose immediate sanctions but instead adopts a remediation strategy, evaluating breaches based on their severity, the number of affected individuals, and potential economic impact.
Rather than publicly declaring non-compliance, the NDPC provides companies with specific corrective measures to address any identified shortcomings.
READ ALSO: EU Regulators Fine Meta 390m Euros In Latest Privacy Crackdown
Once a company is found in breach, it must maintain detailed records of its data processing activities and rectify any failures.
Organisations under review are also monitored for six months to a year to ensure full compliance.
While emphasizing the NDPC’s willingness to support companies in meeting regulatory standards, Olatunji warned that stronger measures would be taken if necessary.
During the press conference, the NDPC also introduced the Nigeria Data Protection Act – General Application and Implementation Directive, a guideline designed to help data controllers and processors comply with the law.
He pointed out that many organisations lack a full understanding of data protection regulations, leading to unintentional breaches.
The directive, which will be available on the NDPC portal, aims to provide clarity and reinforce the role of Data Protection Officers in ensuring compliance.
Olatunji reaffirmed the commission’s commitment to protecting Nigerians’ privacy rights through the implementation of the Nigeria Data Protection Act – General Application and Implementation Directive.
Describing the directive as a major milestone in Nigeria’s data privacy efforts, he emphasized its importance in an era where emerging technologies are reshaping digital interactions.
He noted that following President Bola Tinubu’s assent to the Nigeria Data Protection Bill on June 12, 2023, the NDPC began developing a comprehensive implementation framework.
According to him, this aligns with Section 37 of the 1999 Constitution, which guarantees the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.
To fulfill this constitutional obligation, the commission engaged extensively with key stakeholders, including data subjects, government agencies, corporate organisations, civil society groups, international institutions, and the media.
READ ALSO: Nigeria Fines Meta $220m For Data Privacy Violations
These consultations aimed to ensure that the directive reflects the evolving realities of data protection.
Olatunji announced that the directive covers critical areas such as data protection principles, lawful bases for data processing, data subjects’ rights, cross-border data transfers, compliance audit returns, and standardized grievance redress mechanisms.
Additionally, it provides guidelines on data privacy impact assessments, training and certification of data protection officers, alternative dispute resolution, and global best practice benchmarking.
He revealed that the NDPC had introduced the Standard Notice to Address Grievance, a mechanism allowing individuals to demand remedial action directly from data controllers and processors without first seeking the commission’s intervention.
Olatunji stated that the full implementation of the directive would begin in September 2025, with organisations given a six-month transition period.
Provisions related to fees would take effect from January 2026.
He assured that the NDPC would continue to issue guidance notices and advisories to clarify legal requirements and promote a stronger culture of data privacy and protection in Nigeria.
Furthermore, he disclosed that capacity-building programmes would be introduced, and feedback would be gathered through NDPC platforms to inform future reviews of the directive and the development of new regulatory frameworks.