The Nigeria Data Protection Commission (NDPC) has launched an investigation into TikTok and Truecaller over alleged data breaches as part of its enforcement of the Nigeria Data Protection Act (NDPA).

The National Commissioner and Chief Executive Officer of the NDPC, Dr. Vincent Olatunji, disclosed this at a press conference in Abuja on Thursday, stating that the commission was scrutinising their compliance with data protection laws.

“As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” he said.

He added that depending on the findings, if the companies could go through remediation and correct their lapses, the NDPC would be open to working with them.

Olatunji noted that when the commission began monitoring compliance, only four per cent of organisations adhered to data protection regulations. However, due to increased enforcement and engagement with stakeholders, compliance levels have now improved to over 55 per cent.

Regulatory approach and compliance monitoring

The NDPC boss explained that the commission does not impose immediate sanctions on organisations found in breach of data protection laws. Instead, it adopts a remediation approach that evaluates breaches based on severity, the number of affected individuals, and the potential impact on the economy.

Rather than immediately announcing non-compliance, the NDPC provides companies with specific corrective measures to address their shortcomings. Once a company is found to be in breach, it must maintain detailed records of its data processing activities and rectify identified failures. The commission then monitors these organisations for a period of six months to a year to ensure full compliance.

While the NDPC prioritises remediation, Olatunji said the commission would not hesitate to take stronger enforcement actions where necessary.

New directive for data protection compliance

At the press conference, the NDPC also unveiled the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID), which provides comprehensive guidelines to help data controllers and processors comply with the law.

Olatunji described the directive as a significant milestone in Nigeria’s data privacy efforts, particularly as emerging technologies continue to reshape digital interactions. He stated that following President Bola Tinubu’s assent to the Nigeria Data Protection Bill on 12 June 2023, the NDPC began developing a framework to ensure its full implementation.

The directive, which will be made available on the NDPC portal, covers critical areas such as data protection principles, lawful bases for data processing, data subjects’ rights, cross-border data transfers, compliance audit returns, and standardised grievance redress mechanisms.

Additionally, the NDPC introduced the Standard Notice to Address Grievance (SNAG), a mechanism that allows individuals to demand remedial action directly from data controllers and processors without first going through the commission. This, Olatunji said, empowers over 230 million Nigerians to play an active role in enforcing data protection laws.

He announced that the full implementation of the directive would commence in September 2025, with a six-month transition period for organisations. All provisions relating to fees will take effect from January 2026.

The NDPC assured that it would continue to provide guidance notices and advisories to clarify legal requirements while rolling out capacity-building programmes to deepen the culture of data privacy and protection in Nigeria.