Data Breaches: NDPC Launches Investigation into TikTok, Truecaller

The Nigeria Data Protection Commission (NDPC) has initiated an investigation into TikTok and Truecaller over alleged data breaches as part of its enforcement of the Nigeria Data Protection Act (NDPA).

The move signals the commission’s commitment to safeguarding personal data and ensuring compliance with national data protection regulations.

Speaking at a press conference in Abuja on Thursday, the National Commissioner and Chief Executive Officer of the NDPC, Dr Vincent Olatunji, revealed that the commission was closely examining the two multinational companies’ adherence to data protection laws.

“As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” Olatunji stated.

He further noted that the companies would be given the opportunity to address any lapses identified during the investigation. If they undertake remediation and correct their non-compliance issues, the NDPC would be open to collaboration.

Olatunji also highlighted the progress Nigeria has made in enforcing data protection regulations. He stated that when the NDPC first began monitoring compliance, only four per cent of organisations adhered to data protection laws. However, due to increased enforcement and engagement with stakeholders, compliance levels have now improved to over 55 per cent.

The NDPC emphasised that its enforcement approach prioritises remediation over immediate sanctions. Rather than immediately penalising companies for non-compliance, the commission assesses breaches based on severity, the number of affected individuals, and the potential economic impact.

Key aspects of the NDPC’s regulatory strategy include:

• Corrective Measures: Companies found in breach of data protection laws are given specific guidelines to rectify their shortcomings.
• Compliance Monitoring: Organisations under investigation are required to maintain detailed records of their data processing activities and implement corrective measures. The NDPC then monitors them for six months to a year to ensure full compliance.
• Enforcement Actions: While the NDPC prioritises remediation, it will take stricter enforcement actions when necessary to protect consumer data and uphold the law.

During the press conference, the NDPC also introduced the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID), a comprehensive set of guidelines designed to assist data controllers and processors in complying with the law.

Dr Olatunji described the directive as a significant milestone in Nigeria’s data privacy landscape, particularly as emerging technologies continue to reshape digital interactions. He noted that after President Bola Tinubu assented to the Nigeria Data Protection Bill on 12 June 2023, the NDPC began developing a framework for its full implementation.

Also Read: NDPC to Prosecute Data Privacy Offenders from 2025

The directive, which will be available on the NDPC portal, covers several key areas, including:

• Data protection principles
• Lawful bases for data processing
• Data subjects’ rights
• Cross-border data transfers
• Compliance audit returns
• Standardised grievance redress mechanisms

Additionally, the NDPC introduced the Standard Notice to Address Grievance (SNAG), a tool that allows individuals to demand remedial action directly from data controllers and processors without first going through the commission. According to Olatunji, this initiative empowers over 230 million Nigerians to take an active role in enforcing data protection laws.

Implementation Timeline and Future Plans

The NDPC announced that the directive would be fully implemented from September 2025, with a six-month transition period for organisations. All provisions related to compliance fees will take effect from January 2026.

To ensure a smooth transition, the NDPC plans to provide ongoing guidance notices and advisories to clarify legal requirements. Additionally, it will roll out capacity-building programmes aimed at fostering a culture of data privacy and protection in Nigeria.

As digital platforms continue to play an integral role in everyday life, the NDPC reassured Nigerians that it remains dedicated to protecting citizens’ data and will continue to enforce data privacy laws to prevent unauthorised access and misuse of personal information.