TikTok, Truecaller Under Investigation by NDPC

The Nigeria Data Protection Commission (NDPC) has taken a significant step in enforcing data protection regulations in Nigeria by launching an investigation into TikTok and Truecaller over alleged data breaches. This move is part of the commission’s efforts to ensure compliance with the Nigeria Data Protection Act. In addition to the investigation, the NDPC has also introduced the Nigeria Data Protection Act – General Application and Implementation Directive, which provides guidelines for data controllers and processors to comply with the law.

The National Commissioner and Chief Executive Officer of the NDPC, Dr. Vincent Olatunji, disclosed the investigation at a press conference in Abuja. According to Dr. Olatunji, the commission is scrutinizing the companies’ compliance with data protection laws and will determine the necessary regulatory action based on its findings. The investigation aims to assess whether TikTok and Truecaller have breached data protection regulations and to ensure that they take corrective measures to prevent future breaches.

The NDPC reported that when it began monitoring compliance, only 4% of organizations adhered to data protection regulations. However, compliance levels have improved to over 55% due to increased enforcement and engagement with stakeholders. This significant improvement demonstrates the effectiveness of the NDPC’s efforts to raise awareness and enforce compliance with data protection regulations.

The NDPC adopts a remediation approach, which involves assessing breaches based on their severity, the number of affected individuals, and the potential impact on the economy. Instead of imposing immediate sanctions, the commission provides companies with specific corrective measures to address their shortcomings. This approach encourages companies to take proactive steps to correct their lapses and prevent future breaches.

The NDPC has introduced the Nigeria Data Protection Act – General Application and Implementation Directive, which provides guidelines for data controllers and processors to comply with the law. The directive addresses key areas such as:

  • Data protection principles
  • Lawful bases for data processing
  • Data subjects’ rights
  • Cross-border data transfers
  • Compliance audit returns
  • Standardized grievance redress mechanisms

The directive also provides guidelines on data privacy impact assessments, training and certification of data protection officers, alternative dispute resolution, and global best practice benchmarking.

The full implementation of the directive will commence in September 2025, allowing organizations a six-month transition period. All provisions relating to fees will take effect from January 2026. The NDPC will continue to provide guidance notices and advisories to clarify legal requirements and deepen the culture of data privacy and protection in Nigeria.

The NDPC’s investigation into TikTok and Truecaller, as well as the introduction of the Nigeria Data Protection Act – General Application and Implementation Directive, demonstrate the commission’s commitment to enforcing data protection regulations in Nigeria. The directive provides a clear framework for data controllers and processors to comply with the law, and the remediation approach encourages companies to take proactive steps to correct their lapses and prevent future breaches.
