TikTok, Truecaller under investigation for alleged data privacy violations in Nigeria
Enforcing the data privacy laws in Nigeria, the Nigeria Data Protection Commission (NDPC) has launched an investigation into social media giant TikTok and caller identification service Truecaller over alleged breaches of data protection regulations.
Speaking at a press conference in Abuja on Thursday, Vincent Olatunji, the National Commissioner and Chief Executive Officer (CEO) of NDPC, confirmed that the agency is scrutinizing the compliance of these platforms with the Nigeria Data Protection Act (NDPA). He stated that regulatory actions would be determined based on the findings of the ongoing assessment.
“As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” Olatunji revealed.
Olatunji emphasized that the NDPC prioritizes remediation over immediate punitive actions. The commission evaluates data breaches based on their severity, the number of affected individuals, and potential economic repercussions. Rather than publicly declaring non-compliance, the agency provides companies with clear corrective measures to address any violations.
“Depending on our findings, if they can go through remediation and do what is right, we are happy to work with them,” he said.
Companies found in violation must maintain comprehensive records of their data processing activities and rectify any identified gaps. These organizations are then placed under strict monitoring for six months to a year to ensure full compliance.
When the NDPC initially began monitoring data protection compliance, only 4 per cent of organizations adhered to the regulations. However, through increased enforcement and stakeholder engagement, compliance levels have now exceeded 55 per cent—a significant improvement that underscores the growing awareness of data privacy laws in Nigeria.
At the press conference, the NDPC also introduced the NDPA General Application and Implementation Directive (NDP Act GAID), a regulatory framework aimed at assisting data controllers and processors in complying with the NDPA.
Olatunji noted that many organizations lack a thorough understanding of data protection laws, leading to inadvertent breaches. The new directive seeks to address these challenges by outlining technical and organizational measures covering key areas such as data protection principles, lawful data processing, compliance audits, and the rights of data subjects.
The directive, which will be available on the NDPC’s official portal, aims to provide clarity and reinforce the role of data protection officers in ensuring compliance with Nigerian data laws.



