NDPC probes alleged data breaches by TikTok, Truecaller

The Nigeria Data Protection Commission (NDPC) says it is investigating TikTok and Truecaller over alleged data privacy violations as part of efforts to enforce compliance with the Nigeria Data Protection Act (NDPA).

Speaking during a press conference in Abuja on Thursday, Vincent Olatunji, the national commissioner and chief executive officer (CEO) of NDPC, said the agency is assessing the platforms’ compliance with data protection laws and would determine necessary regulatory actions based on its findings.

“As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” Olatunji said.

“Depending on our findings, if they are able to go through remediation and do what is right, we are happy to work with them.”

The NDPC CEO noted said when the commission began monitoring data protection compliance, only 4 percent of organisations adhered to regulations.

He, however, said through increased enforcement and stakeholder engagement, compliance levels have now surpassed 55 percent.

Olatunji said the NDPC prioritises remediation over immediate sanctions, evaluating data breaches based on their severity, the number of individuals affected, and the potential economic impact.

Instead of publicly declaring non-compliance, he said the commission provides companies with clear corrective measures to address identified issues.

The commissioner added that organisations found in violation must keep comprehensive records of their data processing activities and rectify any lapses.

“Additionally, they are subject to monitoring for six months to a year to ensure full compliance,” he said.

Olatunji said while the commission prefers a corrective approach, it will not hesitate to enforce stricter actions if necessary.

At the press conference, the NDPC also introduced the NDPA general application and implementation directive (NDP Act GAID), a regulatory framework designed to help data controllers and processors comply with the NDPA.

Olatunji said many organisations lack understanding of data protection regulations, often leading to inadvertent breaches.

The commissioner said the NDP Act GAID addresses technical and organisational measures in the areas of data protection principles, lawful basis of data processing, NDP Act compliance audit, and data subject rights, among others.

He said the directive, which will be available on the NDPC’s portal, intends to provide clarity and reinforce the role of data protection officers in ensuring compliance.