The Nigerian government, through the Nigeria Data Protection Commission (NDPC), has ordered an immediate investigation into the data processing activities of Chinese-owned e-commerce platform Temu over alleged violations of the Nigeria Data Protection Act (NDPA).
The decision raises fresh concerns about how foreign technology companies collect, store, and transfer Nigerians’ personal data.
In a press release dated February 16, the NDPC said its National Commissioner and Chief Executive Officer, Vincent Olatunji, authorised the probe following mounting concerns around online surveillance, excessive personal data collection, lack of transparency, weak accountability mechanisms, and cross-border data transfers.
“The investigation of Temu was triggered by concerns around online surveillance through personal data processing, accountability, data minimisation requirement, transparency, duty of care and cross-border data transfer,” the statement read in part..
Preliminary findings by the Commission indicate that Temu processes the personal data of an estimated 12.7 million Nigerian users, while serving about 70 million daily active users globally, raising serious questions about how Nigerians’ data are collected, stored, shared, and protected.
“The National Commissioner warned that processors who engage in processing activities on behalf of data controllers without verifying their compliance with the NDP Act may be liable under the NDP Act,” the Commission added.
According to data, Nigeria is Africa’s most populous country and one of the continent’s fastest-growing digital markets with millions of its citizens relying on mobile apps, social media platforms, fintech services, and e-commerce sites for daily transactions often with little understanding of how their personal information is being used.
Civil society groups and digital rights advocates say the Temu investigation represents a crucial test of Nigeria’s willingness to enforce its data protection laws against powerful global technology companies.
The ICIR reports that in January 2019, the National Information Technology Development Agency (NITDA) established the Nigeria Data Protection Regulation (NDPR), the country’s first comprehensive framework governing how organisations collect, process, and store personal data.
The NDPR introduced consent requirements for data collection, rights of data subjects, obligations for organisations to implement security safeguards, sanctions for data breaches and non-compliance, but because the NDPR was a regulation rather than an Act of Parliament, enforcement powers were limited, and penalties were often contested.
In February 2022, the Federal Government established the Nigeria Data Protection Commission to replace NITDA as the primary data protection authority – a move aimed at strengthening independence, enforcement capacity, and regulatory clarity.
In June 2023, President Bola Ahmed Tinubu signed the Nigeria Data Protection Act (NDPA), 2023 into law. The Act gives the NDPC statutory backing, expands enforcement powers and penalties, establishes lawful bases for data processing, regulates cross-border data transfers, and mandates data protection impact assessments for high-risk processing.
Analysts believe that the NDPC probe sends a message that Nigeria is no longer a soft landing for companies that treat user data carelessly.
