The Nigeria Data Protection Commission (NDPC) has ordered an immediate investigation into the data processing activities of global e-commerce platform Temu, citing concerns that its operations in Nigeria may contravene the Nigeria Data Protection Act (NDP Act), 2023.
Vincent Olatunji, national commissioner and chief executive officer of the commission, directed the probe amid growing regulatory scrutiny of how digital platforms collect, store, and transfer Nigerians’ personal information.
In a statement issued Monday, Babatunde Bamigboye, NDPC’s head of legal, enforcement and regulations, disclosed that preliminary findings suggest the platform may be engaged in practices inconsistent with statutory data protection obligations.
According to the statement, the investigation was triggered by concerns relating to online surveillance through personal data processing, accountability mechanisms, compliance with data minimisation principles, transparency requirements, duty of care, and the legality of cross-border data transfers.
“Preliminary investigations indicate that Temu is an e-commerce platform which processes personal information of approximately 12.7 million data subjects in Nigeria with 70 million daily active users globally,” the statement read.
The commission noted that under the NDP Act, data controllers and data processors are subject to strict compliance standards, including lawful basis for processing, purpose limitation, storage limitation, and adequate safeguards for international data transfers. It warned that processors acting on behalf of controllers without verifying compliance with the Act could be held directly liable.
Background: Nigeria’s Evolving Data Protection Framework
The investigation comes against the backdrop of Nigeria’s expanding digital economy and heightened regulatory oversight of data-driven platforms.
The NDP Act, signed into law in 2023, established the NDPC as the primary regulator for data protection, transforming what had previously operated under the Nigeria Data Protection Regulation (NDPR) into a more robust statutory regime. The law aligns Nigeria’s framework more closely with global standards such as the EU’s General Data Protection Regulation (GDPR), particularly on issues of consent, accountability, and cross-border data governance.
With millions of Nigerians increasingly relying on e-commerce, fintech, telecommunications, and social media platforms, regulators have emphasised the need to ensure that personal data is not exploited, unlawfully transferred abroad, or processed without adequate safeguards.
Earlier this month, on February 5, the Nigerian Communications Commission (NCC) signed a memorandum of understanding (MoU) with the NDPC to deepen inter-agency collaboration on data privacy enforcement. The NDPC said the partnership would enable both agencies to combine technical, regulatory, and enforcement capabilities to strengthen consumer data protection across Nigeria’s telecommunications and digital services ecosystem.
Industry analysts note that cross-border platforms operating in Nigeria are increasingly subject to local compliance expectations, particularly where large volumes of personal data are involved. Failure to adhere to statutory obligations could attract administrative penalties, enforcement actions, and reputational consequences.
The NDPC’s latest move signals a more assertive regulatory posture, reinforcing its mandate to ensure that organisations handling Nigerians’ personal information operate within the bounds of the law.
As the investigation unfolds, stakeholders across Nigeria’s technology and e-commerce sectors will be watching closely for potential enforcement actions and clarifications on compliance thresholds under the NDP Act.
