The Nigeria Data Protection Commission (NDPC) has launched an investigation into Chinese e-commerce platform Temu over concerns that the personal data of approximately 12.7 million Nigerians may have been improperly handled.
The probe was ordered by Vincent Olatunji, National Commissioner and Chief Executive Officer of the NDPC, following indications that the company processes large volumes of personal information belonging to Nigerian users.
The development was disclosed in a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the Commission.
According to the NDPC, preliminary findings suggest that Temu processes personal information of about 12.7 million Nigerian data subjects, while reportedly serving 70 million daily active users globally.
The Commission said the scale of data processing raises significant compliance concerns under the Nigeria Data Protection Act (NDPA) 2023.
Key areas under review include:
- Online surveillance practices
- Transparency and accountability obligations
- Data minimisation principles
- Duty of care to data subjects
- Cross-border data transfers
Dr. Olatunji warned that data processors acting on behalf of data controllers must verify that those controllers comply with Nigerian data protection laws or risk liability.
The Temu probe comes amid intensified regulatory scrutiny of organisations handling large-scale personal data.
In August 2025, the NDPC launched a sector-wide investigation into 1,369 organisations suspected of breaching the NDPA. The affected sectors included banking, insurance, pensions, and gaming.
The breakdown included:
- 795 financial institutions
- 392 insurance brokers
- 35 insurance companies
- 10 pension companies
- 136 gaming companies
The organisations were given 21 days to demonstrate compliance or face sanctions.
In 2025, the NDPC imposed a N766.2 million fine on MultiChoice Nigeria for violations of the NDPA, the largest single penalty issued by the Commission since the law came into force in 2023.
However, the regulator says it prioritises a remediation-based approach, encouraging organisations to correct violations before sanctions are imposed.
“Usually, when we investigate and find a breach, if they are ready to comply with the law, what is the point of making noise? It’s only when an organisation is unwilling to comply with the law that we are forced to impose sanctions,” Olatunji said in a recent interview.
He added that enforcement decisions are also weighed against broader economic considerations to avoid discouraging investment.
The outcome of the Temu investigation could signal how aggressively Nigeria intends to regulate global digital platforms operating within its jurisdiction.
