NDPC Investigates Temu Over Alleged Data Protection Violations

Nigeria’s data protection regulator has launched a formal investigation into Temu amid concerns that the personal data of millions of Nigerians may have been improperly processed.

The probe was ordered by the National Commissioner and Chief Executive Officer of the Nigeria Data Protection Commission (NDPC), Vincent Olatunji, following indications that the e-commerce platform processes personal information belonging to approximately 12.7 million Nigerians.

The development was disclosed in a statement signed by Babatunde Bamigboye, Esq., CDPRP, Head of Legal, Enforcement and Regulations at the Commission.

What the NDPC Is Investigating

According to the NDPC, the investigation was triggered by multiple concerns surrounding the platform’s data handling practices. These include:

Online surveillance practices

Transparency and accountability gaps

Data minimisation compliance

Duty of care obligations

Cross-border data transfers

“Preliminary investigations indicate that Temu is an e-commerce platform which processes personal information of approximately 12.7 million data subjects in Nigeria, with 70 million daily active users globally,” the Commission stated.

Regulators say the scale of data collection raises significant compliance questions under the Nigeria Data Protection Act (NDPA) 2023.

Dr. Olatunji also issued a warning to companies that process data on behalf of other organisations, stressing that data processors must verify the legal compliance of data controllers before undertaking processing activities.

Processors who fail to do so, he warned, may be held liable under Nigerian law.

Rising Regulatory Scrutiny

The Temu investigation comes amid increased regulatory oversight across sectors that handle high volumes of personal information.

In August last year, the NDPC launched a sector-wide investigation into 1,369 organisations suspected of violating provisions of the NDPA 2023. The probe targeted entities in sensitive industries including:

Banking

Insurance

Pensions

Gaming

Insurance brokerage

The Commission gave the affected organisations — including 795 financial institutions — 21 days to submit evidence of compliance or risk sanctions.

Enforcement and the “Remediation Approach”

The NDPC has demonstrated its willingness to impose significant penalties where necessary. Last year, the Commission fined MultiChoice Nigeria N766.2 million for violations of the NDPA — the largest single fine issued since the Act came into force in 2023.

However, the regulator maintains that enforcement is guided by a remediation-first approach.

Speaking recently, Dr. Olatunji emphasized that the Commission prioritizes compliance over public spectacle.

“Usually, when we investigate and find a breach, if they are ready to comply with the law, what is the point of making noise?
It’s only when an organization is unwilling to comply with the law that we are forced to impose sanctions.”

He added that the Commission remains mindful of Nigeria’s broader economic stability and investment climate, noting that enforcement decisions are carefully balanced to ensure both regulatory integrity and business sustainability.

What This Means for Nigeria’s Digital Economy

The investigation into Temu signals a maturing regulatory environment where large-scale data processing — especially by foreign digital platforms — will face closer scrutiny.

With over 12 million Nigerians potentially affected, the outcome of the probe could shape future compliance expectations for global technology and e-commerce companies operating in Nigeria.

As Nigeria’s digital economy expands, data protection enforcement is increasingly becoming central to consumer trust, cross-border digital trade, and investor confidence.