Nigeria’s data protection regulator has launched a high-stakes investigation into the data processing activities of global e-commerce giant Temu.
The move places the personal information of an estimated 12.7 million Nigerians under intense regulatory scrutiny.
The probe, ordered by National Commissioner and CEO of the Nigeria Data Protection Commission (NDPC), Dr. Vincent Olatunji, is focused on whether Temu’s data handling practices align with the legal requirements of the Nigeria Data Protection Act (NDP Act).
“The investigation of Temu was triggered by concerns around online surveillance through personal data processing, accountability, data minimisation requirement, transparency, duty of care and cross-border transfer,” Babatunde Bamigboye, NDPC’s Head, Legal, Enforcement and Regulations, said in a statement on Tuesday.
The issue is not only compliance in principle, but the scale of processing. Preliminary findings by the Commission indicate that Temu processes personal information belonging to approximately 12.7 million Nigerian data subjects.
Globally, the platform is estimated to record about 70 million daily active users, underscoring the magnitude of the international data ecosystem in which Nigerian consumers’ information may circulate.
In quantitative terms, 12.7 million data subjects represent a significant proportion of Nigeria’s active online consumer base.
In a market with one of Africa’s largest internet populations, that figure signals systemic exposure rather than isolated risk.
E-commerce platforms of Temu’s scale typically process multilayered datasets: identity information, phone numbers and email addresses, delivery locations, device identifiers, IP addresses, browsing histories, purchasing patterns, payment metadata and behavioural analytics.
Under the NDP Act, each category of data must be processed lawfully, collected for specific and legitimate purposes, limited to what is necessary, and protected by appropriate technical and organisational safeguards.
The NDPC said its investigation was “triggered by concerns around online surveillance through personal data processing, accountability, data minimisation requirement, transparency, duty of care and cross-border data transfer.”
Each of those concerns speaks to core quantitative risks:
*Data minimisation: Whether the volume and categories of data collected are proportionate to stated business purposes.
*Transparency: Whether millions of users have been clearly informed about how their data is used.
*Cross-border transfers: Whether personal data of 12.7 million Nigerians may be transmitted to foreign jurisdictions without equivalent legal safeguards.
Enacted in 2023, the NDP Act provides Nigeria with its first comprehensive statutory framework for personal data governance. It establishes enforceable rights for data subjects and codifies obligations for data controllers and processors, including strict conditions for cross-border transfers.
By invoking the Act in relation to a global e-commerce platform operating at scale, the NDPC is signalling that Nigeria’s data protection regime is moving from normative compliance guidance to measurable enforcement.
The financial implications could be material. The NDP Act provides for administrative penalties that may be calculated as a percentage of annual gross revenue for serious breaches, alongside corrective compliance orders and potential suspension of unlawful processing activities.
For high-volume digital platforms, percentage-based penalties can translate into substantial monetary exposure.
In a pointed warning to the wider ecosystem, Olatunji stated that processors who engage in processing activities on behalf of data controllers without verifying their compliance with the NDP Act “may be liable under the NDP Act.”
That caution extends potential risk exposure beyond the primary platform including payment processors handling transaction data, logistics providers managing delivery information, cloud service providers hosting data infrastructure and marketing and analytics vendors processing behavioural data
In effect, any entity within the data value chain linked to the 12.7 million Nigerian data subjects could face compliance scrutiny if due diligence obligations are not met.
One of the most consequential aspects of the investigation concerns cross-border data transfers. The NDP Act requires that personal data exported outside Nigeria must be subject to adequate protection, either through recognised adequacy mechanisms, binding corporate rules, contractual safeguards, or other lawful transfer bases.
Given Temu’s global footprint and reported 70 million daily active users worldwide, the probability that Nigerian user data intersects with international data infrastructure is high.
The regulatory question is whether equivalent levels of data protection are guaranteed in those jurisdictions.
The investigation lands at a time when digital platforms are scaling aggressively across emerging markets.
For Nigeria, the case represents a regulatory stress test: can a relatively new statutory regime effectively oversee multinational digital actors with massive data processing volumes?
Beyond Temu, the NDPC’s action sends a measurable signal to the broader e-commerce, fintech, and digital services ecosystem. Scale will not dilute regulatory jurisdiction. If anything, scale increases scrutiny.
The Commission has not announced a timeline for concluding the investigation. However, with 12.7 million Nigerian data subjects implicated, the matter marks one of the most consequential enforcement steps since the enactment of the NDP Act.
Leave a comment