By Osasome, C.O
Commission Orders Immediate Investigation Into Data Processing Practices
Nigeria’s data protection regulator, Nigeria Data Protection Commission (NDPC), has ordered an immediate investigation into the data processing activities of Temu, following concerns that the platform may be operating in breach of the Nigeria Data Protection (NDP) Act.
The directive was issued by the NDPC’s National Commissioner and CEO, Dr. Vincent Olatunji, and confirmed in an official statement by the Commission’s Head of Legal, Enforcement and Regulations, Babatunde Bamigboye.
Why Temu Is Under Regulatory Scrutiny
According to the NDPC, the probe was triggered by red flags around online surveillance practices, accountability, data minimisation, transparency, duty of care, and cross-border data transfers.
Preliminary findings indicate that Temu processes the personal data of an estimated 12.7 million Nigerian users, while serving over 70 million daily active users globally.
The Commission warned that data processors acting on behalf of controllers, without verifying their compliance with Nigeria’s data protection laws, could themselves be held liable under the NDP Act.
About Temu and Its Nigerian Operations
Temu is a Chinese-owned online marketplace operated by PDD Holdings. It connects consumers directly with manufacturers to offer heavily discounted products ranging from fashion and electronics to household items. The platform is widely known for its “Shop Like a Billionaire” marketing campaign and aggressive global expansion strategy.
Temu officially launched in Nigeria in late 2024 and has since become one of the country’s most downloaded mobile apps. Prices are displayed in naira, and the platform offers direct shipping to Nigerian addresses.
To support last-mile delivery, Temu entered into a logistics partnership in late 2025 with Dellyman. This deal enables nationwide coverage across major cities and suburban areas.
NDPC Flags Liability for Local Partners
As of February 2026, the NDPC confirmed that Temu remains under active investigation. Beyond Temu itself, the Commission has issued a stern warning to local logistics, payment, and service partners that they may face legal exposure if they continue processing personal data for non-compliant platforms.
The investigation is expected to focus particularly on transparency obligations and the legality of cross-border data transfers involving Nigerian citizens’ information.
Competitive Pressure on Local E-Commerce Players
Temu’s entry into Nigeria has intensified competition with established platforms such as Jumia and Konga.
While Temu’s direct-from-manufacturer model allows for lower prices, local platforms still retain an advantage in faster delivery for goods stocked in domestic warehouses.
NDPC Steps Up Enforcement Nationwide
The Temu probe forms part of a broader enforcement push by the NDPC following the enactment of the Nigeria Data Protection Act (NDPA) 2023. Over the past two years, the Commission has launched several high-profile investigations and imposed significant penalties.
Major enforcement actions (2025–2026) include:
- Temu (ongoing): Investigation into alleged privacy breaches affecting 12.7 million Nigerian users.
- Meta (settlement): A $32.8 million remedial fee negotiated in late 2025 over unlawful data appropriation and intrusive behavioural advertising.
- Sector-wide crackdown: In August 2025, the NDPC targeted 1,369 organisations across banking, gaming, insurance, and pension sectors.
Penalties and Compliance Revenue
The NDPC reports that it has completed 246 data breach investigations, generating over ₦7.2 billion in compliance revenue and penalties.
Notable sanctions include:
- MultiChoice Nigeria – ₦766.2 million fine for unauthorised cross-border data transfers.
- Fidelity Bank PLC – ₦555.8 million fine for processing personal data without informed consent.
GAID 2025: The Compliance Framework in Force
The NDPC’s enforcement drive is anchored on the General Application and Implementation Directive (GAID) 2025, which became fully effective on September 19, 2025. The directive operationalises the NDPA by mandating:
- Registration of Data Controllers and Processors of Major Importance (DCPMI)
- Annual Compliance Audit Returns (CAR) by March 31
- Mandatory reporting of data breaches within 72 hours
Members of the public can also report suspected privacy violations via the NDPC’s online complaint portal.
What This Means for Nigeria’s Digital Economy
The Temu investigation underscores Nigeria’s increasingly assertive stance on data sovereignty and privacy protection. This has become particularly critical as foreign digital platforms expand their footprint in Africa’s largest market. For global technology firms, compliance with Nigeria’s data protection regime is no longer optional. It is fast becoming a prerequisite for operating at scale.