Nigeria’s data protection authority has launched a formal investigation into Temu, the fast-growing Chinese e-commerce platform, over alleged violations of the country’s data protection law, raising fresh questions about how foreign digital platforms handle the personal information of millions of Nigerian users.
The Nigeria Data Protection Commission confirmed the development on Monday, with its National Commissioner and Chief Executive Officer, Dr Vincent Olatunji, personally ordering the immediate commencement of the investigation. Dr Olatunji stated that the data processing activities of Temu may be in violation of the Nigeria Data Protection Act.
According to the Commission, the investigation was triggered by a cluster of specific concerns surrounding Temu’s operations in Nigeria. These include allegations of online surveillance through personal data processing, questions around accountability, non-compliance with data minimisation requirements, lack of transparency, failure in duty of care obligations, and concerns over cross-border data transfers involving Nigerian users’ personal information.
Preliminary findings by the Commission indicate that Temu operates as an e-commerce platform that processes the personal information of approximately 12.7 million data subjects in Nigeria. The platform reportedly records 70 million daily active users globally, underscoring the scale at which user data is being collected and processed.
Dr Olatunji issued a direct warning to data processors operating in Nigeria, stating that those who engage in processing activities on behalf of data controllers without first verifying compliance with the Nigeria Data Protection Act may face liability under the same law.
The investigation comes at a time of growing regulatory scrutiny of foreign technology and e-commerce platforms operating across African markets, where enforcement of digital rights and data sovereignty has gained increasing legislative and institutional attention.
Temu, owned by Chinese technology conglomerate PDD Holdings, launched aggressively into global markets in recent years, positioning itself as a discount-focused online marketplace offering a wide range of consumer goods at low prices. Since entering the Nigerian market, it has attracted millions of users, though questions about its data practices have surfaced across multiple jurisdictions internationally.
Nigeria enacted the Nigeria Data Protection Act in 2023, creating a statutory framework for the regulation of personal data and establishing the NDPC as the principal regulatory authority. The Act introduced obligations around consent, data minimisation, cross-border transfer restrictions, and accountability for both data controllers and processors operating within or targeting Nigerian users.
The NDPC has in the preceding months expanded its enforcement posture, engaging with multiple companies and pursuing compliance audits across sectors. The Temu investigation represents one of the more high-profile actions by the Commission, given the platform’s scale of user penetration within Nigeria.
Cross-border data transfer has emerged as a particularly sensitive area under the Act, as it governs the movement of Nigerian citizens’ personal data to jurisdictions outside the country. Regulators are required to assess whether receiving countries offer adequate data protection standards before such transfers can be considered lawful.
The Commission has not disclosed a timeline for the conclusion of the investigation or indicated what sanctions may follow if violations are confirmed. Under the Nigeria Data Protection Act, penalties for breaches can be substantial, with fines potentially calculated as a percentage of annual turnover for organisations found to be in violation.
The NDPC stated that further details of the investigation would be made available as proceedings progress.
