Nigeria Is Losing the Battle for Its Citizens’ Data, and Temu Is Only the Latest Warning Sign

The Temu data probe by Nigeria’s NDPC investigates how the platform processes data of 12.7 million Nigerians and whether it violates data protection laws.

Chioma downloaded the Temu app in October 2024 because the prices were, in her words, “too good to ignore”. She entered her name, her phone number, her delivery address, her card details, and a few taps later, a package was on its way from a warehouse she could not locate to a door she trusted. What she did not know was that somewhere in that transaction, she had also become a data point in a global operation that Nigerian regulators are only now beginning to examine.

She is one of approximately 12.7 million Nigerians whose personal data the platform was found to be processing, according to the Nigeria Data Protection Commission. And as of February 2026, the NDPC had formally opened an investigation into whether any of that processing was lawful.

The Temu story is not just about one Chinese e-commerce app. It is a mirror held up to the entire state of Nigeria’s digital ecosystem, where data is being harvested faster than it is being protected and where the gap between the law on paper and the law in practice is wide enough to drive a server farm through.

How the Temu Investigation Began and What the NDPC Found

In a press release dated February 16, 2026, the Nigeria Data Protection Commission announced that its National Commissioner and CEO, Vincent Olatunji, ordered an immediate probe into Temu’s activities for potential violations of the Nigeria Data Protection Act. The investigation was triggered by concerns related to online surveillance through personal data processing, as well as issues of accountability, data minimisation, transparency, duty of care, and cross-border data transfers.

Regulators said they were assessing whether the fast-growing online marketplace complies with national standards on transparency, lawful data collection, surveillance practices, and the transfer of personal information across borders. At the centre of the investigation are concerns that the platform may be collecting more information than necessary to operate, a potential breach of the data minimisation principle enshrined in Nigeria’s data protection framework.

Temu could face fines of up to two per cent of its annual revenue if found in violation of the Nigeria Data Protection Act. The probe is one of the most significant regulatory actions against a foreign digital marketplace operating in Africa’s most populous nation and, notably, against one operating without a local corporate entity.

The platform’s response was careful. In a statement released in February 2026, Temu said it was “committed to complying with applicable laws and regulations in our data practices” and pledged to engage in “open and constructive dialogue” with the NDPC to address the regulator’s concerns. It is the kind of corporate language that sounds cooperative and commits to nothing.

The NDPC also warned that third-party data processors acting on behalf of data controllers must verify compliance with the Nigeria Data Protection Act, with such processors risking being held directly liable if they engage in activities that do not comply with Nigerian statutory requirements. That warning extends the investigation’s reach far beyond Temu itself, touching the logistics firms, payment processors, and data intermediaries in its supply chain.

The Bigger Crisis Behind the Probe

Temu did not create Nigeria’s data vulnerability problem. It walked into one that was already well-established.

According to a report by cybersecurity firm Surfshark, Nigeria recorded over 150,000 compromised accounts in the first half of 2025 alone, with breaches in Q1 reaching 120,000 incidents before dropping by 73 per cent in the second quarter. Surfshark’s data further reveals that Nigeria has experienced 23.3 million breached accounts since 2004, making it the third most affected country in Sub-Saharan Africa. Of those, approximately 13 million accounts had passwords leaked, putting 56 per cent of users at risk of account takeover, extortion, or identity theft.

The threat is not only coming from outside the country’s borders. Between January and September 2025, Nigeria experienced a surge in data breaches and cybercrime activities across banking, telecom, government, healthcare, and critical infrastructure sectors. Dark web actors were observed actively selling banking databases and stolen credentials from Nigerian financial institutions, with claims of over 60 million Nigerian telecom records being traded. Government agencies, including the Nigerian Navy and the Lower Niger River Basin Development Authority, were also targeted, with sensitive internal data leaked. Healthcare records comprising 130,000 patient entries were exposed.

These are not isolated incidents. They reflect a digital economy that has grown far faster than its security architecture.

Cybersecurity analysts note that Nigeria’s fintech, e-commerce, and digital services sectors have exploded, but many operate without basic cybersecurity frameworks. Growth has outpaced governance. That sentence should be printed on the wall of every ministry responsible for digital regulation in Abuja.

For Emeka Okonkwo, a Lagos-based digital rights advocate, the Temu probe is a necessary but long overdue step. “We have been operating in a wild west,” he told The Gazette News. “Nigerians are giving away their data every day, to apps, to delivery services, and to loyalty programmes, and they have no idea where it goes, who sees it, or what it is worth. The NDPC is doing the right thing, but it is working against years of inertia.”

What the Law Says and What Has Been Done

Nigeria passed the Nigeria Data Protection Act in 2023, one of the most comprehensive data governance frameworks on the African continent. On paper, the protections are robust. In practice, enforcement has been selective and slow.

The NDPC has been increasingly active since its inception. In March 2025, it ordered a similar investigation into TikTok and Truecaller. In July 2025, it imposed a landmark fine of N766.24 million on MultiChoice Nigeria following a year-long probe into intrusive data processing and illegal cross-border transfers. In April 2025, the Competition and Consumer Protection Tribunal upheld a $220 million fine against Meta for discriminatory and exploitative conduct.

Temu has also faced significant fines abroad for data privacy violations, including a $978,000 penalty in South Korea in May 2025 for undisclosed cross-border data transfers and a $2 million civil penalty in the United States in September 2025 to settle allegations related to inadequate seller verification. These precedents highlight ongoing international scrutiny of Temu’s data practices as Nigeria’s NDPC probe continues.

The pattern is clear. Temu has been penalised on three continents for practices that regulators around the world recognise as problematic. The NDPC’s decision to act is not a Nigerian overreaction; it is Nigeria catching up with what Seoul, Washington, and Brussels already concluded.

Adaeze Nwosu, a legal practitioner who works on digital rights and data compliance in Lagos, described the regulatory moment plainly. “The 2023 Act gave us the tools. What we have been missing is the will to use them consistently and at scale. Fining MultiChoice and probing Temu is important, but the real test is whether small and mid-size platforms that handle millions of Nigerians’ data are also being held to the same standard,” she said.

The NDPC did not respond to The Gazette News’s request for an update on the timeline or current status of the Temu investigation as of press time.

What This Means for Ordinary Nigerians

Back in her shop, Chioma is not thinking about cross-border data transfers or the data minimisation principle. She is thinking about whether the dress she ordered will fit and whether she should order again.

That is the nature of the problem. The harm from data misuse is largely invisible until it is not: until the spam calls begin, until a loan is taken out in someone’s name without their knowledge, until a scammer mentions a street address that was never publicly shared.

With 13 million leaked accounts carrying exposed passwords, 56 per cent of affected Nigerian users remain at ongoing risk of account takeover, extortion, or identity theft. Those are not abstract figures. They are the market woman whose mobile banking PIN was stolen, the graduate whose BVN appeared in a dark web listing he will never see, and the civil servant whose health records were traded for a few dollars in a forum hosted on a server he cannot trace.

The NDPC has framed the Temu investigation as a decisive end to the era of unchecked data harvesting in Nigeria, stating that global platforms must now choose between aligning their algorithms with the Nigeria Data Protection Act or facing massive fines and market exclusion.

That is the right frame. The question is whether the institution has the resources, the independence, and the sustained political backing to enforce it at the scale the moment demands.

Nigeria is Africa’s largest internet market. Its citizens deserve protection that matches that status. Right now, the data is being collected at scale. The protection is still catching up.

Chioma placed another order last week. She did not read the privacy policy. Almost nobody does.

Editorial Note

This report was produced by the editorial team at The Gazette News in line with our commitment to accuracy, fairness, and responsible journalism. Information in this article is based on verified sources available at the time of publication. The Gazette News may update the story as new facts emerge or additional context becomes available.
