INEC under data protection scrutiny, says NDPC

Innovation & Technology

ABUJA, Nigeria (NPA) — The Nigeria Data Protection Commission (NDPC) has disclosed that it twice requested the Records of Processing Activities (ROPA) of the Independent National Electoral Commission (INEC) over allegations of data breaches.

The National Commissioner of the NDPC, Dr Vincent Olatunji, made the disclosure during a media briefing in Abuja to mark the commission’s third anniversary.

Olatunji said the requests were made following the enactment of the Nigeria Data Protection Act by President Bola Ahmed Tinubu on June 12, 2023, as part of efforts to safeguard the integrity of Nigeria’s electoral database.

According to him, the commission treats all reported data breaches with urgency and professionalism, irrespective of whether the institutions involved are public or private.

“There is no breach reported to us that we have not acted on, whether in government or private institutions,” he said.

“For instance, INEC has been asked twice for its Records of Processing Activities. The matter is sensitive because the country is moving towards another election and it speaks to the credibility of the database.”

He stressed that the commission was acting promptly because of the importance of maintaining public confidence in the electoral process.

The NDPC boss also revealed that the commission had investigated several organisations, including Meta, TikTok, Temu, Remita and Sterling Bank, insisting that no organisation was exempt from scrutiny.

According to him, all organisations invited by the commission had cooperated fully with investigations.

“I cannot remember any organisation that was invited and did not show up. All of them have appeared and engaged with us,” he said.

Olatunji explained that the NDPC adopts a compliance-driven and developmental approach to regulation rather than focusing solely on sanctions.

He said the commission evaluates organisations based on factors such as registration status, audit filings, data protection officers, privacy policies and technical safeguards before determining appropriate corrective measures.

According to him, organisations with substantial compliance records are often directed to address identified gaps within a specified period and may be required to pay remediation fees instead of penalties.

“The objective is compliance and not punishment. We do not want to stifle innovation or drive away investors,” he said.

“Our law is a developmental law designed to stimulate sustainable growth.”

Olatunji further disclosed that the commission’s dispute with Meta was the only case that proceeded to court after the company challenged a $32 million penalty imposed by the NDPC.

He said the matter was eventually resolved through an out-of-court settlement after both parties agreed on measures to strengthen compliance and support data protection initiatives in Nigeria.

According to him, the settlement was reached in the interest of the economy and millions of Nigerians who rely on Meta’s platforms for business and communication.

“What we desire is compliance, not embarrassment or driving companies or investors away from Nigeria,” he said.

“The agreement reached is a win-win situation that protects Nigerians and ensures responsible handling of personal data.”

The NDPC commissioner reaffirmed the commission’s commitment to integrity, transparency and stakeholder collaboration in advancing data protection and privacy awareness across the country.