Updates On The Recent Activities And Other Developments In The Data Privacy Sector

• The Nigerian Data Protection Commission (NDPC) has announced a 60-day extension for the filing of the 2025 Data Protection Compliance Audit Returns (CAR), with the new deadline now set for 30th May 2026. In light of this, organisations that are required to file a CAR are advised to take advantage of this extension to avoid paying a late filing fee. Data Controllers and Data Processors of Major Importance should note that failure to file within the prescribed timeline will attract regulatory sanctions. In particular, late filing of the CAR is subject to a penalty of 50% of the applicable filing fee, in addition to the risk of further regulatory scrutiny or enforcement action by the NDPC. See the link to the update here: https://pavestoneslegal.com/ndpc-extends-data-audit-filing-deadline/
• The National Commissioner/CEO, Dr Vincent Olatunji, during a one-day workshop for gaming and sports betting operators under the auspices of the Association of Nigerian Bookmakers (ANB) urged Sports Betting Operators to Secure Massive User Data. In his remarks, he reiterated the importance of data security for the ANB as a data controller and processor of major importance, noting that no fewer than 60 million Nigerians use their platforms monthly. He noted that, given the data-intensive nature of gaming operations (including customer onboarding, identity verification, payment processing, and marketing communications), operators must prioritise data protection and privacy. See the link to the update here: https://www.ndpc.gov.ng/gaming-sector-in-focus-ndpc-urges-sports-betting-operators-to-secure-massive-user-data/
• The Commission has warned content creators against filming unsuspecting members of the public without their consent. It has also threatened criminal prosecution and sanctions against social media platforms that fail to act. The Commission, in a statement released on Friday, said it had been alerted to the activities of individuals who take photos and videos of unsuspecting people and share them on social media, describing such acts as violations of the constitutional right to privacy. It cited a specific case involving a content creator who stands at roadsides in Lagos State to produce what she describes as a “reality show” of unsuspecting passers-by, pointing out that a preliminary investigation had revealed that the practice served neither a public nor a legitimate interest. See the link to the update here: https://punchng.com/ndpc-warns-content-creators-over-unauthorised-filming-of-citizens/
• The NDPC has launched an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities. In a statement issued and signed by its Head, Legal, Enforcement and Regulations, Babatunde Bamigboye, the need for a probe followed reports of a suspected cyberattack circulating on dark web forums, where threat actors claimed to have accessed and exposed sensitive customer and institutional data linked to the affected platforms. The NDPC said its probe, which commenced with the service of a Notice of Investigation on April 1, 2026, is focused on determining the scope of the incident, the categories of personal data affected, and the potential risks to data subjects. The Commission stated that the investigation would also assess the technical and organisational safeguards in place, as well as the mitigation measures adopted in the event of a confirmed breach. See the link to the update here: https://www.channelstv.com/2026/04/06/ndpc-probes-remita-sterling-bank-over-alleged-data-breach/
• The Commission has launched an investigation into a reported data breach at the Corporate Affairs Commission (CAC). The probe by the Commission follows a sequence of events that began circulating online, alleging that hackers had breached the CAC database and possibly accessed millions of corporate records. The Commission said the move is aimed at safeguarding trust in Nigeria’s digital and economic systems amid growing concerns over data security. In its first official statement, the CAC described the incident as affecting “limited aspects” of its information systems and said it had activated internal response protocols while working with the National Information Technology Development Agency (NITDA) and other partners to assess the impact. The agency also advised users to update their login credentials and monitor their records, signalling concern that sensitive data such as account details or corporate records could have been exposed or targeted. See the link to the update here: https://nairametrics.com/2026/04/17/ndpc-probes-alleged-data-breach-at-corporate-affairs-
• The NDPC has commenced a sector-wide investigation of tertiary institutions across the country over alleged breaches of the Nigeria Data Protection Act, raising fresh compliance pressure on universities and other post-secondary institutions. In a statement issued by the Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, the Commission said the exercise was in furtherance of its statutory mandate under the NDP Act 2023 to enforce data protection standards across sectors. According to the NDPC, tertiary institutions, including universities, polytechnics, colleges of education and other post-secondary institutions, process large volumes of personal data belonging to students, staff, alumni, research participants and other stakeholders, making compliance with the Act imperative. “Hence, these institutions must demonstrate full compliance with the NDP Act,” the commission stated. See the link to the update here: https://punchng.com/ndpc-probes-tertiary-institutions-over-data-protection-compliance/
• The Commission has fined MultiChoice Nigeria ₦766,242,500 for breaching the Nigeria Data Protection Act. According to the Commission’s Head of Legal, Enforcement and Regulations, Mr Babatunde Bamigboye, the fine followed an investigation launched in the second quarter of 2024 into suspected violations of subscribers’ privacy rights and the unlawful cross-border transfer of data belonging to Nigerians. NDPC found, among other things, that MultiChoice violated the data privacy rights of its subscribers and individuals associated with them who are not necessarily subscribers. The Commission also discovered that MultiChoice engaged in the illegal cross-border transfer of personal data belonging to Nigerian data subjects. According to the Commission, “The depth of data processing by Multichoice is patently intrusive, unfair, unnecessary, and disproportionate.” Since the remedial measures undertaken by Multichoice in this regard were unsatisfactory, the Commission imposed a fine for violating the NDPA provisions. See the link to the update here: https://punchng.com/ndpc-fines-multichoice-%E2%82%A6766m-for-data-privacy-violations/
• NDPC fined Fidelity Bank NGN 555.8 million for violating the Nigerian Data Protection Act by processing personal data of Nigerians and residents without lawful basis and informed consent. The NDPC's investigation revealed non-compliance in the bank's data processing tools and reliance on non-compliant third-party processors. Despite opportunities for accountability, Fidelity Bank failed to provide a satisfactory remedial plan, leading to the fine. The decision was initially issued in July 2023, with a directive for a remedial fee in December 2023. See the link to the update here: https://www.dataguidance.com/news/nigeria-ndpc-fines-fidelity-bank-ngn-5558m-data
• The Commission has solidified its reputation in the digital space, concluding 246 investigations into data protection and privacy breaches and generating over N5.2 billion in compliance revenue. These outcomes reflect a deliberate shift toward aggressive, enforcement-driven oversight under the Nigeria Data Protection Act, 2023. The 246 concluded probes have directly led to 11 enforcement actions, including significant fines and remediation directives, demonstrating that the NDPC is prepared to impose substantial penalties on violators, from major corporations to financial institutions. See the link to the update here: https://businessday.ng/technology/article/ndpc-
• The NDPC, as of last year, launched its largest enforcement action since the passage of the Nigeria Data Protection Act (NDP Act) in 2023, placing more than 1,300 organisations under investigation and giving them 21 days to demonstrate compliance with the law or face enforcement orders, administrative fines, and possible prosecution. The regulator said the investigation marks the beginning of a sector-by-sector crackdown on firms suspected of violating statutory data protection obligations. The suspected sectors include: insurance companies, pension fund administrators, microfinance banks, mortgage lenders, gaming operators, and hundreds of insurance brokers. For the first time, the regulator has gone beyond quiet inquiries and has moved to publicly name companies that failed to act in accordance with the provisions of the Act. See the link to the update here: https://websecuritylab.org/ndpc-orders-1300-firms-to-prove-compliance-with-nigerias-data-protection-act/
• The Nigeria Data Protection Commission (NDPC) has issued an advisory warning to organisations about increasing cyber threats targeting Nigeria’s digital and data infrastructure. The Commission urged public and private institutions to strengthen their data security measures in compliance with the Nigeria Data Protection Act (NDPA) 2023. Key recommendations include adopting multi-factor authentication, conducting regular security assessments, appointing certified Data Protection Officers, and improving incident response systems. The NDPC warned that organisations failing to protect personal data may face regulatory sanctions and legal consequences. See the link to the update at: https://www.linkedin.com/posts/data-protection-advisory-by-ndpc-on-escalating

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.