The Nigeria Data Protection Commission (NDPC) has slammed a ₦766,242,500 fine on Multichoice Nigeria for multiple violations of the Nigeria Data Protection Act (NDP Act), marking one of the most consequential enforcement actions since the law came into effect.
The NDPC says the penalty follows a detailed investigation launched in the second quarter of 2024, prompted by reports of suspected breaches of subscriber privacy and unauthorised cross-border transfer of Nigerian users’ personal data by the Pay-TV service provider, Multichoice Nigeria.
Multichoice, the Commission finds, infringes not only on the data privacy rights of its subscribers but also unlawfully processes the personal information of non-subscribers—specifically, friends and contacts of users.
The NDPC says the penalty follows a detailed investigation launched in the second quarter of 2024, prompted by reports of suspected breaches of subscriber privacy and unauthorised cross-border transfer of Nigerian users’ personal data by the Pay-TV service provider, Multichoice Nigeria.
“Multichoice violates the data privacy rights of subscribers and their friends who are not necessarily subscribers,” NDPC says in an official statement. “This is a grave affront to the fundamental right to privacy as enshrined in Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.”
The Commission accuses Multichoice of conducting illegal cross-border data transfers involving Nigerians’ personal data—an action that contravenes national data sovereignty principles under both domestic and international law.
“Nigeria is entitled to protect her citizens and data sovereignty under both international and extant municipal laws—as these have far-reaching implications for rule of law, national security and economic growth,” the NDPC states.
Despite being directed to implement appropriate remedial measures in line with the Commission’s standard enforcement protocol, the NDPC says Multichoice’s response is inadequate and uncooperative. As a result, the Commission ordered the company to pay the ₦766 million fine for non-compliance with the NDP Act.
In a significant follow-up move, Dr Vincent Olatunji, National Commissioner of the NDPC, has ordered a broader investigation into all Multichoice-operated outlets in Nigeria that collect personal data.
The Commission warns that any entity found processing personal data unlawfully will face similar penalties, signalling a tougher stance on data privacy enforcement across Nigeria’s digital landscape.
Multichoice Nigeria data privacy fine: What are the issues involved?
Technology Times review of relevant provisions of the Nigeria Data Protection Act (NDPA) and information provided by the data protection guardian agency, NDPC, provides a broader scope and context of some of the issues involved in the data privacy breaches filed against Multichoice Nigeria, and is broken down by the government agency in the underlisted FAQs:
What is data processing?
Data Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Nigeria is entitled to protect her citizens and data sovereignty under both international and extant municipal laws—as these have far-reaching implications for rule of law, national security and economic growth,” the NDPC states.
How important is the consent of a data subject in data processing?
The consent of a data subject is very important in data processing. A Data Controller must seek this consent either in writing or by any other action through which the Data Subject knows he is giving consent. There are exceptions where duly constituted authorities can process data without consent in public interest or where private organisations may have lawful and cogent basis (albeit rebuttable) for data processing. These exceptions are without prejudice to the principles of data protection. Hence every data controller whether acting in public interest or in private interest can be held to account under the NDPA.
How can the Nigeria Data Protection Commission (NDPc) legally protect the privacy rights of a data subject?
Privacy right is a fundamental right that is recognized and enforceable through executive powers vested in the executive arm and the judicial powers vested in the judicial arm of government. In the exercise of the executive powers vested in the President by virtue of Section 5, 1999 Constitution of the Federal Republic of Nigeria (CFRN, as amended), the NDPC was established to implement the NDPA. Through its synergy or collaboration with relevant government agencies such as the National Information Technology Development Agency (NITDA), Nigeria Police Force, Federal Competition and Consumer Protection Commission, Independent Corrupt Practices and Related Offences Commission (ICPC), Central Bank of Nigeria etc. NDPB takes effective executive measures in protecting the Privacy Rights of Data Subjects.
The consent of a data subject is very important in data processing. A Data Controller must seek this consent either in writing or by any other action through which the Data Subject knows he is giving consent. There are exceptions where duly constituted authorities can process data without consent in public interest or where private organisations may have lawful and cogent basis (albeit rebuttable) for data processing.
What is the role of NDPA in transactions that require transfer of personal data abroad?
The NDPR recognises the need for cross-border transfer of data in an era of globalised and high-speed business transactions. Article 2.11 of the Regulation, which touches on transfer to a foreign country, addresses this issue. To comply with the provision and other aspects of the Regulation, the Data Controller is under legal obligation to provide the following:
- I) The name(s) of the country where personally identifiable information of Nigerian citizens are transferred on a regular course of business.
- II) The consent of the data subject in line with the principles of data protection.
- III) The Data Protection Laws and contact of National Data Protection Office / Administration of such of the named country (in I above)
- IV) The Privacy Policy of the Data Controller which must comply with the provisions of the NDPR.
- V) An overview of encryption method and data security standard.
- VI) Any other detail that assures the privacy of personal Data is adequately Protected in the named country (in “(I)” above).
What are the major objectives of the NDPA?
- To safeguard the rights of Natural Persons to Data Privacy;
- To foster safe conduct of transactions involving the exchange of Personal Data;
- To prevent manipulation of Personal Data; and
- To ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection and which (framework) is in tune with best practice.
What is the scope of the NDPC?
NDPA applies to all transactions that involve the processing of Personal Data;
NDPA applies to natural persons residing in Nigeria or residing outside Nigeria (but who are citizens of Nigeria);
NDPA does not limit, abridge or deny the full protection a natural person is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction.
Home
