The Nigeria Data Protection Commission has said it is treating the alleged INEC voter data leak with urgency, warning that no institution, whether public or private, is too powerful to be investigated or invited when data protection issues arise.
The National Commissioner and Chief Executive Officer of the NDPC, Dr. Vincent Olatunji, said this while speaking on recent data protection controversies, enforcement actions, emerging technologies, the 2027 elections and Nigeria’s data localisation policy.
Olatunji said the commission does not act merely because an allegation is trending on social media, but follows established investigation procedures to ensure fairness, diligence and due process.
According to him, no data breach reported to the commission has been ignored, whether it involves a government agency or a private organisation.
“What is important is that there is no breach reported to us that we have not acted on, whether it involves a government institution or a private organisation. We investigate every report properly and thoroughly before reaching any conclusion,” he said.
On the INEC matter, Olatunji said the case is particularly sensitive because Nigeria is approaching another election cycle and the issue touches on the credibility of one of the country’s most important databases.
“The INEC matter is one of the cases we are currently handling. It is particularly sensitive because we are moving towards another election cycle, and it speaks directly to the credibility of one of the most important databases in the country. Because of that, we treated it with the utmost urgency,” he said.
He disclosed that INEC officials had appeared before the commission more than once, adding that all parties involved had been invited to a Pre-Action Conference as part of the ongoing investigation.
“INEC officials have appeared before us more than once. They were here last week, and they have been here again. Furthermore, all parties involved have been invited to a Pre-Action Conference, not just INEC, as we continue with our investigations,” he said.
Olatunji said the NDPC would continue to invite any institution or company when necessary, regardless of its size or influence.
“No matter how big you are, we will invite you. We have invited multinational companies, digital platforms, and government agencies. Once a matter comes before us, we investigate and take the necessary action,” he said.
The NDPC boss explained that the commission’s enforcement approach is focused more on compliance than punishment.
He said when a breach is reported, the commission does not merely examine the incident, but also reviews the entire compliance structure of the organisation involved, including whether it is registered with the NDPC, has filed audit reports, appointed a Data Protection Officer, developed a privacy policy, kept records of processing activities and adopted adequate safeguards.
According to him, where an organisation has substantially complied but still has gaps, the commission may impose remediation fees and monitor compliance instead of rushing to impose punitive fines.
“Our objective is compliance. That is the most important thing,” he said.
Speaking on the Meta case, Olatunji said the matter was the only major case that went to court after the NDPC imposed a penalty.
He said when Meta saw the commission’s position and evidence in court, the company approached the NDPC for discussions outside the courtroom.
Olatunji said the commission’s goal is not to embarrass companies, collect money or drive away investment, but to ensure that organisations respect Nigerians’ privacy rights and comply with the law.
“We must not do anything that will unnecessarily drive away investment. Think about the millions of Nigerians who depend on Facebook, Instagram, and WhatsApp every day. Students use these platforms, market women use them, small businesses rely on them, and entrepreneurs buy and sell products through them,” he said.
“The question, therefore, becomes: what exactly are we trying to achieve? Is it to collect money? Is it to embarrass companies? Is it to drive them away? No. The objective is compliance.”
On artificial intelligence and other emerging technologies, Olatunji said the speed of technological change remains one of the biggest issues facing regulators.
He said many developers understand cybersecurity but often treat privacy as an afterthought, stressing that privacy must be built into technology from the design stage.
“That is why we are pushing Privacy by Design. Privacy should be incorporated at the ideation stage. It should be part of the design process from the beginning rather than being introduced after a product has already been developed,” he said.
He added that the commission is developing regulations and frameworks to guide emerging technologies, noting that the Nigeria Data Protection Act gives the NDPC flexibility to issue regulations without returning to the National Assembly every time a new technology emerges.
Ahead of the 2027 elections, Olatunji said the commission is working closely with INEC and has established a dedicated Working Group with the electoral body.
He said the framework would allow the commission to engage political parties and other stakeholders on responsible handling of personal data.
According to him, many political parties collect personal data from members and supporters without fully understanding the privacy safeguards required by law.
“We are ready to train political parties on responsible data processing practices,” he said.
He added that the commission is also engaging traditional institutions because they remain close to artisans, market women, transport workers and rural residents who make up a large part of the voting population.
Olatunji further disclosed that the NDPC had translated the Nigeria Data Protection Act into major Nigerian languages to enable citizens understand their rights.
On the Central Bank of Nigeria’s directive requiring financial institutions to retain payment transaction data within the country, Olatunji described the policy as a positive development for Nigeria.
He said the policy is about data localisation and would help stimulate investment in Nigeria’s data centre ecosystem.
According to him, Nigeria currently has about 27 data centres, many of which have capacity that is not fully utilised.
“If financial transaction data is hosted locally, it will stimulate investment in the data centre ecosystem. It will create jobs, increase infrastructure development, and reduce capital flight,” he said.
He added that local hosting of financial transaction data would reduce foreign exchange pressure, encourage competition among data centre operators, improve infrastructure and security, and eventually reduce hosting costs.

