The Nigeria Data Protection Commission (NDPC) has issued its most significant enforcement action since the 2023 Data Protection Act came into effect—levying a staggering ₦766.2 million fine on MultiChoice Nigeria. The penalty follows a detailed investigation that began in the second quarter of 2024, revealing widespread data privacy breaches and unauthorized cross-border transfers of Nigerian subscribers’ personal information. This report offers a thorough rephrasing of the original announcement, bringing in international best practices and contextual background to reach a full 1,000 words.

Investigation Uncovers Systemic Data Violations

Mid-2024 saw the NDPC initiate a formal probe into MultiChoice after various complaints and intelligence indicated the company violated data privacy laws. Legal officials including Babatunde Bamigboye (Head, Legal, Enforcement & Regulations) explained that MultiChoice collected excessive personal information—not only from paying subscribers but also from their friends and contacts. Furthermore, the company allegedly transferred this data outside Nigeria without valid legal grounds.

The NDPC described the company’s data collection methods as “patently intrusive, unfair, unnecessary and disproportionate,” affirming that these breaches violated Section 37 of the 1999 Nigerian Constitution, which enshrines the right to privacy. The Commission further emphasized that Nigeria must protect data sovereignty to preserve national security and maintain public trust in the digital economy.

Failure to Remediate Invites a Heavy Penalty

Following initial findings, the NDPC directed MultiChoice to rectify the infringements. However, authorities determined that the company did not cooperate adequately. The recommended remediations—including data localization, deletion of unnecessary records, and documented subscriber consent—remained partly or wholly unimplemented. Consequently, NDPC National Commissioner Dr. Vincent Olatunji instituted the historic fine.

Adding to the severity, Dr. Olatunji ordered all outlets where MultiChoice collects personal data to be audited for compliance. Any identified violations would trigger further penalties under the Data Protection Act.

Breaking Down the Penalty: Significance and Precedent

• Largest fine to date: This record-setting penalty eclipses previous fines under the NDPC regime. Before this, institutions such as banks and insurance companies cumulatively paid approximately ₦400 million for minor infractions.

• Regulatory shift: The NDPC has signaled a clear move toward stricter enforcement, stating that fines—including up to 2% of an entity’s annual gross revenue—will be imposed when remediation fails.

• Widespread impact: Fidelity Bank previously incurred a ₦555.8 million fine this year for customer data breaches. Such actions illustrate a wider regulatory crackdown aimed at achieving compliance across sectors.

MultiChoice’s Regulatory History

In addition to data privacy concerns, MultiChoice Nigeria has attracted regulatory attention for other issues:

• The Federal Competition and Consumer Protection Commission (FCCPC) filed charges against the broadcaster in early 2025 after enforcing price reduction orders were disregarded.

• Regulatory bodies have increasingly scrutinized MultiChoice’s business conduct, signalling that the company cannot rely on influence alone to avoid proper governance.

This context magnifies the seriousness of the NDPC’s penalty, as repeated interventions suggest systemic compliance shortcomings rather than a single lapse.

What Drove the Fine?

• Scale of violations: The extent of unauthorized data collection—affecting both subscribers and their contacts—and cross-border transfers substantially increased the NDPC’s response.

• Lack of corrective action: MultiChoice failed to implement necessary changes within the given timeframe. As Dr. Olatunji noted, remediation is preferred, but enforcement follows when entities resist compliance.

• Protective signal: The NDPC emphasized that no company—regardless of its national importance—stands above the law when infringing citizens’ digital rights.

A Legal Framework and NDPC’s Mandate

The Nigeria Data Protection Act (NDPA) 2023 grants the NDPC authority to safeguard digital privacy. Controllers or processors found in breach face fines of at least ₦10 million or up to 2% of annual gross revenue. Beyond enforcement, NDPC’s responsibilities include:

• Drafting regulations

• Certifying data privacy professionals

• Leading workshops to raise awareness

• Serving as Nigeria’s liaison with international privacy regulators

The act aims to unify data governance under a coherent, globally aligned legal framework.

Reactions from Key Stakeholders

• NDPC leadership: Commissioner Dr. Olatunji clarified that enforcement actions remain optional when companies show willingness to remedy breaches. However, penalties become inevitable with resistance.

• Business community: Firms operating in Nigeria increasingly recognize the need for robust data compliance to avoid financial, legal, or reputational harm.

• Consumers: With growing awareness of digital rights, citizens may view this penalty as evidence of the NDPC’s protective stance and possible legacy for digital trust.

Implications for MultiChoice Nigeria

• Financial strain: A ₦766 million fine poses a significant financial challenge, depending on the company’s profit margins and contingency reserves.

• Compliance overhaul: MultiChoice must now implement full internal audits and revise its data policies—including securing consent, limiting data retention, and ensuring transparency.

• Ongoing scrutiny: The Commission’s directive to audit all collection outlets means the risk of future penalties remains high if issues persist.

Looking Ahead: Sector-Wide Implications

• Amplified enforcement: The NDPC will continue issuing sanctions where voluntary remediation fails. Non-compliant entities face escalating pressure.

• Governance upgrades: Companies must boost data security, revise retention policies, and localize servers to align with NDPA obligations.

• Stakeholder development: The NDPC plans to sponsor data protection officer certification and business workshops to foster widespread compliance.

• International cooperation: The agency expects to share best practices and enforcement tactics with global regulators, positioning Nigeria as a leader in African data privacy.

Global Perspective: Comparisons from Other Jurisdictions

While the NDPC penalty dwarfs previous fines domestically, it remains moderate by international standards. For context:

• The UK’s Information Commissioner’s Office imposed a £275 million fine on British Airways in 2019 for data breaches.

• Germany’s Deutsche Wohnen AG faced a €14.5 million fine in 2021 for GDPR violations.

• The EU’s maximum fine reaches 4% of turn-over, reflecting the region’s firm stance on data privacy.

Nigeria’s emerging enforcement landscape mirrors this global trend, signaling improved stewardship of digital rights.

Conclusion: A Turning Point for Digital Privacy in Nigeria

The ₦766.2 million fine represents more than a punitive event—it signifies a pivotal moment in Nigeria’s digital regulation. As the NDPC shifts from advisory and supportive roles to assertive enforcement, entities handling data face renewed urgency to comply.

For MultiChoice Nigeria, adapting swiftly and transparently is no longer optional. For the broader digital economy, the message is clear: privacy protections matter, and breaches bear real consequences. Successful transition to lawful data governance could foster trust, unlock investment, and position Nigeria as a data protection frontrunner on the continent.