NDPC’s ₦766.2 million fine against Multichoice Nigeria: Key lessons for cross-border data accountability

INTRODUCTION

On 6th June 2025, the Nigeria Data Protection Commission (the “NDPC”) imposed a ₦766,242,500 administrative penalty on Multichoice Nigeria for systemic violations of the Nigeria Data Protection Act (the “NDPA” or the “Act”). The penalty followed a detailed investigation initiated in the second quarter of 2024, which uncovered multiple infringements of the NDPA, including unauthorized cross-border data transfers, the processing of personal data without sufficient legal grounds, and infringements against both subscribers and non-subscribers. This enforcement action not only marks a turning point in Nigeria’s data protection regime but also offers critical lessons for stakeholders, particularly in the context of international data transfers. What exactly did Multichoice do wrong? Why does it matter? And how can organizations ensure compliance and avoid being fined?

This article delves into the nature of Multichoice’s violations, outlines the relevant legal framework governing cross-border data transfers in Nigeria, and explores key lessons for compliance and accountability under the NDPA.

WHAT IS CROSS-BORDER DATA TRANSFER?

Cross-border data transfer refers to the transfer of personal data across international borders, from one country to another. This process is crucial for global commerce, communication, and services, allowing companies and individuals to share and access data worldwide. Yet, it introduces complex challenges concerning privacy, security, and adherence to diverse international regulations.

LEGAL FRAMEWORK & GROUNDS FOR CROSS-BORDER DATA TRANSFER

Under Section 41 of the NDPA, data controllers and processors are prohibited from transferring personal data outside Nigeria unless the recipient is subject to legal or regulatory frameworks such as binding corporate rules, contractual clauses, or certification mechanisms that provide an adequate level of protection in accordance with the Act. Alternatively, the transfer may proceed if one of the limited exceptions under Section 43 applies (e.g., explicit consent, necessity for contract performance). To ensure compliance and traceability, organizations are required to document the legal basis and adequacy assessment for each cross-border data transfer, while the Nigeria Data Protection Commission (NDPC) reserves the right to mandate notifications and further clarify these safeguards through regulations.

Section 42 further elaborates on what constitutes “adequate protection,” emphasizing that the receiving jurisdiction must uphold data protection principles substantially similar to those under Nigerian law. In determining adequacy, factors such as the availability of enforceable data subject rights and mechanisms for legal redress are considered.

The NDPC may also impose additional restrictions for sensitive categories of personal data based on the nature of the data and potential risks to individuals.

WHAT DID MULTICHOICE DO WRONG?

The NDPC press release makes several critical findings against Multichoice Nigeria:

  • Multichoice transferred personal data of Nigerian data subjects outside the country without appropriate legal safeguards or justifications. There was no evidence that binding corporate rules, standard contractual clauses, or adequacy assessments were in place.
  • Personal data belonging to subscribers and non-subscribers (e.g., friends or associates of subscribers) was processed without consent or legal basis, violating data minimization and lawful processing principles under the NDPA.
  • The Commission found the extent of data collected and transferred by Multichoice to be intrusive, unfair, unnecessary, and disproportionate, contradicting the fundamental right to privacy protected under Section 37 of the Nigerian Constitution.
  • Multichoice’s lack of cooperation in the investigation process further aggravated the Commission’s stance.

LEGAL AND COMPLIANCE LESSONS FOR NIGERIAN AND FOREIGN ORGANIZATIONS

This enforcement action sets a crucial precedent for the private sector, particularly digital service providers, telecoms, fintech companies, and multinationals operating in Nigeria. Therefore:

1. Cross-border data transfers must be justified

Organizations must avoid sending personal data outside Nigeria unless:

  • There is a lawful basis (e.g., necessity for a contract);
  • The data subject has given explicit consent;
  • The foreign country ensures an adequate level of protection, or the controller implements safeguards like binding corporate rules.

Failure to meet these standards can trigger administrative fines, enforcement actions, and reputational harm.

2. Even non-subscribers have rights

Interestingly, the NDPC found that Multichoice infringed upon the privacy rights of individuals who were not subscribers. This expands the scope of responsibility for data controllers. If data about individuals is collected or inferred through third-party interactions (e.g., via a subscriber’s contact list), proper consent and justification are still required directly from the owner of such data or information.

3. Penalties are now real and substantial

With this ₦766.2 million fine, the NDPC has proven that data protection enforcement in Nigeria is not symbolic. The size of the penalty reflects the seriousness of the violation and aligns with global trends where data breaches attract multi-million-dollar fines.

THE WAY FORWARD TO ENSURE COMPLIANCE

The NDPC’s enforcement action should not merely be seen as punitive, but also as instructive. To improve overall data protection compliance, the following steps are recommended:

  1. Organizations should engage the services of legal practitioners or law firms for legal advisory on cross-border data transfer in order to exhaustively comply with the NDPA.
  2. Before initiating large-scale data processing activities or cross-border transfers, data controllers (e.g. Multichoice) must carry out Data Protection Impact Assessments (DPIAs) to evaluate risks to data subjects.
  3. The NDPA requires “Data Controllers and Data Processors of Major Importance” (“DCPMI”) to appoint Data Protection Officers (DPOs). These professionals help ensure ongoing compliance and are often the link between the company and the NDPC. DCPMI are commercial banks, insurance companies, fintech companies and organisations that handle a large volume of financial data.
  4. Develop internal policies for data protection, cross-border transfers, recordkeeping, and breach response. Staff should be regularly trained to understand and apply these policies in their daily operations.

CONCLUSION

The NDPC fine on Multichoice is a paradigm shift towards ensuring that data controllers and processors comply with the NDPA. As Nigeria is positioning itself as a global leader in digital economy regulation, adherence to the NDPA and best practices in cross-border data governance will be vital, not just for avoiding penalties, but for building trust, ensuring privacy, and unlocking international business opportunities.

Kayode Sofola & Associates (KS LEGAL)
