Shares in Trump Media & Technology Group (TMTG) plunged 7.4% on Wednesday, adding to a steep decline that has erased much of the early frenzy surrounding the company.

The latest drop followed a filing with the Securities and Exchange Commission (SEC) late Tuesday, revealing that President Donald Trump is preparing to sell his entire $2.3 billion stake in the company.

The filing showed that TMTG plans to sell more than 142 million shares, including Trump’s personal stake of 114 million shares, which is currently held in a trust controlled by his son, Donald Trump Jr. While the company insisted in a statement that this was a “routine filing” and that Trump was not yet selling, the prospect of the president cashing out rattled investors, deepening the company’s ongoing stock slide.

TMTG’s Downward Spiral: From Frenzy to Freefall

TMTG, which operates Truth Social, has been in a steady decline for months, shedding more than 40% of its value in 2024. The company, once seen as a key pillar of Trump’s post-presidency business empire, has struggled to maintain momentum after an initial surge of enthusiasm among retail investors.

When Trump first launched Truth Social in 2022, it was presented as an alternative to major social media platforms that had banned him following the January 6, 2021, attack on the U.S. Capitol. The company quickly attracted investors eager to support Trump’s vision of a free-speech platform. However, enthusiasm has since waned, as the company continues to post financial losses and struggles to attract a mainstream audience.

TMTG reported a net loss of $19.2 million in the third quarter of 2023, and despite having roughly 650,000 shareholders, it has failed to gain institutional support. The vast majority of its shareholders are small retail investors, with only about 2,100 investors holding more than 5,000 shares.

Trump’s Return to X Raises Questions About Truth Social’s Future

A major factor that accelerated TMTG’s decline was Trump’s return to X (formerly Twitter), the platform where he once had over 80 million followers. After owner Elon Musk lifted Trump’s ban in late 2022, speculation swirled that the president would abandon Truth Social in favor of the far larger platform.

For months, Trump remained exclusive to Truth Social, but as his 2024 reelection campaign intensified, the need to reach a wider audience became apparent. In August 2023, Trump made his highly anticipated return to X, posting for the first time since being reinstated. The move was widely interpreted as a sign that he was distancing himself from Truth Social.

Trump’s Exit from TMTG?

Trump’s potential stock sale is the latest indication that he may be pulling away from the company he founded. While he has not officially announced any plans to abandon Truth Social, his re-engagement with X suggests that he no longer sees it as his primary online megaphone.

In September, Trump reassured investors that he had no plans to sell his shares, causing TMTG’s stock to surge temporarily. However, trading was halted twice by Nasdaq that day due to extreme volatility. At the time, Trump lashed out at the exchange, accusing it of “taking orders from” the SEC and interfering with his business.

Now, with the prospect of him offloading his entire stake, investors fear that TMTG could face an uncertain future. The company has yet to demonstrate it can be viable without Trump’s direct involvement, and if he cashes out, it could signal a loss of confidence in the platform’s long-term prospects.

Market Uncertainty Grows Amid Trump’s Tariff Announcement
The stock drop also comes at a precarious time for financial markets, as investors brace for Trump’s new “reciprocal” tariffs, which he is set to unveil in a White House Rose Garden ceremony later Wednesday. The tariffs, which he has dubbed “liberation day” trade measures, are expected to target foreign imports with aggressive new levies, further roiling market sentiment.

Amid this backdrop of uncertainty, TMTG’s troubles appear far from over. The company’s fate remains closely tied to Trump’s political and business decisions, and as he inches closer to a possible exit, the stock’s downward spiral may only accelerate.

Is Nigeria’s latest data protection directive a genuine step toward compliance, or just another bureaucratic burden? The Nigeria Data Protection Act (NDP Act) 2023 marked a significant step toward strengthening data privacy rights in Nigeria. In line with this, the Nigeria Data Protection Commission (NDPC) recently released the General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025), aiming to provide clarity on the Act’s implementation. However, while the GAID introduces useful guidance, it raises concerns regarding its alignment with international best practices, potential revenue-driven motives, and practical challenges for organisations seeking compliance.

The GAID attempts to cover a wide range of regulatory aspects, including data processing principles, data subject rights, cross-border data transfers, and obligations of data controllers and processors. While it elaborates on provisions of the NDP Act and provides templates for compliance (e.g., audit returns, DPO assessments, and cross-border transfer procedures), its structure and approach raise critical concerns.  I do not intend to go on a course of analyzing the details and the herculean task of summarizing the document; I only intend to point out important issues that need to be addressed.

Key Issues with the GAID

The implementation of the GAID has introduced significant concerns that go beyond its stated goal of enhancing data protection in Nigeria. Businesses, especially those processing large volumes of data, are now faced with increased financial burdens, unclear regulatory expectations, and heightened administrative demands. The directive, instead of clarifying ambiguities in the NDP Act, has deepened confusion, particularly regarding cross-border data transfers. Moreover, the drastic increase in audit filing fees raises suspicions that financial motives may be prioritized over fostering a robust data protection ecosystem.

This section explores key challenges stemming from the GAID’s provisions, highlighting areas where regulatory clarity is lacking and where compliance may become impractical or disproportionately costly for organizations.

Misalignment with International Standards

Although the GAID references international best practices (Article 42), certain aspects deviate from established global norms, particularly when compared to the EU’s General Data Protection Regulation (GDPR):

• Defining “Major Importance”: Article 8 primarily categorizes Data Controllers and Processors of Major Importance (DCP-MI) based on the number of data subjects processed. However, global best practices emphasize the sensitivity and potential risk of data rather than sheer volume. A hospital processing sensitive health data of 50 individuals presents a higher risk than a company handling basic contact information for thousands. The GAID’s volume-based approach risks overlooking high-risk processing activities.
• Vague Compliance Requirements: Many compliance obligations are broadly defined, lacking practical implementation guidance. For example, Article 10(3) mandates privacy audit controls “in line with global best practices,” yet it does not specify measurable benchmarks. Similarly, requiring systems to “make data requests and access seamless” (Article 7(s)) is aspirational but offers no concrete direction.

Revenue Generation Over Genuine Compliance?

The GAID’s fee structures and administrative obligations raise concerns that financial motives may be prioritized over fostering effective data protection:

• Increased Audit Filing Fees: A significant hike in mandatory audit filing fees (Schedule 10) raises serious concerns about affordability and fairness. Previously, UHL entities filed for NGN 20,000, but now, fees have drastically increased to NGN 1,000,000 for large data processors. The assumption that data volume equates to revenue is flawed—many organizations process vast amounts of data without generating the income necessary to meet these exorbitant fees. This could lead to non-compliance, financial strain, or forced prioritization of filing fees over operational sustainability.
• Excessive Emphasis on Registration and Filing: The directive places heavy focus on registering DCP-MIs (Article 9) and filing Compliance Audit Returns (CAR) (Article 10), with penalties attached. This administrative focus suggests an emphasis on procedural compliance rather than substantive data protection.

“Rather than fostering compliance, the NDPC appears more focused on monetizing data protection.”

Compliance as an Unclear and Onerous Concept

The GAID, despite its intent to provide clarity, leaves several ambiguities that complicate compliance efforts:

• Lack of Specificity: Many compliance mandates are described in broad terms without clear implementation guidance. Without sector-specific frameworks, businesses are left to interpret their obligations independently, increasing the risk of inconsistent compliance.
• Overemphasis on Documentation: The GAID mandates extensive documentation (e.g., semi-audit reports, DPIAs, etc.). While documentation is critical, an excessive focus without clarity on qualitative expectations could lead to a “checklist” approach rather than fostering substantive compliance.
• Subjectivity in Defining “Major Importance”: While Article 8 lists factors like “value or significance,” the ultimate designation of a DCP-MI appears discretionary. This lack of objective criteria creates uncertainty for organizations and opens the door to arbitrary regulatory decisions.

Cross-Border Data Transfers: A Missed Opportunity

The GAID provides little practical guidance on cross-border data transfers, despite their significance in a globalized digital economy. The directive has failed to clarify the position on cross-border transfers, leaving the situation as confusing as it was under the NDPA, if not more so. Many had anticipated that the GAID would provide much-needed clarity, but instead, it has led them further into uncertainty, akin to being trapped in a dark tunnel with PHCN holding the only light at the end, hopeless.

Specifically, the GAID falls short in several key areas:

• Absence of Concrete Mechanisms: The lack of explicit provisions outlining lawful procedures for cross-border data transfers creates a significant cloud of uncertainty for organizations that depend on the seamless flow of data across international borders.
• Lack of Standard Tools: Unlike many other jurisdictions that have established Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), Nigeria’s data protection framework does not offer clear, standardised mechanisms for businesses to structure their international data transfers in a legally sound manner. This deficiency severely limits the compliance options available to organizations.
• Regulatory Inconsistencies: Businesses striving to comply with the regulations find themselves relying on limited derogations, yet the application and enforcement of these exceptions remain inconsistent. Furthermore, attempts to seek clarification from regulatory bodies have often been met with vague or unhelpful responses, rather than the substantive guidance that is desperately needed.
• Ambiguous Treatment of Multinational Operations and Cloud Services: The GAID fails to adequately address the complexities faced by multinational companies that often process data through centralized systems located in a single data center, regardless of geographical boundaries. Moreover, the legal standing of utilizing foreign-based cloud storage systems for data processing remains unclear, raising significant concerns about legal certainty for businesses that rely on such infrastructure.

“Nigeria has essentially enabled non-compliance by failing to establish a structured transfer mechanism.”

DPIA Expansion: A Burden on Small Businesses?

The GAID significantly broadens the requirement for Data Protection Impact Assessments (DPIAs). By expanding the triggers for DPIAs to include broad categories like “e-commerce” and “healthcare,” the directive imposes burdens on small businesses, such as Instagram vendors and small pharmacies, that may not have the resources for extensive assessments. This expansion raises concerns about unnecessary regulatory hurdles that could stifle small-scale digital enterprises, forcing them to navigate complex compliance obligations typically designed for larger corporations. The cost and administrative demands of conducting DPIAs may lead to reduced digital participation and discourage entrepreneurship, ultimately hindering economic growth and innovation in Nigeria’s emerging tech-driven economy.

Unequal Enforcement: Public Sector Compliance Overlooked?

Although Article 3 of the GAID seeks to replace the NDPR and its implementation framework, it fails to address the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020. This omission raises a critical question: Are only private sector organizations being targeted for compliance? Without clear directives on how public institutions will adhere to data protection standards, there is a risk of selective enforcement, undermining trust in the regulatory process.

Operationalizing SNAG Introduced the GAID: How?

The introduction of the Data Subject’s Standard Notice to Address Grievance (SNAG) under Article 40 raises operational concerns. While it provides a structured means for individuals to address privacy violations, its effectiveness depends on its implementation. Key questions arise: How will compliance be enforced? Will there be timelines for responding to SNAGs? How will the NDPC handle situations where organizations repeatedly ignore SNAGs? Under the GDPR and UK Data Protection Act, similar mechanisms exist, such as the right to lodge complaints with supervisory authorities (Article 77 GDPR, Section 165 UK DPA) and the obligation of data controllers to respond to data subject rights requests (Article 12 GDPR, Section 45 UK DPA). However, these are supported by clear enforcement actions and redress options, ensuring that violations are met with appropriate remedies and regulatory oversight. Without such measures, SNAG risks being an ineffective tool rather than a meaningful compliance mechanism.

Problematic Articles and Additional Compliance Concerns in the GAID

• Article 7(l) on Cookie Notices: The directive mandates specific cookie banner placements (“obstructing the middle, left, or right side of the home page”), a rigid and intrusive requirement that deviates from more flexible international standards.
• Article 6 on Individual Data Processing: While encouraging responsible data handling, the broad definitions of risky conduct (e.g., “lack of duty of care in handling any device storing personal data”) may create confusion and potential overreach.
• Interplay with Sectoral Regulations (Article 4): The GAID promotes cooperation on sectoral guidelines, but without harmonization, this could lead to regulatory fragmentation across industries.
• Benchmarking with Interoperable Data Privacy Measures (Article 35): The bureaucratic approval process, long approval timelines, and vague definitions could hinder innovation and increase compliance burdens, especially for smaller tech companies.
• Exercise of Data Subject Rights (Articles 36-39): Implementing rectification, portability, and erasure rights requires significant technical and operational adjustments. The lack of clear enforcement mechanisms, the complexity of data portability, and potential disruptions due to temporary orders from the Commission raise compliance risks for businesses.

Conclusion

The GAID 2025 represents an important step in implementing Nigeria’s data protection framework. However, its focus on numerical thresholds for “major importance,” increased filing fees, and broad compliance mandates suggests a framework that leans towards procedural formalities rather than substantive data protection.

“Without practical refinement, the GAID risks becoming a compliance nightmare rather than a safeguard for data privacy.”

To ensure an effective and sustainable data protection regime, the NDPC should refine its approach, focusing on proportionality, clarity, and global best practices. Only then can Nigeria truly establish a data protection framework that supports both regulatory oversight and digital innovation.

Disclaimer: The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of the publishing organization or the author’s employer. This article is for informational and discussion purposes only and should not be construed as an official statement or endorsement by either entity.

Come with your calculator and log book because you may need them. Indeed, you will understand the “Measure of Central Tendency” and how you can use lean six sigma to drive business growth and accelerate productivity. Join Dr Charles Igwe as he teaches on the topic – “Driving Growth and Operational Excellence Using Lean Six Sigma” – at Tekedia Mini-MBA Live at 7pm WAT today. Zoom link in the Board.

This is one of the leading courses which our university partners have used extensively (we allow that provided it is for the good of the students). Dr Igwe, a zen-master, created about 160 slide-courseware to explain this zen-stuff. In the updated lecture (out today), you will master how AI can make Lean Six Sigma even better to drive business growth.

We are Tekedia Institute – the winner of University of Ilorin U-Inspire Award, the winner of Velocity Mhagic Award, and the winner in the knowledge systems of thousands of young people. We have one product and that is KNOWLEDGE. We just received a big endorsement from the Federal Ministry of Youth and Sports Dev in Nigeria; a really amazing and brilliant letter, commending our work. Thanks so much for recognising this Institute.

Pick your seat and let’s fulfil the cardinal mission encapsulated by University of Nigeria Nsukka: “to restore the dignity of man (and woman)”.  Register for the next edition of Tekedia Mini-MBA here.