Introduction
With the increase in the use of personal information by
businesses in this digital age, compliance with data protection and
privacy obligations is of increasing interest to many companies
across jurisdictions. This is due to the heightened risks and
incidence of hacking/compromise of the database of corporations and
the enormous liabilities that arise from them. Furthermore, the
widespread enactment of laws on data privacy in many countries has
compelled companies to prioritise data privacy in their corporate
policies and practices.
Expectedly, the emerging primacy of data privacy compliance by
corporations has precipitated a reappraisal of key considerations
in contemporary corporate transactions including mergers and
acquisitions. Traditionally, when companies contemplate buying or
merging with other companies, the top-of-mind considerations are
likely to centre on determining the value of the asset: What is the
brand recognition of the asset worth in the marketplace? Is the
vendor’s selling price fair? Has due diligence been done?
However, in recent times, compliance with applicable data
protection laws has become increasingly critical to merger and
acquisition transactions because an acquisition typically involves
the assumption of responsibility for the use of such data. More so,
where personal information is one of the main assets to be acquired
in a merger transaction, the acquisition may be of little value if
it cannot be used or leveraged by the acquiring entity due to
breach or non-compliance with privacy laws by the undertaking being
acquired.
In Nigeria, the Nigerian Data Protection Regulation
(“NDPR” or “Regulation”) introduced by the
National Information Technology Development Agency (“NITDA” or
“Agency”) is the primary legal instrument on data privacy
and aims to safeguard, protect and regulate the collection,
processing and use of personal data. Notably, the scope of the
Regulation extends to a wide array of transactions between companies
and natural persons that may involve data processing.[1]
This article will examine some data protection considerations in
a merger or acquisition in Nigeria.
Legal Considerations
Multiple laws regulate the use and disclosure of personal
information during and after an acquisition. Hence, it is crucial
for parties to the transaction to identify at the outset of a
transaction the relevant statutory and regulatory requirements
related to personal information. Laws such as the Federal
Competition and Consumer Protection Commission Act, the National
Information Technology Development Act and the NDPR, among others,
contain provisions that are relevant to data privacy in merger and
acquisition transactions.
In the same vein, when negotiating a deal, it is important to
recognize and address material issues such as transferability of
liability. Unless parties express a contrary intention in contract,
the consummation of an acquisition effects a transfer of the
target’s liabilities to the acquirer by operation of law.
Similarly, the surviving entity in a merger will by operation of
law, assume all liabilities of the other entity. Therefore, it
becomes essential for an acquirer, buyer, or investor to consider
the privacy policies, obligations, duties, and liabilities of the
target company during the negotiation of a merger to avoid
liabilities.
One way this can be done is to conduct a robust review of the
target’s privacy and data protection practices. The outcome of
such privacy due diligence will usually assist the acquirer or
investor in deciding whether to proceed with the transaction at a
lesser stake or to withdraw entirely from the transaction. For
example, in 2017, Verizon Communications Inc agreed to buy Yahoo
Inc’s core business for $4.48 billion, lowering its original
offer by a whopping $350 million in the wake of two massive
cyber-attacks on Yahoo Inc.[2]
For contracting parties, the NDPR imposes compliance obligations
on companies including:
- Audit check – The NDPR mandates all organizations that process
the personal data of more than 1000 data subjects[3] in a
period of 6 months and 2000 data subjects in a period of 12 months
to submit a Data Protection Audit report to NITDA within a
period of the year.[4] Failure to file these returns to
NITDA is deemed a breach of the NDPR.
- Data Protection Officers (DPOs) – The Regulation also mandates
every data controller to employ a Data Protection Officer within
its organization or outsource this role to a verifiably competent
firm or person.
- Privacy Policies – The NDPR also imposes an obligation on every
data controller or processor to ensure it has clear and unambiguous
privacy policies that are accessible and comprehensible by the data
subject. These policies are to be meticulously drafted to meet the
requirements in Art. 2.5 of the NDPR.
Accordingly, an acquiring party should confirm the
up-to-date compliance of the target company with the above legal
prescriptions when conducting comprehensive due diligence on the
affairs of the target company. It is also expedient that the
acquiring company put in place security measures to protect data
during and after the transaction. These measures include protecting
systems from hackers, setting up firewalls, storing data securely
with access to specific authorised individuals, employing data
encryption technologies, developing an organisational policy for
handling personal data, protecting emailing systems, and providing
continuous capacity building for staff.
The regulatory agencies tasked with enforcing the provisions of
data privacy laws are important in the consummation of mergers and
acquisitions. To this end, it is prudent for parties to a merger or
acquisition to identify and satisfy the requisite regulatory
consents or notifications that may be required in the transaction
process. For instance, in cross-border merger/acquisition
transactions where personal data may be transferred, it may be
imperative for parties (aside from securing the express consent of
data subjects) to also ensure that the country where such data will
be transferred is a country where an adequacy decision has been made
and approved by NITDA.
It is also possible that the Federal Competition and Consumer
Protection Commission (FCCPC), during its review of a
merger/acquisition transaction bordering on the transfer of
personal data, may request parties to produce a letter of no
objection from NITDA or conduct a data protection impact assessment
on the proposed transaction.
However, in practice, NITDA is not widely referenced when
considerations are made for mergers or acquisitions in Nigeria,
and it is yet to be seen if the creation of the Data Protection
Commission under the proposed Data Protection Bill 2020 will change
this narrative. Notwithstanding, NITDA as presently constituted may
play a secondary role in a proposed transaction, especially where
there are issues about compliance with obligations under the NDPR
or where personal data is the main subject of acquisition.
Contractual Considerations
It is important that parties to a merger/acquisition transaction
during their negotiation of terms for the transaction give due
consideration to terms that may limit their exposure to liabilities
for data privacy breaches committed by the other parties. Some of
these terms are examined below:
Confidentiality Agreement: It is a standard practice for parties
who desire to transact to enter into
a confidentiality agreement or non-disclosure agreement before
proceeding to enter into binding commercial contracts. This is
usually to protect the integrity of information divulged in the
negotiation process leading to the consummation of the transaction.
In merger and acquisition transactions, it is typical for parties to
share sensitive personal data and records with each other, such as
the data of employees and customers. Hence, it is of utmost
importance that parties enter into a confidentiality agreement
prior to the disclosure of such data. In this vein, and to
further buttress the saliency of this requirement, the
Implementation Guidelines of the NDPR obligate data controllers to
enter into confidentiality agreements with data administrators
engaged by them, including third parties.
Indemnity Clauses: Given that breach
of data privacy attracts strict liability as well as the fact that
the data controller is solely responsible to the data subject for
any such breach, it is crucial that parties to a merger/acquisition
transaction particularly the target entity, incorporate indemnity
clauses in their respective transaction agreements. The indemnity
clauses will serve to protect and indemnify a party for any loss
suffered due to a breach of data privacy occasioned by the other
party.
Auditing contracts: The NDPR provides,
as part of due diligence and prohibition of improper motives, that
a party to any contract that involves data processing, other
than a data subject, must take reasonable measures to ensure that
the other party does not have a record of violating data subject
rights[5] under the NDPR. Furthermore, acquirers or
investors who may be assuming the role of a Data Controller or
Joint Controller after a restructuring transaction should also
audit third-party processor contracts which require the transfer of
personal data to such third parties.
Review of third-party privacy rights under the
contract: Processing of personal data is often
governed by a contract or other legal act which is in writing,
including in electronic form, and is binding on the Data Subject,
Controller and Processors. Generally, the right to use or process
the personal data of subjects is not transferable except with the
consent of data subjects. Similarly, data subjects have the right to
object to an organisation processing (using) their personal data at
any time. To the extent that the target’s existing contracts have a
prohibition against transfer or assignment, a pre-closing consent
to transfer or process must be obtained. The acquirer must
particularly consider how it can use the target’s data after the
acquisition or merger transaction, especially where data is the
heartbeat of the transaction.
General considerations
Companies that fail to conduct appropriate due diligence into
privacy and data security issues during a transaction may face
difficulties such as restrictions (or even outright prohibitions)
on the use or disclosure of consumer personal information,
liabilities associated with data breach class action lawsuits, or
shareholder derivative actions.[6] In addition to the regulatory and
contractual considerations, an acquiring entity should understand
the nature and volume of personal data held by the target and the
safeguards or security measures in place to protect the security,
confidentiality, and integrity of the data. Essentially, it is
important to pay close attention to the privacy and cybersecurity
risks associated with the target.
Specifically, the acquirer should consider the following:
- Nature of data processing activities carried on by the target.
- Where and how the target stores the personal information it
obtains.
- The security safeguards used by the target to protect the
information.
- Incidence of cybersecurity or information security breaches in
which personal information or other business confidential
information has been compromised.
- Incidence of complaints, investigation, or audit, regarding
privacy or information security from or by relevant regulators,
courts, consumers, employees, or others against the target
company.
Conclusion
There is no controversy about the pertinence and topicality of
the discourse on data privacy at the global stage. Many countries
now appreciate the imperatives and implications for enforcing data
privacy including scrutinizing corporate transactions to ensure
compliance particularly because corporate entities have the
capacity to process large data. With the increasing focus on the
processing and use of data in Nigeria culminating in the
introduction of the NDPR, it is useful for companies to consider
potential concerns with respect to the use, processing and transfer
of personal data and the likely implications of these activities on
their future transactions including a merger or acquisition
transaction.
Footnotes
1. Article 2.1 (1) (a) of the NDPR
2. Anjali Athavaley & David Shepardson, Verizon,
Yahoo agree to lowered $4.48 billion deal following cyber attacks;
available at https://www.reuters.com/article/us-yahoo-m-a-verizon-idUSKBN1601EK.
Accessed on 18th November, 2021.
3. “Data Subject” means any person, who
can be identified, directly or indirectly, by reference to an
identification number or to one or more factors specific to his
physical, physiological, mental, economic, cultural or social
identity (Article 1.3(xiv) of the NDPR).
4. Art. 4.1 (5) and (6) NDPR 2019.
5. Part 3 of the NDPR
6. Lisa J. Sotto and Ryan P. Logan, Hunton Andrews
Kurth (Bloomberg Law) – Navigating Privacy and Data Security
Issues in M&A and Other Transactions; available at https://www.huntonak.com/images/content/5/8/v2/58107/Navigating-Privacy-and-Data-Security-Issues.pdf.
Accessed on 18th November, 2021.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.