Introduction

With the increase in the use of personal information by businesses in this digital age, compliance with data protection and privacy obligations is of increasing interest to many companies across jurisdictions. This is due to the heightened risks and incidence of hacking/compromise of the database of corporations and the enormous liabilities that arise from them. Furthermore, the widespread enactment of laws on data privacy in many countries has compelled companies to prioritise data privacy in their corporate policies and practices.

Expectedly, the emerging primacy of data privacy compliance by corporations has precipitated a reappraisal of key considerations in contemporary corporate transactions, including mergers and acquisitions. Traditionally, when companies contemplate buying or merging with other companies, the top-of-mind considerations are likely to centre on determining the value of the asset: What is the brand recognition of the asset worth in the marketplace? Is the vendor's selling price fair? Has due diligence been done? However, in recent times, compliance with applicable data protection laws has become increasingly critical to merger and acquisition transactions because an acquisition typically involves the assumption of responsibility for the use of such data. Moreover, where personal information is one of the main assets to be acquired in a merger transaction, the acquisition may be of little value if it cannot be used or leveraged by the acquiring entity due to breach of or non-compliance with privacy laws by the undertaking being acquired.

In Nigeria, the Nigerian Data Protection Regulation ("NDPR" or "Regulation") introduced by the National Information Technology Development Agency ("NITDA" or "Agency") is the primary legal instrument on data privacy and aims to safeguard, protect and regulate the collection, processing and use of personal data. Notably, the scope of the Regulation extends to a wide array of transactions between companies and natural persons that may involve data processing.[1]

This article will examine some data protection considerations in a merger or acquisition in Nigeria.

Legal Considerations

Multiple laws regulate the use and disclosure of personal information during and after an acquisition. Hence, it is crucial for parties to the transaction to identify, at the outset of a transaction, the relevant statutory and regulatory requirements related to personal information. Legislation such as the Federal Competition and Consumer Protection Commission Act, the National Information Technology Development Act and the NDPR, among others, contains provisions that are relevant to data privacy in merger and acquisition transactions.

In the same vein, when negotiating a deal, it is important to recognize and address material issues such as transferability of liability. Unless parties express a contrary intention in contract, the consummation of an acquisition effects a transfer of the target's liabilities to the acquirer by operation of law. Similarly, the surviving entity in a merger will, by operation of law, assume all liabilities of the other entity. Therefore, it becomes essential for an acquirer, buyer, or investor to consider the privacy policies, obligations, duties, and liabilities of the target company during the negotiation of a merger to avoid liabilities.

One way this can be done is to conduct a robust review of the target's privacy and data protection practices. The outcome of such privacy due diligence will usually assist the acquirer or investor in deciding whether to proceed with the transaction at a lesser stake or to withdraw entirely from the transaction. For example, in 2017, Verizon Communications Inc agreed to buy Yahoo Inc's core business for $4.48 billion, lowering its original offer by a whopping $350 million in the wake of two massive cyber-attacks on Yahoo Inc.[2]

For contracting parties, the NDPR imposes compliance obligations on companies including:

  1. Audit check - The NDPR mandates all organizations that process the personal data of more than 1000 data subjects[3] in a period of 6 months and 2000 data subjects in a period of 12 months to submit a Data Protection Audit report to NITDA within a period of the year.[4] Failure to file these returns to NITDA is deemed a breach of the NDPR.

  2. Data Protection Officers (DPOs) - The regulation also mandates every data controller to employ a Data Protection Officer within its organization or outsource this role to a verifiably competent firm or person.

  3. Privacy Policies - The NDPR also imposes an obligation on every data controller or processor to ensure it has clear and unambiguous privacy policies that are accessible to and comprehensible by the data subject. These policies are to be meticulously drafted to meet the requirements in Art. 2.5 of the NDPR.

Accordingly, an acquiring party should confirm the target company's up-to-date compliance with the above legal prescriptions when conducting comprehensive due diligence on the affairs of the target company. It is also expedient that the acquiring company put in place security measures to protect data during and after the transaction. These measures include protecting systems from hackers, setting up firewalls, storing data securely with access limited to specific authorised individuals, employing data encryption technologies, developing an organisational policy for handling personal data, protecting emailing systems, and providing continuous capacity building for staff.

The regulatory agencies tasked with enforcing the provisions of data privacy laws are important in the consummation of mergers and acquisitions. To this end, it is prudent for parties to a merger or acquisition to identify and satisfy the requisite regulatory consents or notifications that may be required in the transaction process. For instance, in cross-border merger/acquisition transactions where personal data may be transferred, it may be imperative for parties (aside from securing the express consent of data subjects) to also ensure that the country where such data will be transferred is a country where an adequacy decision has been made and approved by NITDA.

It is also possible that the Federal Competition and Consumer Protection Commission (FCCPC), during its review of a merger/acquisition transaction bordering on the transfer of personal data, may request parties to produce a letter of no objection from NITDA or conduct a data protection impact assessment on the proposed transaction.

However, in practice, NITDA is not widely referenced when considerations are made for mergers or acquisitions in Nigeria, and it is yet to be seen if the creation of the Data Protection Commission under the proposed Data Protection Bill 2020 will change this narrative. Notwithstanding, NITDA as presently constituted may play a secondary role in a proposed transaction, especially where there are issues about compliance with obligations under the NDPR or where personal data is the main subject of acquisition.

Contractual Considerations

It is important that parties to a merger/acquisition transaction, during their negotiation of terms for the transaction, give due consideration to terms that may limit their exposure to liabilities for data privacy breaches committed by the other parties. Some of these terms are examined below:

Confidentiality Agreement: It is standard practice for parties who desire to transact to enter into a confidentiality agreement or non-disclosure agreement before proceeding to enter into binding commercial contracts. This is usually to protect the integrity of information divulged in the negotiation process leading to the consummation of the transaction. In merger and acquisition transactions, it is typical for parties to share sensitive personal data and records with each other, such as the data of employees and customers. Hence, it is of utmost importance that parties enter into a confidentiality agreement prior to the disclosure of such data. In this vein, and to further buttress the saliency of this requirement, the Implementation Guidelines of the NDPR obligate data controllers to enter into confidentiality agreements with data administrators engaged by them, including third parties.

Indemnity Clauses: Given that breach of data privacy attracts strict liability, and that the data controller is solely responsible to the data subject for any such breach, it is crucial that parties to a merger/acquisition transaction, particularly the target entity, incorporate indemnity clauses in their respective transaction agreements. The indemnity clauses will serve to protect and indemnify a party for any loss suffered due to a breach of data privacy occasioned by the other party.

Auditing contracts: The NDPR provides, as part of due diligence and prohibition of improper motives, that a party to any contract that involves the processing of personal data, other than a data subject, must take reasonable measures to ensure that the other party does not have a record of violating data subject rights[5] under the NDPR. Furthermore, acquirers or investors who may be assuming the role of a Data Controller or Joint Controller after a restructuring transaction should also audit third-party processor contracts which require the transfer of personal data to such third parties.

Review of third-party privacy rights under the contract: Processing of personal data is often governed by a contract or other legal act which is in writing, including in electronic form, and is binding on the Data Subject, Controller and Processors. Generally, the right to use or process the personal data of subjects is not transferable except with the consent of data subjects. Similarly, data subjects have the right to object to an organisation processing (using) their personal data at any time. To the extent that the target's existing contracts have a prohibition against transfer or assignment, a pre-closing consent to transfer or process must be obtained. The acquirer must particularly consider how it can use the target's data after the acquisition or merger transaction, especially where data is the heartbeat of the transaction.

General considerations

Companies that fail to conduct appropriate due diligence into privacy and data security issues during a transaction may face difficulties such as restrictions (or even outright prohibitions) on the use or disclosure of consumer personal information, liabilities associated with data breach class action lawsuits, or shareholder derivative actions.[6] In addition to the regulatory and contractual considerations, an acquiring entity should understand the nature and volume of personal data held by the target and the safeguards or security measures in place to protect the security, confidentiality, and integrity of the data. Essentially, it is important to pay close attention to the privacy and cybersecurity risks associated with the target.

Specifically, the acquirer should consider the following:

  1. The nature of the data processing activities carried on by the target.

  2. Where and how the target stores the personal information it obtains.

  3. The security safeguards used by the target to protect the information.

  4. Incidence of cybersecurity or information security breaches in which personal information or other business confidential information has been compromised.

  5. Incidence of complaints, investigation, or audit, regarding privacy or information security from or by relevant regulators, courts, consumers, employees, or others against the target company.

Conclusion

There is no controversy about the pertinence and topicality of the discourse on data privacy on the global stage. Many countries now appreciate the imperatives and implications of enforcing data privacy, including scrutinizing corporate transactions to ensure compliance, particularly because corporate entities have the capacity to process large volumes of data. With the increasing focus on the processing and use of data in Nigeria culminating in the introduction of the NDPR, it is useful for companies to consider potential concerns with respect to the use, processing and transfer of personal data and the likely implications of these activities on their future transactions, including a merger or acquisition transaction.

Footnotes

1. Article 2.1 (1) (a) of the NDPR

2. Anjali Athavaley & David Shepardson, Verizon, Yahoo agree to lowered $4.48 billion deal following cyber attacks; available at https://www.reuters.com/article/us-yahoo-m-a-verizon-idUSKBN1601EK. Accessed on 18th November, 2021.

3. "Data Subject" means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Article 1.3(xiv) of the NDPR).

4. Art. 4.1 (5) and (6) NDPR 2019.

5. Part 3 of the NDPR

6. Lisa J. Sotto and Ryan P. Logan, Hunton Andrews Kurth (Bloomberg Law) - Navigating Privacy and Data Security Issues in M&A and Other Transactions; available at https://www.huntonak.com/images/content/5/8/v2/58107/Navigating-Privacy-and-Data-Security-Issues.pdf. Accessed on 18th November, 2021.
