Data Protection in M&A What You Need to Know
Any context requiring or necessitating the use of personal data requires taking steps to comply with the Data Protection Act, 2019 (the Act), including where personal data is to be shared or processed within a transactional context. This is ever more likely for data protection issues to materialise, particularly where a target to the transaction is a data-heavy business. This means that transacting parties need to be aware of such potential stumbling blocks, especially in relation to individual rights of data subjects. An example of this could be seen through the issues that arose in the acquisition of WhatsApp by Facebook in October 2014.
Specifically, transacting parties giving or receiving information about a target business must be alive to individuals’ personal data being exchanged, stored, or otherwise processed throughout the course of the transaction, including from the point of entering into and negotiating the initial agreements, to the signing and finally completion, as well as during post-completion integration.
Where Does Data Protection Come In?
Data protection compliance (including compliance with the Act as well as the GDPR if necessary) often comes in at different points during an M&A transaction, for instance:
a). when entering into a non-disclosure agreement (NDA) or term sheet;
b). during initial negotiations and engagement between a buyer and a seller;
c). in the course of the due diligence and disclosure phases, when parties and their respective advisers will inevitably be exchanging a large amount of information on the target, on a confidential basis and subject to confidentiality agreements. Such information will almost certainly include some personal data and the parties will therefore be “processing” that data in the context of assessing the transaction;
d). between signing the transaction documents and completion;
e). in the context of an asset sale, where assets containing personal data such as customer details for instance, are to be transferred and continue to be processed in the normal course of business by the receiving party, including as part of any business integration; or
f). after completion when facilitating integration for instance through the use of transitional services agreements, amongst other things.
This is merely a depiction of how the coming into force of the Act in Kenya has affected how we do business. Data protection principles will practically apply to the entire timeline of a deal. More so, the transacting parties should pay particular attention to ensure continual compliance with those principles throughout the transaction.
The transacting parties should also be aware to the information they hold so as to ensure that only personal data that may be necessary for the specific transaction is shared. This means that there should be solutions in place to separate transferring and non-transferring personal data to as to ensure the respective party is not in breach of any of its obligations as a data controller or processor. Likewise, principles such as the obligation to process personal data in a lawful, fair and transparent manner, and the overarching accountability principle also place a burden on the giving party to ensure that the required information is shared, with the subjects’ consent, withholding no information that may be material to the transaction under the guise of privacy.
In addition, it is inevitable that every target will process some form of personal data, and in any corporate transaction, the buyer almost always inherits any unlawful data processing activities the target has been carrying out. A buyer will need to identify where any unlawful data processing has been carried out in the due diligence process to ensure that it is rectified (ideally pre-completion or if not possible then after completion has taken place).
We shall look further into ensuring compliance with data protection and privacy principles in corporate transactions in the coming weeks. For more information, please contact our corporate team by emailing email@example.com.