New Data Privacy Compliance Considerations in Cross Border M and A Transactions Facing Africa


Thursday, October 31, 2019  /  04:39PM  /  By Olubunmi Abayomi-Olukunle


Some Data Privacy Compliance Considerations in Cross Border M&A Transactions Facing Africa


Perhaps one of the most defining developments in global data privacy enforcement, and one that speaks to how increasingly important data privacy compliance issues will be for private equity investors, is the recent announcement by the ICO (the UK's data privacy regulator) of its intention to impose a fine of up to Euro 99 million under the European Union's General Data Protection Regulation (GDPR) on strategic investor Marriott International Inc. in respect of a data breach that previously occurred at the recently acquired Starwood Hotels. Starwood Hotels was acquired by Marriott in 2016 for circa USD 13 billion. It did not matter that the said data breach occurred in 2014, two years before Marriott consummated the acquisition of Starwood Hotels.


It was reported that personal information (including credit card details, passport numbers and dates of birth) contained in approximately 339 million guest records globally were exposed by a cyber security incident in 2014, of which around 30 million related to residents of 31 countries in the European Economic Area.


Amongst other things, the ICO reached a decision that:

  1. Marriott failed to undertake sufficient due diligence when it bought Starwood; and
  2. Marriott should also have done more to secure its systems after the acquisition.


The statement credited to Information Commissioner Elizabeth Denham is instructive:

"The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected"


Some of the highest regulatory fines globally, if not the highest, have been imposed by data privacy regulators. For instance, Equifax will pay up to $700 million in fines and monetary relief to consumers over a 2017 data breach.


We sense that regulators across the board will follow this regulatory trend in view of its potential for revenue. This is not to say that data privacy regulators impose fines in order to drive internal revenue, but that data privacy breaches and non-compliance are increasingly a compliance flashpoint and one of the easiest ways for a business to take a huge dent to its balance sheet.


With the new Data Privacy Regulations 2019 issued by Nigeria's data privacy regulator (NITDA), private equity fund managers and investors doing deals in Nigeria will need to give greater consideration[i] to data privacy issues, both at the fund level and at the portfolio company level.


Based on our reflections on a recent engagement, here are some key compliance and risk considerations to put in focus:


  1. Based on a review of the NDPR and its Implementation Guidelines, our view is that NITDA's approach to driving data privacy compliance is relatively friendly. However, we cannot yet tell which trajectory regulatory enforcement of data breaches in Nigeria will take from a penalty imposition standpoint. The closest reference point here is the global trend towards the imposition of significant fines on data controllers and data processors who are found to be in breach of data privacy regulations. Without a doubt, it would be prudent for private equity investors to design, investigate and implement, as the case may be, a data privacy compliance strategy in advance;

  2. Portfolio companies and fund manager entities who are found to be in breach of Nigeria's Data Privacy Regulations (NDPR) are liable to pay up to 2% of annual gross revenue. However, the financial exposure for data privacy breaches may be more than 2% because the NDPR does not prohibit data subjects from seeking additional monetary damages in Nigerian courts, as a constitutional matter, from data controllers that are portfolio companies or fund managers;

  3. Before the announcement of the NDPR in January 2019, data privacy due diligence, understandably, did not form part of the traditional legal due diligence approach of transaction counsel in Nigeria. With regulatory developments in this area, it is now more important to conduct data privacy due diligence as part of legal due diligence. Although a type of legal due diligence, data privacy diligence should ideally be carried out separately from the legal due diligence, preferably by co-counsel;

  4. Private equity fund investors doing deals in Nigeria will need to diligence their existing portfolio companies and drive management decisions towards investing in data protection systems and relevant technology. Weighed against the potential risks, it is not going to be too late to conduct a data privacy due diligence. Accordingly, it would not be unreasonable for private equity investors who may have closed a deal after the announcement of the NDPR, but omitted to conduct a data privacy diligence, to still conduct a data privacy diligence post-closing;

  5. Private equity investors (and strategic investors) will need to review the contractual protections in investment agreements to determine the extent to which the existing representations and warranty framework protects their investments from the regulatory risk that may occur from a breach of data privacy regulations. It may be strategic for private equity investors to be more specific in their strategy here. For instance, the onset of a fine may be structured to trigger a revaluation or a pricing adjustment, which may also trigger other protective/restorative shareholder rights or share issuances;

  6. Private equity investors who carry out data privacy diligence at entry may be able to leverage the results of such diligence to gain some pricing/valuation advantages;

  7. As with legal due diligence, the target should ideally pay for or bear some of the costs of conducting a data privacy due diligence;

  8. Private equity investors who conduct data privacy due diligence will be better able to structure and hedge related data privacy compliance risk at the portfolio company level;

  9. At the fund manager level, like any business that handles customer and market sensitive data, private equity funds are susceptible to data breaches that can cause exposure of customer information and valuable know-how or even trade secrets. In addition to ensuring full data privacy compliance for fund manager entities or corporate investment advisers incorporated locally, fund managers should consider communicating the legal requirements of data privacy compliance to their employees in a clear and consistent manner, during on-boarding and from time to time, through internal data privacy control and policy documentation. Data privacy compliance should be a key function of portfolio management and should be sustained through the holding period until exit; and

  10. Nigerian venture capital investors with direct investments in US domiciled operating HoldCos which also have Nigerian operations will need to ensure compliance with US data privacy laws. Similarly, private equity investors with a pan-African investment thesis/portfolio would need to put in place a more holistic data compliance strategy that addresses data privacy compliance risk on a jurisdictional basis. As of the date of this update, up to 40% of African countries now have data privacy regulations.


[i] Limited Partners or Non-Managing Shareholders typically reserve the rights to generally remove a General Partner for Cause in definitive agreements like the Limited Partnership Agreement or Shareholder Agreement.


"Cause" is usually defined by reference to the actions or inactions of a General Partner that constitute bad faith, fraud, gross negligence, wilful misconduct, a violation of securities laws, breach of fiduciary duty, or a material breach that has a material adverse effect on the business of the investment activities of the GP/Managing Shareholder.


On this basis, GPs & fund manager entities alike have a general duty to investigate and understand every risk scenario and put in place structures to avert or mitigate such risks.



Proshare Nigeria Pvt. Ltd.



About Author

Olubunmi Abayomi-Olukunle is a partner and Lead Counsel at Balogun Harold, a specialist investment and finance law firm focused on the Private Equity, Venture Capital & Emerging Companies sector.


