DATA PRIVACY IN MERGER & ACQUISITION: KENYA

In the modern corporate landscape, data has become the new oil, driving the value of multi-million-dollar deals. However, this shift has turned data protection into a high-stakes legal minefield for Mergers and Acquisitions (M&A). In Kenya and globally, a failure to account for data privacy can lead to liabilities, massive regulatory fines, and irreparable reputational damage.

The Evolution of Due Diligence

Traditionally, Merger & Acquisition due diligence focused on financial audits and physical assets. Today, the most significant “hidden” liabilities often reside in the target company’s data practices. Paragraph 5 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) acknowledges that the expansion of the internal market has intensified the cross-border exchange of personal data among public and private entities, necessitating closer cooperation between Member State authorities to fulfil their legal duties.

If a target company has been collecting data without proper consent or failing to secure its systems, the acquirer may inherit these legal breaches upon closing. High-profile cases, such as the Marriott International breach following its acquisition of Starwood, serve as a cautionary tale. Marriott was fined millions because the target’s data systems had been compromised years before the merger. In Kenya, the Office of the Data Protection Commissioner (ODPC) has become increasingly vigilant.

The legal framework for data protection in Merger & Acquisition is anchored in specific statutory requirements that parties must satisfy at every stage. During the due diligence phase, the seller must have a lawful basis to share employee or customer data with the buyer. Section 30(vii) of the Data Protection Act, 2019 (DPA) allows for lawful data processing based on “legitimate interests,” provided those interests are not overridden by the data subject’s rights.

Parties must adhere to the principle of data minimization (Section 25(d) DPA; Article 5(1)(c) GDPR). Only the data strictly necessary for the transaction should be shared. Sellers should redact or anonymize sensitive personal information such as health records or precise financial details unless its disclosure is vital to the deal’s valuation. If the transaction involves “Sensitive Personal Data” (defined under Section 2 of the DPA and Article 9 of the GDPR), such as ethnic origin, biometric data, or health status, the standards for processing are significantly higher, often requiring explicit consent or specific legal exemptions.

If the buyer is a multinational entity, any transfer of Kenyan data outside the country must comply with Section 48 of the DPA, which requires proof of “appropriate safeguards” or an adequacy decision by the Data Commissioner.

What Parties Must Do

To ensure a smooth transition and mitigate risks, both buyers and sellers should adopt proactive legal strategies. Go beyond general IT reviews: assess the target’s data protection compliance, its record of processing activities, and its history of data breaches. Parties should also use secure Virtual Data Rooms (VDRs). All disclosures should occur within an encrypted VDR with strict access controls. Access should be granted on a “need-to-know” basis and revoked immediately if the deal falls through. Transaction documents should contain robust indemnity clauses, including specific representations and warranties regarding data compliance. Acquirers should seek indemnities that cover any pre-acquisition data breaches discovered post-closing.

Common Pitfalls

Common pitfalls in Merger & Acquisitions include the misconception that asset sales bypass consent requirements, whereas the transfer of customer lists remains a regulated form of processing that necessitates a valid legal basis. Neglecting post-merger integration also creates significant risk, as the failure to harmonize privacy policies and to secure the merging IT systems often leads to structural non-compliance and heightened security vulnerabilities. Moreover, ignoring the “Right to be Forgotten” under Section 39(2) of the DPA and Article 17 of the GDPR can result in the buyer inheriting a data cemetery of unnecessary legacy data, which is a liability both for regulatory fines and as a target for potential cyberattack.

In conclusion, in this digital age, a successful merger is defined by how well you protect the privacy of the individuals behind the data. At A.O. WANGA ADVOCATES, we specialize in bridging the gap between complex data regulations and seamless corporate transactions. Whether you are a startup being acquired or a multinational seeking expansion in East Africa, our team ensures your deal is built on a foundation of legal integrity.

Feel free to contact us on info@aowangaadvocates.com or +254794600191 for assistance with data protection compliance or Merger & Acquisition matters.

All rights reserved for A.O. WANGA ADVOCATES

www.aowangaadvocates.com