Subscribe to our Newsletter to receive the latest updates on our content. By tapping the “Subscribe” button you will be redirected to subscription page. Subscription is free.
Kenya passed the Data Protection Act, of 2019 (the Act) in November 2019. The Act is the primary legislation that regulates the processing of personal data in Kenya.
It applies to the processing of personal data by a data controller or a data processor who is either: established or ordinarily resident in Kenya and processes personal data whilst in Kenya; or not established or ordinarily resident in Kenya but processes personal data of data subjects located in Kenya. The Act attempts to align itself with the General Data Protection Regulation (Regulation (EU) 2016/679). Sonal Sejpal and Jade Makory, from ALN Kenya, provide an overview as to why data protection considerations are important in merger and acquisition (‘M&A’) deals.
Kenya appointed its first Data Commissioner in October 2020, almost a year after the Act came into force. The appointment of the Data Commissioner is an important milestone on the path to fully implementing the provisions of the Act.
The Relevance of the Act to M&A deals
Most businesses, large or small, are likely to be collecting, storing, and/or processing personal data for themselves or on behalf of another entity. Doing any or all of these things would make the acquiring entity or the target a data controller and/or a data processor. Under the Act, no person (natural or legal) may act as a data controller or processor without registering with the Data Commissioner.
Presently, the rules relating to the registration of data controllers and data processors have not been prescribed but with the recent appointment of the first Data Commissioner, it is anticipated that the registration of data controllers and data processors will begin within the first half of 2021.
An acquirer should be concerned to see that the systems and processes of the target company comply with the data protection principles set out in the Act. These principles include the lawfulness, fairness, and transparency principle; the purpose limitation principle; the data minimisation principle; the data accuracy principle; the storage limitation principle; the data security principle; the adherence to the right to privacy principle; and the valid explanation principle. The Act captures most of the principles laid down in the GDPR but also contains additional principles which are not provided for in the GDPR.
For example, the principles of adherence to the right to privacy principle and the valid explanation principle are captured in the Act but not provided as principles in the GDPR. The inclusion of these two principles reflects Kenya’s commitment to the right to privacy as laid down in the Kenyan Constitution and emphasises that personal data should not be processed unless a valid explanation is given to justify the same.
Conversely, the principle of accountability which is an overarching principle in the GDPR is not expressly captured in the Act, but it is implied for both data controllers and data processors throughout the Act. An acquiring company or a target company ought to have adhered to the principles of data protection as failure to do so could potentially result in data protection non-compliance which could have consequences if not properly considered during the negotiations in respect of the transaction.
Data Breaches in the Context of M&A Deals
Before concluding an M&A transaction, it is important to carry out data protection due diligence. This is particularly important for the acquiring entity as it will absorb the data protection shortcomings of the target company after the deal has closed. Although we have not seen this extensively deliberated upon in the Kenyan transactional scene as yet, the importance of data protection due diligence is considered a vital step in an M&A transaction in jurisdictions such as the UK and Europe that have had data protection legislation for a few years longer than Kenya. This kind of due diligence could spare the acquirer angst as well as significant costs and reputational damage that could accompany non-compliance by the target.
There are numerous ways in which personal data risks can arise in an M&A transaction. Therefore, before closing an M&A deal, it would be prudent for the acquirer to gather information through a data protection information request list from the target company. If the target has experienced a breach in the past, this should be disclosed to the acquirer. Additionally, the target should be required to submit IT system reports if these systems access personal data. To protect the acquirer further, an indemnity agreement for the period prior to the completion of the deal can be concluded so that any costs in the form of fines and payment of damages are absorbed by the seller/target or reflected in the acquisition price. It may not be possible to do this after the conclusion of the deal if sufficient representations and warranties have not been procured in the transaction documents. Additionally, for personal data held by the target, there is the need to establish if consent was obtained to hold the personal data or any other legal basis for doing so.
If there is a need to obtain fresh consent, the transaction may be an opportune time for the acquirer to get this done.
Data protection considerations in M&A deals in Kenya are critical. This is particularly important for the acquirer, which should be encouraged to carry out data protection due diligence that will factor in the period before, during, and post the transaction. With the appointment of the Data Commissioner, the need to comply with the Act is more important than ever. Those who fail to comply with the Act stand to attract fines of up to KES 3 million (approximately EUR 22,300) or imprisonment of up to 10 years, or both.
Should you have any questions regarding the information in this article, please do not hesitate to contact the Data Protection Team at [email protected]
Partner Sonal Tejpar,
Trainee Lawyer, Jade Makory
This article was written and first published by Data Guidance.