Perhaps, one of the most defining developments in global data privacy enforcement which also speaks to how increasingly important, data privacy compliance issues, will be for private equity investors, is the recent announcement by the ICO, (UK’s data privacy regulator), of its intention impose a fine of up £99 million under the European Union’s General Data Protection Regulation (GDPR) on strategic investor, Marriott International Inc; in respect of a data breach that previously occurred in recently acquired Starwood Hotels. StarWood Hotels was acquired by Marriott in 2016 for circa USD 13billion. It did not matter that the said data breach occurred in 2014, two years before the acquisition of StarWood Hotels was consummated by Marriot. It was reported that personal information (including credit card details, passport numbers and dates of birth) contained in approximately 339 million guest records globally were exposed by a cyber security incident in 2014, of which around 30 million related to residents of 31 countries in the European Economic Area.
Amongst others, the ICO reached a decision that:
(a) Marriott failed to undertake sufficient due diligence when it bought Starwood; and
(b) Marriot should also have done more to secure its systems after the acquisition.
The statement credited to Information Commissioner Elizabeth Denham is instructive:
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”
Some, if not the highest regulatory fines globally, have been imposed by data privacy regulators. For instance, Equifax will pay up to $700 million in fines and monetary relief to consumers over a 2017 data breach.
We sense that regulators across board will follow this regulatory trend in view of its potential for revenue. This is not to say that the reason data privacy regulators impose fines is to drive internal revenue but that data privacy breaches & non-compliance is increasingly a compliance flashpoint and one of the the easiest ways for a business to get a huge dent to its balance sheet. With the new Data Privacy Regulations 2019 issued by Nigeria’s data privacy regulator, the (NITDA), private equity fund managers and investors doing deals in Nigeria will need to give greater consideration[i] to data privacy issues, both at the fund level and portfolio company level.
Based on our reflections on a recent engagement, here are some key compliance and risk considerations to put in focus:
- Based on a review of the NDPR and its Implementation Guidelines, our view is that NITDA’s approach to driving data privacy compliance is relatively friendly. However, we cannot yet tell which trajectory, regulatory enforcement of data breaches in Nigeria, will take, from a penalty imposition standpoint. The closest reference point here really, is the global trend towards the imposition of significant fines on data controllers and data processors who are found to be in breach of data privacy regulations. Without a doubt, it would be prudent for private equity investors to design, investigate and implement, as the case may be, a data privacy compliance strategy in advance;
- Portfolio companies and fund manager entities who are found to be in breach of Nigeria’s Data Privacy Regulations (NDPR) are liable to pay up to 2% of annual gross revenue. However, the financial exposure for data privacy breaches may be more than 2% because, the NDPR does not prohibit data subjects from seeking additional monetary damages in Nigerian courts, as a constitutional matter, from data controllers, that are portfolio companies or fund managers;
- Before the announcement of the NDPR in January 2019, data privacy due diligence, understandably, did not form part of the traditional legal due diligence approach of transaction counsel in Nigeria. With regulatory developments in this area, it’s now more important to conduct data privacy due diligence as part of legal due diligence. Although a type of legal due diligence, data privacy diligence should ideally be carried out separate to the legal due diligence, preferably by co-counsel;
- Private equity fund investors doing deals in Nigeria will need to diligence their existing portfolio companies and drive management decisions towards investing in data protection systems and relevant technology. Weighed against the potential risks, it’s not going to be too late, to conduct a data privacy due diligence. Accordingly, it would not be unreasonable for private equity investors, who may have closed a deal after the announcement of the NDPR, but omitted to conduct a data privacy diligence, to still conduct a data privacy diligence post-closing;
- Private equity investors ( and strategic investors) will need to review the contractual protections in investment agreements, to determine the extent to which the existing representations and warranty framework, protects their investments from the regulatory risk that may occur from a breach of data privacy regulations. It may be strategic for private equity investors to be more specific in their strategy here – for instance, the onset of a fine may be structured to trigger a revaluation or a pricing adjustment, which may also trigger other protective/restorative shareholder rights or share issuances;
- Privacy equity investors who carry out data privacy diligence, at entry, may be able to leverage the results of such diligence to gain some pricing/valuation advantages;
- Similar with legal due diligence, the target should ideally pay for or bear some of the costs for conducting a data privacy due diligence;
- Private equity investors who conduct data privacy due diligence will be better able to structure and hedge related data privacy compliance risk at the portfolio company level;
- At the fund manager level, like any business that handles customer and market sensitive data, private equity funds are susceptible to data breaches that can cause exposure of customer information and valuable know how or even trade secrets. In addition to ensuring full data privacy compliance for fund manager entities or corporate investment advisers incorporated locally, fund managers should consider communicating the legal requirements of data privacy compliance to its employees in a clear and consistent manner, during on-boarding and from time to time, through internal data privacy control and policy documentation. Data privacy compliance should be a key function of portfolio management and should be sustained till exit through holding period; and
- Nigerian venture capital investors with direct investments in US domiciled operating HoldCos which also have Nigerian operations, will need to ensure compliance with US data privacy laws. Similarly, private equity investors with a pan-African investment thesis/portfolio, would need to put in place a more holistic data compliance strategy that addresses data privacy compliance risk on a jurisdictional basis. As of the date of this update, up to 40% of African countries now have data privacy regulations
[i] Limited Partners or Non-Managing Shareholders typically reserve the rights to generally remove a General Partner for Cause in definitive agreements like the Limited Partnership Agreement or Shareholder Agreement. “Cause” is usually defined in reference the actions or inactions of a General Partner that constitutes bad faith, fraud, gross negligence, wilful misconduct, a violation of securities laws, breach of fiduciary duty, or a material breach that has a material adverse effect on the business of the investment activities of the GP/Managing Shareholder. On this basis, GPs & fund manager entities alike have a general duty to investigate and understand every risk scenario and put in place structures to avert or mitigate such risks.