Key trends of 2018: EU doubles down on data protection

GDPR was the most notable EU regulatory initiative in 2018, but attention soon switched back to Brexit.

May saw the coming into force within the EU of the General Data Protection Regulation, with tough penalties for non-compliance, including the threat of fines of up to 4 percent of total global annual turnover or €20 million.

Private equity firms have been warned by lawyers that they cannot simply outsource all responsibilities for this from the funds themselves, since they will be held accountable for breaches, even if these breaches occur under the watch of third-party providers. Fund managers have also taken an interest in the data policies of their portfolio companies.

Writing in pfm a few weeks before the GDPR came into force, Eduardo Usturan, partner and co-director of global privacy and cybersecurity at law firm Hogan Lovells, said the immediate things to look at were revisions to privacy notices and data-processing agreements.

Jane Shvets, partner in cybersecurity and data privacy at fellow law firm Debevoise & Plimpton, told pfm that “more work certainly needs to be done” on breach notifications. GDPR requires companies to notify relevant authorities of data breaches that impact the privacy of EU individuals within 72 hours of discovery.

Lawyers pointed out that if they want to be sure of meeting this deadline, funds need policies and procedures for detecting breaches and intrusions, forwarding that information to relevant individuals and then taking decisions on the need to report.

Fretting over Brexit

But by the time the GDPR came in, many CFOs were already worrying more about Brexit. They were fretting specifically about the possibility of a no-deal Brexit in March 2019 – a failure to reach a negotiated settlement between the UK and EU, which would make it much harder for the UK and EU to access each other’s markets.

These fears triggered a good deal of legal advice over the year. A September note by Proskauer Rose, the law firm, called on fund managers currently using the cross-border “passport,” which allows them to market their funds in the EU, to put contingency plans in place now in case there is no deal.

It noted that without a passport, managers could still seek approval state-by-state to market their funds under national private placement regimes. However, this would exclude them from some countries, such as Italy, where there is no such regime.

Proskauer Rose noted that alternatively, a manager could use another company as an Alternative Investment Fund Manager in an EU member state, and delegate portfolio management back to the UK. The authorization process for this takes approximately six to nine months, the firm said. A UK manager could also establish a fund in a member state and provide investment advice to this EU manager. The EU fund manager would maintain responsibility for both risk and portfolio management.

In the US, private equity fund managers have their own issue to anticipate: the possibility that they may face competition from the banks once more. In August 2018, the Securities and Exchange Commission called for comment on proposals to ease restrictions that prohibit banks from investing in private equity funds. This is part of a general rollback by the Trump administration of the Volcker Rule imposed by legislators after the 2008 financial crisis, which restricts the ability of banks to engage in risky activities.

The previous month, the SEC settled with Oaktree Capital Management, EnCap Investments and Sofinnova Ventures over violations relating to state campaign contributions. The three firms advised public pension funds within two years of making contributions to officials running for state office posts where they would have influence over picking investment advisors to public pension funds, in violation of the Investment Advisers Act of 1940, the SEC said in statements on each firm.

ILPA criticism

Two months earlier the Institutional Limited Partners Association maintained its high profile of recent years by criticizing proposals from US lawmakers to allow private fund advisors to keep more information private when investing in growth companies. A draft bill called for the Securities and Exchange Commission to change the status of a “qualifying portfolio company” to an “emerging growth company.” That would allow private fund advisors to invest up to 100 percent of their portfolio into EGCs without being registered. An EGC is defined as having less than $1 billion in annual gross revenue, though the bill did not mention a threshold.

The proposal runs counter to ILPA’s ongoing push for greater transparency on behalf of its members. In April, it called for the SEC to get GPs to disclose their fees and expenses to LPs.