Private equity firms have been caught in the crossfire of yet another regulatory clash.
Securities and Exchange Commission registration applications from EU-based advisors have been piling up since last summer; a process that should take 45 days has dragged on for months, with dozens of firms affected.
The stalemate has been brought about by conflicting US and EU privacy rules. When a private equity firm or fund advisor registers with the SEC, it promises to share documents requested by the regulator’s examiners. GDPR does not permit this.
“The reporting you have to do towards the SEC is quite extensive,” said Brussels-based lawyer Ruben Roex. Roex works for Timelex, a firm specializing in privacy and data protection and in the legal aspects of IT and tech. “You need to provide qualitative information, and all of that information will also be personal data. The problem is that, under GDPR, you can only process personal data when you have one of six legal grounds, which you can invoke to legitimize your processing activity – the most popular being consent.”
The issue with consent is that under GDPR, an individual can withdraw their consent, which contradicts how the SEC operates. Another legitimate reason for processing data is legal obligation – the regulator demands it – but this only applies to EU legal authorities.
The most applicable legal grounds for sharing data with the SEC would be “legitimate interests,” whereby the business needs of the manager outweigh the interests or concerns of the data owner. The subjective nature of this test means it is worth seeking an opinion letter from a law firm on the matter. This is an uncertain path to go down, though, and the only long-term solution would be co-operation between the EU and SEC. “Unless the SEC moves off its position today, I don’t see any resolution,” said Alex Scheinman, a director at ACA Compliance.
For more comments, see our sister publication Regulatory Compliance Watch discussing the conflict.
Today’s email was prepared by Brian Bonilla.