€56 million: that’s how much European authorities had imposed in fines on companies that breached the EU General Data Protection Regulation by February this year, nine months after the law’s introduction. Admittedly, that amount has been spread across more than 200,000 cases – equating to an average penalty of €280 – but experts predict regulators are just getting started.
Alex Scheinman, a director at ACA Compliance, warns that since GDPR has been around for a year, regulators will be handing out more fines.
“The supervisory authorities in the EU are indicating that we should see a significant increase of firms that are subject to monetary penalties,” he tells Private Funds CFO.
“We should expect to see more and more of these fines beginning sometime later this summer and this should serve as a wake-up call for many private equity firms that have not been paying attention or have taken a wait-and-see approach with respect to GDPR enforcement.”
If you are having doubts over whether your firm is compliant – or even needs to be – you are not alone.
“I don’t think anybody is compliant,” says one Europe-based chief compliance officer of a US private equity firm, who asked not to be named. “I regularly meet with other compliance officers and have observed a wide range of GDPR implementations. It’s difficult to know how to comply without unnecessarily going too far.”
Even after putting in place what they consider to be a best practice program, it’s still difficult to know if they are fully compliant, the CCO says, stating that GDPR as a whole is “overly complicated” and based on an “ambiguous set of rules.”
Complying in the US
Chances are that you have already considered the implications of GDPR and either enacted a compliance program or decided it does not apply. It is a European law but applies to those outside of the EU, Dan Silver, a partner at law firm Clifford Chance tells Private Funds CFO.
A US-based fund manager must comply with GDPR if it has a physical establishment or operations in the EU and processes data in connection with that physical location or if it offers goods or services into the EU.
“It’s not crystal clear what the latter means in the fund context, but we usually interpret that as actively marketing a fund to EU investors and, in particular, to individual investors,” says Silver.
If you are in the decided-it-did-not-apply camp, it may be time to think again.
The California Consumer Privacy Act comes into force on January 1, 2020 with a one-year lookback provision, so it is essential private fund managers understand how it affects their data operations now.
The law requires companies to inform California residents: which of their personal data the company collects or holds; the purpose for which it was collected; where the company got that information; how the information is being used; whether the information is being disclosed or sold; and to whom the information is being disclosed or sold.
Under the law consumers have the right to request to opt out of a business selling their information, to access any personal information the business has stored and to the deletion of any personal information the business has stored.
Businesses will also be obligated to provide an opt-out page or link on their websites’ homepage that notifies consumers of their right to not have their personal data sold.
The CCPA was inspired by the GDPR, but while they share some similarities there are key differences to keep in mind with geographic scope being the most obvious. That said, for the CCPA, it is less than clear what “doing business in California” means, says Silver.
“It will likely apply if you have a physical presence in California or have California-domiciled investors.”
Those businesses complying with that hazy definition are required to comply with CCPA if they have revenues over $25 million or data on 50,000 or more residents, households or devices, or if 50 percent of the business’s revenues are coming from selling personal information.
The two regimes are also subtly different in how they define personal data. In broad terms, both include any information that could identify a person, including name, email address, date of birth and phone number. The CCPA goes a little further in terms of including data that identifies either person or household, says Silver.
Penalties for transgressions differ. A breach of GDPR could be as much as 4 percent of global revenues or €20 million, whichever is greater. For the CCPA it’s $7,500 per violation, and the violating company will be subject to an injunction. The CCPA also allows fines for statutory damages of between $100 and $750 per person.
“If you have a database with covered personal data – for example the bank account numbers of a million Californians – and a hacker got in and stole that database, there would be potentially a class action filed against you for $750 million, even if the hackers didn’t do anything with that database,” says Ed McNicholas, a partner at law firm Ropes & Gray.
Both data privacy laws allow individuals or customers to request access to any personal information that a business may have collected about them. GDPR requests must be complied within 30 days (with a possible 60-day extension), while CCPA requests must be dealt with in 45 days.
Battle of the Atlantic
The nature of a struggle between Californian and federal law is as yet unclear, but another regulatory clash is already in effect. And private equity firms have been caught in the crossfire.
Securities and Exchange Commission registration applications from EU-based advisors have been piling up since last summer; a process that should take 45 days has dragged on for months with dozens of firms affected.
The stalemate has been brought about by conflicting US and EU privacy rules. When a private equity firm or fund advisor registers with the SEC it promises to share documents requested by the regulator’s examiners. GDPR does not permit this.
“The reporting you have to do towards the SEC is quite extensive,” says Brussels-based lawyer Ruben Roex. Roex works for Timelex, a firm specializing in privacy and data protection, legal aspects of IT and tech. “You need to provide qualitative information, and a lot of that information will also be personal data. The problem is that, under GDPR, you can only process personal data when you have one of six legal grounds, which you can invoke to legitimize your processing activity. The best known being consent.”
The issue with consent is that under GDPR an individual can withdraw their consent, which contradicts how the SEC operates. Another legitimate reason for processing data is legal obligation – the regulator demands it – but this only applies to EU legal authorities.
The most applicable legal grounds for sharing data with the SEC would be “legitimate interests,” whereby the business needs of the manager outweigh the interests or concerns of the data owner. The subjective nature of this test means it is worth seeking an opinion letter from a law firm on the matter. This is an uncertain path to go down though and the only long-term solution would be co-operation between the EU and SEC. “Unless the SEC moves off its position today, it’s hard to see how this will get resolved,” Alex Scheinman, a director at ACA Compliance, says.
Personal data: what counts
Private equity firms are not – for the most part – in the business of vacuuming up oceans of personal data and monetizing it. For some, particularly those with only institutional investors, this is enough to feel compliant with either GDPR or CCPA. “In my view, the only way a private equity firm would be directly responsible for that data is if you have multiple portfolio companies that are consumer facing,”says Sanjay Sanghoee, CFO and COO of Delos Capital, a lower mid-market private equity firm based in New York.
For Sanghoee, the robustness of the firm’s cybersecurity is the most relevant part of data governance. Delos has a compliance consultant that comes in quarterly to review the results from its IT consultants and security tests. They also express opinion about best practices seen at firms that can be implemented.
“From the perspective of HR or protecting the information of our investors, which is obviously a huge focus for us, our cybersecurity set-up is very robust,” Sanghoee adds. “Our default position is that we do not share data with anyone, unless either legally required to do so, with explicit permission to do so from an employee or investor, or with a prior understanding of what information we need to share in the ordinary course of business.”
So exactly what personal data does a typical firm gather? “We have mainly three kinds of personal data that we process,” says the Europe-based compliance officer. “First is investor data. All our investors are required under local KYC and anti-money-laundering regulations to provide certain information to us. Second is the information of our employees. We also handle third-party personal data, which can be related to service providers, portfolio companies and current employees.”
The same CCO also mentions having to keep track of data regarding individuals interested in working for the firm.
Job applicants’ résumés are also noted by Fredrick Shaw, chief compliance officer of NASDAQ-listed private equity investor and advisor Hamilton Lane, as data that needs to be considered PII (personal identity information). “It was apparent to us that we have obligations to these people now, even if we never speak to them, even if their résumé is completely off-base.” As a side note, job applicant data will likely be taken out of the CCPA definition; an amendment approved by the California Assembly on May 29 saw collection of personal information from job applicants, employees, contractors or agents removed from the legislation.
The SEC’s warning shot
So if you haven’t been caught by GDPR, you may have to comply with CCPA… and then there is good old Regulation S-P.
The Securities and Exchange Commission’s rules on safeguarding customer and client data have been around for nearly two decades, but a risk alert released by the commission in April is a signal that examiners are going to be paying closer attention to this.
“It’s an old rule being looked at in a new cyber world. The SEC is putting some teeth behind that rule and the industry needs to pay attention,” says Guy Talarico, CEO and founder of consulting firm Alaric Compliance Services.
Greg MacCordy, a former SEC industry expert who now works alongside Talarico, rams the point home: “Every Office of Compliance Inspections and Examinations team that is going out, even if they didn’t participate in this set of risk exams, will be looking for this in a firm’s policies and procedures.”
Regulation S-P “requires a registrant to provide a clear and conspicuous” privacy notice to customers or clients when the initial customer relationship is established, annually and opt-out privacy notices if a customer or client doesn’t want personal information shared with third parties. Registrants must also have adequate written policies and procedures that address “administrative, technical, and physical safeguards for the protection of customer records and information,” according to the April risk alert. This regulation only concerns private equity firms with individual investors.
SEC-registered firms will certainly have considered and made some effort to comply with S-P (although the aforementioned risk alert highlights some common compliance shortcomings).
‘Fight over pre-emption’
In general, federal privacy regulation will have a complicated relationship with the state privacy laws, says Ropes & Gray’s McNicholas. “Right now, anything processed pursuant to GLBA (Gramm–Leach–Bliley Act), which was the source of Reg S-P, is exempt from the CCPA. If other states don’t allow for that exemption you could have a fight over pre-emption,” he says.
Pre-emption is when a state and federal law contradict, and the federal law supersedes the state law because it is ranked higher under the Supremacy Clause in the constitution. Reg S-P and CCPA overlap because they both enforce the idea of keeping data safe by having proper policies and procedures in place to ensure security.
“The CCPA goes beyond that by imposing additional restrictions on what you can do with personal data,” Silver says. “For example, it requires that you give consumers the right to opt out of the sale of their data and also provide a detailed disclosure as to how you plan to use that data. This is far more aligned with the GDPR approach.”
“We could easily see litigation over pre-emption or litigation over the constitutionality of the CCPA,” McNicholas adds. “For instance, when California put out a financial privacy law years ago there was a long-running battle about whether or not it was pre-empted by the Fair Credit Reporting Act. After many court battles it was decided that it was partially pre-empted.”
After the CCPA was passed, a number of US states started to push for their own privacy laws similar to California’s. If the US adopts a state-by-state model, then private equity firms have to start coming up with a plan now to get ahead of the wave.
“We’re providing guidance to our private equity clients. The first thing they need to do is to really figure out if the law applies to them, and if it does, what kind of data are they collecting that they would have to worry about,” Bonnie Yeomans, special privacy counsel at Proskauer, says. “At this point we’re not advising clients to change any policies or procedures yet to comply with the law, but they should be thinking about what they are doing with personal data so that they can be ready.”
“I keep hoping that there will be a federal standard that is created so that we don’t have to have so many different data privacy policies,” says Hamilton Lane CCO Shaw. “My understanding at this point, is that the CCPA should be the most expansive and the most restrictive. We will adopt that policy and most likely rely on our adoption of the most restrictive policy to enable our compliance with the less restrictive policies.”
Between the ticking clock of CCPA, the parade of copycat state legislation in the works, EU authorities ramping up activity and the SEC renewing its focus, the compliance agenda for any private equity firm must have personal data as item number one. With multiple regimes overlapping or conflicting, the high watermark approach – complying with the strictest possible version – may be the most sensible approach.
How you may be misinterpreting GDPR
Ringfencing your European activity is harder than you think. US private equity firms think they can limit compliance to the tools and activities in Europe, says Brussels-based privacy lawyer Ruben Roex, “which often is not the case, given that often the internal systems are centralized.”
The definition of personal data is broader than you think. “You do have personal identifiable information in the US as a concept, but it is far more limited than what we understand as personal data,” says Roex. “Often the client comes to us and says, ‘We don’t process any personal data, we’ve anonymized everything, because we’ve deleted the names and have no employee numbers for them, so we’re done.’ Well, under European law, just deleting the names and some identifiers such as numbers will not imply that the data is anonymized at all.”
You have to update contacts with suppliers everywhere, not just in Europe. “Even if your supplier is based in the US, or wherever in the world, it may be necessary to amend the contracts to make sure that they comply with what the GDPR says has to be in there.”