As European data protection regulators prepare to enforce the General Data Protection Regulation (GDPR) from May 2018, private equity firms must act to minimise the risk of becoming financially liable for the data protection failings of portfolio companies. After a recent spate of high-profile data breaches, the risks for financial sponsors are high.

Why is a Data Protection Failing at Portfolio Company Level a Serious Concern for a Buyout Firm?

The GDPR sets out defined obligations and extends EU data protection law’s territorial reach, catching any business that operates in the EU, or offers goods and services to — or monitors the behaviour of — EU data subjects (whether in the EU or not). Fines for non-compliance can be substantial — up to the higher of €20 million or 4% of an undertaking’s global annual turnover. The regime defers to the EU antitrust concept of “undertaking”, which in our view means fines may be calculated by reference to the combined revenue of an offending portfolio company and the buyout firm (including the firm and all other portfolio companies within its group). This leaves open the possibility of data protection regulators directly fining buyout firms for the failures of portfolio companies.

EU antitrust case law has established that group companies can be liable for infringements committed by any entity forming part of the undertaking. This includes financial holding companies and indirectly controlled subsidiaries or investments — such as a PE firm and its portfolio companies — if there is a relationship of “decisive influence”. Arguments of rogue subsidiaries and the purely financial nature of investments have failed to exonerate parent companies and shareholders. Shareholdings as low as 30% have given rise to liability on the part of minority shareholders in antitrust cases.

In 2014, the European Commission found a financial sponsor jointly and severally liable for the antitrust infringements of a portfolio company, imposing a multi-million Euro fine. The EC deemed the sponsor to have had and exerted decisive influence over the business, as the sponsor indirectly had 100% of the voting rights, held board positions, and had broad management powers. Judgment in the appeal to the EU’s General Court is expected in the coming months.

What Can PE Firms Do to Manage Increased Data Risk?

Given the need for buyout firms to monitor portfolio companies and retain shareholder protections, structuring solutions, and limitations on shareholder or board consent matters, aimed at avoiding classification as part of the same undertaking are unlikely to be practicable.

A structured approach to diligence when acquiring companies is critical. Assessing how a target collects, stores, uses, and transfers personal data will be vital to understanding valuation and risk associated with new deals. Non-compliance should be identified pre-acquisition, and a remediation plan implemented. If appropriate, PE firms should consider specific indemnities for data liabilities, covenants enabling ongoing safeguards, and conditions precedent regarding steps to address material non-compliance.

For existing portfolio companies, PE firms should ensure GDPR compliance is on management’s radar by confirming that a robust privacy governance programme exists, that companies have undertaken a GDPR gap analysis, and that a remediation plan is in place.

Finally

Data breaches and non-compliance with data protection laws can cause harm to portfolio companies and dampen financial prospects on exit. Aside from the damaging effects at portfolio company level, PE firms should be alert to the real risk that data breaches could lead to fines for the PE firms themselves, calculated on the basis of the turnover of all of their portfolio companies.