GDPR: can it impact financial regulation of foreign takeovers?

Stuart Ritchie

12.11.2017

ABSTRACT Supervisors are interested in GDPR risks. Financial regulators are interested in financial risks. Often the latter may be derivative of the former. An obvious question arises: at what point might financial regulators become interested in data protection risks?

Background: I was asked a question which for various conduct reasons I can’t possibly answer in the terms asked. That said, given its resonance with similar issues I’ve observed in the UK and other contexts, I’ve reformulated it to something so generic as to be answerable on a methodological level without raising the ire of my regulator. More than usual, anyway.

Prima facie, a local data protection Supervisory Authority likely will be far more interested in GDPR compliance and enforcement than will a local financial regulator.

That said, many controllers (especially banks) in many jurisdictions have local and/or international audit and reporting requirements. Some of these may involve assessing and publicly declaring financial risks and (with enterprises small enough to be insurable) considering insurability. Where undeclared, such controllers and their internal and external auditors can always get themselves off the hook for risks that are both unforeseeable and unforeseen.

Regrettably, under the GDPR risk is no longer permitted to remain unforeseen. On the contrary, GDPR compliance specifically requires identification of foreseeable risks, via performance of data protection risk assessments ("DPIAs") per Article 35. These will interest data protection regulators, and auditors, and insurers (because unless you’ve foreseen them then by definition you’re likely in breach anyway, unless you can prove that it was unforeseeable – a very big ask).

And there’s the rub! Performing DPIAs necessarily requires collecting all the information that would be required for lawyers and auditors to make such financial risk assessments as might be requested by financial regulators (as well as underwriters etc). (disclaimer: in this paragraph I’m conflicted, as in my view the connection is so close that the software on which I’m working calculates such financial risks as part of automated DPIAs)

Next: reassuringly, until and unless the buyer and/or the purchased company create new/more dataflows exporting personal data, particularly to the buyer’s jurisdictions or other extra-EEA destinations, data protection financial risks obviously won’t increase beyond any already incurred pre-sale – a significant qualification. It just makes the controller of more interest to more regulators, data subjects etc.

Except that… given the recent pair of near-maximum fines (of both buyer and seller independently) for a personal data "asset sale" in Bavaria, we now know that a takeover not compliant with data protection law ipso facto will trigger a data protection public financial risk. And, by inference, private remedy class action risks. Then there are the criminal risks (noting that about two-thirds of the Member States attach custodial sentences to data protection criminal offenses, nothing to do with the GDPR except for its indirect impact on local rules of evidence), which in turn also might be regarded as brand risks and associated risks for auditors courageous enough to sign off on unqualified valuations of affected brands.

In (trite) conclusion: the answer to the question must be "No, but…". Clear as mud? Perhaps. But from a methodological perspective those, I think, are the main parameters around which controllers, auditors, underwriters, M&A advisers etc might consider legal advice.

Final note: don’t panic! There’s absolutely nothing in the GDPR per se that logically distinguishes any such effects from that of the previous law, or even data protection law in other jurisdictions (for example data breach laws in the USA, which are utterly different and very narrowly focused). It’s just that the GDPR’s much wider scope, reversal of the legal burden of proof, ending of Board-level deniability, higher fines, etc, collectively render the financial and criminal risks much more serious than before.

All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.