As many will by now be aware, a major new data privacy law, the “General Data Protection Regulation” (“GDPR”), will come into force in May 2018, introducing substantial changes to current European privacy laws. US-based private fund sponsors that market fund interests to individual (i.e., non-institutional) investors in the European Union (“EU”) may become subject to regulation under the GDPR.
In line with current law, most organisations with a presence within the EU which use or hold data relating to living individuals (including organisations whose only EU presence is equipment located there) will fall within the scope of the GDPR. However, one of the most significant changes under the GDPR is the extension of its jurisdictional reach to non-EU fund sponsors holding or using data about individuals located in the EU, even in the absence of any EU presence. Accordingly, non-EU-based private fund sponsors which are not caught by the current regime would be well advised to consider whether the forthcoming changes will bring them within the scope of the GDPR.
Where the extra-territorial provisions apply, non-EU-based sponsors are required to comply with the entirety of the GDPR or face potential fines of up to the greater of EUR 20m and 4% of worldwide annual turnover for the most serious infractions. Full compliance with the GDPR’s 99 articles will require, among other things, reporting of data breaches to EU privacy regulators within 72 hours of becoming aware of them, disclosures about data usage to individual EU investors, compliance with the various rights granted to individuals, the appointment of an EU representative (unless only very limited use is made of EU investor data) and the maintenance of detailed internal records of data processing operations.
The GDPR will apply to US based private fund sponsors where:
Where either circumstance described above applies, the non-EU sponsor will be subject to the GDPR even if it has no physical EU presence and does not process data within the EU. Note, however, that the GDPR protects only living individuals: it will not apply to offers to, or monitoring of the behaviour of, trusts, institutional investors or other investors that are not natural persons.
A key test for extra-territorial application of the GDPR to fund sponsors is likely to focus on whether an “offer” has been made to EU investors.
The GDPR makes it clear that the mere online accessibility of non-EU products and services is not sufficient to subject a non-EU business to the GDPR simply because it is in possession of data relating to EU individuals (for example, as a result of an unsolicited and/or unexpected approach to the fund sponsor by an individual European investor).
Some form of targeting, solicitation or facilitation of EU trade or investment is required before an “offer” of goods or services will be deemed to be made. Factors which tend towards the making of an offer include:
The tracking of individuals over the internet will often constitute “monitoring” for the purposes of the GDPR. This creates a jurisdictional risk for a fund sponsor which routinely places tracking or persistent cookies on the devices of website users. This provision also has the potential to bring non-EU organisations within the scope of the GDPR unexpectedly, given that (i) the use of tracking technologies has become widespread and commonplace; and (ii) unlike the “offer” test, no intention to target EU individuals is required where tracking technologies are used to track EU internet users.
At first blush, the monitoring gateway to GDPR application may appear broad and problematic. However, the GDPR’s recitals indicate that the monitoring provision is aimed at tracking that is used to profile an individual, that is, to take decisions about them or to analyse or predict their personal preferences, behaviour or attitudes. Accordingly, the incidental placement of tracking technologies does not appear to be the focus of the monitoring provisions.
Our view is that, all other things being equal, privacy regulators are unlikely to focus their enforcement efforts on non-EU organisations which inadvertently invoke the extra-territorial provisions of the GDPR as a result of using tracking technologies where there is no active targeting, solicitation or facilitation of EU investment. Accordingly, whilst as a technical matter no targeting is required to bring a non-EU organisation within the scope of the GDPR where monitoring of EU individuals occurs, in reality we expect targeting to be a relevant jurisdictional consideration for EU privacy regulators. Nevertheless, for organisations wishing to mitigate the risk of application of the GDPR, tracking technologies could be disabled for visitors located in EU countries or, for EU users, replaced with cookies that do not collect personal data or track website users (such as session cookies used solely to provide website functionality). A practical point to bear in mind is that determining whether a visitor is located in the EU itself involves processing the visitor’s IP address, which the EU regime treats as personal data; the geolocation step should therefore be kept to the minimum needed to make the decision and the address should not be retained.
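The mitigation described above (functional session cookie only for EU visitors, persistent tracking cookie only elsewhere) can be enforced at the point where a web application emits its Set-Cookie headers, and checked afterwards. The following is an added illustration written for this page, not code from the client alert or from any fund sponsor’s site. It assumes the visitor’s country reaches the application as an ISO 3166-1 alpha-2 code from some upstream geolocation step (for example a CDN header), the cookie names `sid` and `_vid` are hypothetical, and `EU_COUNTRIES` is an illustrative list that the operator must maintain. It requires Python 3.8 or later for `SameSite` support in `http.cookies`.

```python
"""Gate persistent tracking cookies by visitor region (added example).

Assumptions not in the original text: country code supplied by an upstream
geolocation step; cookie names are hypothetical; EU_COUNTRIES is illustrative.
"""
from http.cookies import SimpleCookie

# ISO 3166-1 alpha-2 codes of EU member states. Illustrative list that the
# operator must keep current; GB is included because the UK was a member state
# when the GDPR came into force in May 2018.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
    "GB",
})

SESSION_COOKIE = "sid"    # hypothetical functional session cookie
TRACKING_COOKIE = "_vid"  # hypothetical persistent visitor identifier
ONE_YEAR = 365 * 24 * 3600


def in_eu(country_code):
    """True when the country code is an EU member state.

    A missing or unknown geolocation result is treated as EU: failing closed
    keeps the sponsor on the conservative side of the monitoring provision.
    """
    if not country_code:
        return True
    return country_code.upper() in EU_COUNTRIES


def cookies_for_visitor(country_code, session_id, visitor_id):
    """Return the Set-Cookie header values to emit on one response."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["samesite"] = "Lax"
    # No Max-Age/Expires on the session cookie: the browser discards it when
    # the browsing session ends, so it does not track the user across visits.

    if not in_eu(country_code):
        # Only non-EU visitors receive the persistent identifier.
        jar[TRACKING_COOKIE] = visitor_id
        jar[TRACKING_COOKIE]["max-age"] = ONE_YEAR
        jar[TRACKING_COOKIE]["secure"] = True
        jar[TRACKING_COOKIE]["samesite"] = "Lax"
    return [morsel.OutputString() for morsel in jar.values()]


def is_persistent(morsel):
    """A cookie is persistent if it carries Max-Age or Expires."""
    return bool(morsel["max-age"] or morsel["expires"])


def audit_set_cookie(country_code, set_cookie_headers):
    """Names of persistent cookies that must not be sent to an EU visitor.

    Intended for an integration test or a response-logging hook, so that a
    tracking cookie set on some other code path is caught rather than shipped.
    """
    if not in_eu(country_code):
        return []
    offenders = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if is_persistent(morsel):
                offenders.append(name)
    return offenders


if __name__ == "__main__":
    for cc in ("DE", "US", None):
        headers = cookies_for_visitor(cc, "s3ss10n", "v1s1t0r")
        print(cc, headers, "violations:", audit_set_cookie(cc, headers))
```

`audit_set_cookie` deliberately parses the emitted header strings rather than inspecting application state, so it can also be pointed at Set-Cookie headers captured from a live response.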
Any regulator seeking to enforce the GDPR against a non-EU fund sponsor with no EU presence at all would face significant practical difficulties. Regulatory behaviours under the GDPR in respect of foreign enforcement therefore remain an area of considerable uncertainty. To date, regulators wishing to address egregious breaches of EU data protection laws have sought to invoke jurisdiction on the basis of a very limited presence within the EU by a foreign transgressor; this could consist, for example, of a single sales representative being present in an EU jurisdiction, even if the relevant business does not have any form of entity or branch established within the EU. Where there are no EU touchpoints at all, enforcement may, in time, be made more practical by the conclusion of cooperation agreements between EU privacy regulators and their foreign counterparts.