This Proskauer blog discusses how the EU’s robust enforcement of cybersecurity and privacy regulations are increasing the risk of liability to PE fund sponsors & corporate parents for activities of their portfolio companies and subsidiaries. The blog highlights the $255 million fine recently imposed on What’s App Ireland, which was calculated by reference to its parent Facebook’s overall global revenue. It goes on to point out that parent companies and PE sponsors may now face direct enforcement action with respect to GDPR issues involving their affiliates – including those in which the sponsor or parent holds a minority stake.
As this excerpt indicates, the key to parental liability is whether the parent or sponsor is deemed to be engaged in an “undertaking” with its affiliate:
The GDPR refers to EU competition law jurisprudence to understand the concept of an “undertaking”. EU case law establishes that where a parent company (or potentially a PE sponsor) holds all, or nearly all, the shares in a subsidiary, a rebuttable presumption arises that both companies are part of an “undertaking”. With respect to lower levels of investment, the key is whether the shareholder is in a position to exercise “decisive influence” over the subsidiary entity’s commercial policy. While the existence of “decisive influence” is fact-specific, relevant factors include (for example) the parent company or PE sponsor’s:
– Veto rights: Veto rights relative to the affiliate or portfolio company’s budget, business plan, operational investments or the appointment of senior management are relevant factors. The crucial element is whether the right is sufficient to enable the parent company or PE sponsor to influence the strategic business behavior of a venture. Importantly, the mere existence of a veto right, even where not exercised, can be sufficient to establish “decisive influence”;
– Right to appoint board members: The right to appoint independent non-executive directors with observer roles (rather than executives with management power) is less indicative of “decisive influence”; and
– Power to have personal data protection rules implemented within a company.
To illustrate, “decisive influence” has been held to exist (under EU competition law) with a minority shareholding as low as 30% (for example, in the Fuji case, where there were common directors). Similarly, in the Prysmian case (under EU competition law), the investor was fined EUR37.3 million for the power cable cartel in which the company in which it had invested had engaged due to the “decisive influence” that was held to exist. The investor’s interest in the company through a fund vehicle was only approximately 33%, but its voting rights were far higher (at one point 100%) and it controlled the composition of the board of directors.
The blog recommends that fund sponsors and parent companies consider implementing risk mitigation measures, including identifying GDPR compliance issues during due diligence and remediating them pre- or post-closing, structuring investor rights to reduce the risk that they will cause the investor to be viewed as having “decisive influence,” and obtaining appropriate GDPR-related reps & indemnities, as well as post-closing covenants.
– John Jenkins