When the US (plaintiffs’) Securities Bar Meets the GDPR
Updated: Sep 9, 2021
What Most GDPR Watchers Know
As most General Data Protection Regulation (GDPR) watchers know, the Regulation includes various high-profile enforcement mechanisms and legal remedies. These include, for example:
Fines. Under the enhanced fine structure described in Article 83 of the GDPR, fines of up to €10 million or 2% of the prior year’s worldwide annual gross revenue (whichever is greater) for administrative infringements, and up to €20 million or 4% of the prior year’s worldwide annual revenue (whichever is greater) for more substantive infringements.
Private Lawsuits. Under Articles 79 and 82 of the GDPR, affected persons can assert a claim for damages against a company based on a GDPR violation; and
Representative Actions. Under Article 80(1), non-profit public interest privacy organizations such as noyb (None of Your Business), founded by noted privacy activist Max Schrems, can represent, and even receive compensation on behalf of, persons whose privacy rights have been violated.
Enter the US (Plaintiff) Securities Bar
Since the GDPR came into effect on May 25, 2018, many commentators have speculated about its effect on directors’ and officers’ liability with respect to GDPR compliance statements. Supreme Court precedent has long established that individuals and entities who have suffered harm due to securities fraud may sue to recover damages. Typically, plaintiffs must prove that the party alleged to have caused the harm: (a) materially misrepresented or omitted key information, (b) knew of the violation, (c) that there was a connection between the misrepresentation or omission and the purchase or sale of the security, (d) that the plaintiff relied upon the misrepresentation or omission, and (e) that he or she suffered economic loss caused by that reliance.
One case, Bhattacharya v. Nielsen Holdings PLC, et al., filed in the United States District Court for the Southern District of New York, may provide some insight into how this type of claim can play out in today’s post-GDPR age.
In this case, the plaintiff, a shareholder of the media ratings company Nielsen Holdings, alleged that Nielsen and its officers and directors repeatedly misstated that GDPR compliance would not impact its business, in effect depicting the impact of the GDPR as a non-event. The company then issued a downward adjustment of its financial statements – reducing its free cash flow estimate by $250 million and issuing additional guidance to the effect that the impact of GDPR compliance was a direct contributor to the adjustment and that its compliance efforts had a direct impact on the company’s near-term growth rates. Following this release, Nielsen’s stock nosedived by more than 25 percent. The lawsuit contended that these materially false and misleading statements violated multiple sections of the Securities Exchange Act of 1934 – that Nielsen knowingly defrauded investors by materially underestimating the potential financial ramifications of its GDPR compliance.
The basic takeaways from this case are:
Compliance with the GDPR, and with similar privacy laws being passed in the United States such as California’s CCPA (set to come into effect on January 1, 2020) and comparable state-law privacy acts, can and will exert a significant financial and logistical impact on business growth for many companies, an impact that must be accurately understood, calculated and stated;
A failure to properly and accurately represent the costs and risks entailed in complying with these laws can constitute a form of securities fraud; and
Statements issued by public companies concerning privacy laws will continue to be scrutinized by investors, and companies’ failure to understand the impact of their compliance obligations can and will lead to an increase in shareholder lawsuits, which will, in turn, cause both immediate financial damage and longer-term reputational harm.
The risks of privacy law compliance failures go beyond simple statutory fines.
Failure to adequately represent the costs and efforts entailed in achieving privacy law compliance can potentially constitute a form of securities fraud, particularly for publicly traded companies.
A well-executed information governance plan that combines record life cycle guidance with a sensitivity to data privacy can help companies avoid unnecessary litigation and mitigate regulatory risk. Please contact us for additional questions or to discuss how our solutions can fit your needs.