What most GDPR Watchers Know
As most General Data Protection Regulation (GDPR)-watchers know, the Regulation includes various high-profile enforcement mechanisms and legal remedies. These include, for example:
Fines
The enhanced fine structure described in Article 83 of the GDPR: up to €10 million or 2% of the prior year’s worldwide annual gross revenue for administrative infringements, or up to €20 million or 4% of the prior year’s worldwide annual revenue for more substantive infringements (in each case, whichever is greater).[1]
Private Lawsuits
Under Articles 79 and 82 of the GDPR, affected persons can assert a claim for damages against a company based on a GDPR violation; and
under Article 80(1), non-profit public interest privacy rights organizations such as NOYB (None of Your Business), founded by noted privacy activist Max Schrems, can represent, and even receive compensation on behalf of, persons whose privacy rights have been violated.
Enter the US (plaintiff) Securities Bar
Since the GDPR came into effect on May 25, 2018, many commentators have speculated about its effect on directors’ and officers’ liability with respect to GDPR compliance statements. Supreme Court precedent has long established that individuals and entities who have suffered harm due to securities fraud may sue to recover damages.[2] Typically, plaintiffs must prove that the party alleged to have caused the harm: (a) materially misrepresented or omitted key information, (b) knew of the violation, (c) that there was a connection between the misrepresentation or omission and the purchase or sale of the security, and (d) that he or she suffered economic loss caused by reliance upon the misrepresentation or omission.[3]
One recent case, Bhattacharya v. Nielsen Holdings PLC, et al., filed in the United States District Court for the Southern District of New York, may provide some insight into how this type of claim can play out in today’s post-GDPR age.
In this case, the plaintiff, a shareholder of the media ratings company Nielsen Holdings, alleged that Nielsen and its officers and directors repeatedly misstated that GDPR compliance would not impact its business, in fact depicting the impact of the GDPR as, essentially, a non-event. The company then issued a downward adjustment of its financial statements – reducing its free cash flow estimate by $250 million and issuing additional guidance to the effect that the impact of GDPR compliance was a direct contributor to the adjustment and that its compliance efforts had a direct impact on the company’s near-term growth rates. Following this release, Nielsen’s stock nosedived by more than 25 percent. The lawsuit contended that these materially false and misleading statements violated multiple sections of the Securities Exchange Act of 1934 – that Nielsen knowingly defrauded investors by materially underestimating the potential financial ramifications of its GDPR compliance.
The basic takeaways from this case are:
Compliance with the GDPR and with similar privacy laws being passed in the United States, such as California’s CCPA, which is set to come into effect on January 1, 2020, and similar state-law privacy acts, can and will exert a significant financial and logistical impact upon business growth for many companies – an impact which must be accurately understood, calculated and stated;
A failure to properly and accurately represent the costs and risks entailed in complying with these laws can constitute a form of securities fraud; and
Statements issued by public companies concerning privacy laws will continue to be scrutinized by investors, and companies’ failure to understand the impact of their compliance obligations can and will lead to increased shareholder lawsuits, which will, in turn, cause both short-term immediate financial damage and longer-term reputational impact.
Additional Relevance – Mergers and Acquisitions
Perhaps the best known, and one of the most highly negotiated, clauses within mergers and acquisitions agreements involves the parties’ stated commitment to adhere to clearly defined representations and warranties. Representations and warranties typically include a wide range of commitments, ranging from representations regarding the truth and accuracy of financial statements, to the absence of regulatory and legal liability or material legal costs, to the status of companies’ regulatory compliance. Parties’ ability to comply with these terms exerts a significant impact at virtually all transaction stages, from pre-closing due diligence (or the failure to meet due diligence requirements) through post-transaction compliance and the threat of continued litigation – and a failure to adhere to them can and will lead to significant liability for all involved parties, including potential fraud claims.
As a result, it is imperative for companies undergoing mergers and acquisitions to pursue a thorough and holistic approach towards assessing their privacy law compliance that involves and incorporates a range of disciplines including deep legal and regulatory understanding, technical knowledge of the elements required to achieve and maintain “privacy by design” and an understanding of the accounting mechanisms and costs entailed in achieving GDPR compliance.
Summary
The risks of privacy law compliance failures go beyond simple statutory fines.
Failure to adequately represent the costs and efforts entailed in achieving privacy law compliance can potentially constitute a form of securities fraud, particularly for publicly traded companies.
Virtually all companies undergoing mergers, acquisitions or other significant transactions that require adherence to representations and warranties regarding legal compliance and financial status risk significant liability when they fail to understand and properly calculate the costs inherent in privacy compliance.
AcquireTek’s integrated solution to simplifying mergers and acquisitions provides a platform for companies seeking to achieve a well-integrated and holistic solution to meeting their M&A compliance needs. Please contact me at phyllis.elin@acquiretek.com for additional questions or to discuss how our solutions can fit your needs.
_______________________________
[1] Fines carrying a potential maximum penalty of up to €10 million or 2% of the prior year’s worldwide annual gross revenue (whichever is higher) are triggered mostly by administrative infringements such as the failure to obtain parental consent prior to processing children’s personal data, internal technical failures (data protection by design and by default, etc.), controller-processor relationship violations, failures of regulatory cooperation, security breach notification failures and similar matters. In contrast, the higher fine bracket of up to €20 million or 4% of the prior year’s worldwide annual gross revenue is statutorily triggered by infringements that are based on core violations of data protection principles such as unlawful consent, international transfer violations and interference with data protection authority investigations.
[2] This general rule is subject to various exceptions that are beyond the scope of this post.
[3] See Dura Pharmaceuticals, Inc. v. Broudo, 544 U.S. 336, 341–342 (2005).