Managers assess impact of EU privacy rules

Money managers around the globe are considering the impact on their technology sector investments of incoming rules over data and its use — with awareness heightened by recent issues related to social media platform Facebook Inc.

Starting May 25, the European Union's General Data Protection Regulation comes into force, and with it a set of stringent rules and penalties for non-compliance. The regulation puts the onus on all companies that hold personal data of EU citizens — regardless of the firm's location — to keep that information safe from privacy and data breaches. EU citizens will be able to manage the amount of information they are releasing, who accesses it, and how it is used.

Breaches can result in a hefty fine, with companies hit with penalties of up to 4% of annual global revenue or €20 million ($24.6 million) — whichever is greater.

Any regulation that affects the technology sector would be a serious consideration for investors; technology companies account for 25% of the S&P 500 index; 21% of the Russell 1000 index; and 20.5% of the Russell 3000 index.​

Money management executives are working hard to figure out where the risks and opportunities might lie as a result of the far-reaching rules.

"It's really empowering the final client," said Lorenzo Angelini, portfolio manager-European ​ equities at Amundi in Dublin. "It is a big change — if you look at the technology ecosystem in general, the flow of data has been a source of value (for some firms) and a way to understand client behavior, target advertising and enhance services."

While the rules were debated for years, and the enforcement date known for some time, the issue has been brought into sharp focus for money managers and analysts by recent allegations against Facebook Inc. and its data protection processes.

"The timing of the Cambridge Analytica scandal (regarding Facebook and its user data) was interesting as it was out before GDPR comes into effect, but serves as a timely reminder of what's required under regulation," said Neil Campling, co-head of the global thematic group, specializing in technology, media and telecoms at Mirabaud Securities Ltd. in London. "It doesn't matter if (a company holding and using information) is a small enterprise or a large, multinational corporation, the policies apply regardless" of size and company location.

The rules carry "a whole variety of implications — businesses based around using those data sets, for example for target advertising, could be severely impacted," added Mr. Campling.

Allianz Global Investors' analysts in Frankfurt spent time last year running "a very thorough in-house analysis of the legal text (which) led us to the view that GDPR is more than just a series of boxes that corporates must tick to be compliant," said Marie Rupp, analyst at the money manager. "We believe it will be a game-changer for business(es) dealing with private data. So we are prepared to spend even more time in the month ahead to scrutinize the way things will take shape in certain sectors, and from this, understand the impact on our investment portfolios."

The impact of GDPR on portfolio holdings is being assessed in a number of ways by money managers and analysts. Some of the managers are not taking action on their exposures just yet, but rather watching and waiting for opportunities, and risks, to play out. However, one source working at a money management firm said he has heard from two equity managers that they are taking profits in the technology sector, using the Facebook issue as well as GDPR as a trigger to reduce holdings.

Shoaib Zafar, Geneva-based senior analyst at SYZ Asset Management, said the technology sector has been an overweight position for the firm for the past few years, with opportunities in both old technology such as hardware and newer ideas such as cloud computing.

While SYZ is not making any changes just yet to its technology holdings, it is watching for two potential impacts of GDPR and the Facebook issue. "Do advertisers delete Facebook, and will there be a churn of users?" Mr. Zafar said, noting that the "inactive" or less frequent users of Facebook are at risk of leaving the platform or deleting their data.

The risk around GDPR for some money managers is the impact on technology companies' revenues that come from advertising. "We are very much looking at how valuable is this business, and is it a business we want to own?" said Philip Smeaton, chief investment officer at Sanlam U.K. Ltd. in London. Executives will consider how exposed their portfolio companies are to advertising-type revenues, "profiting from people's data, and how much companies (are) protecting and securing it."

And for Sanlam U.K., the Facebook issue could present an opportunity. "We are always looking for investment opportunities, companies (that are) unique … Facebook for us is a company that would qualify to that. Whenever there is a step back in the market or an opportunity, we check if that uncertainty is a good entry point or not … But clearly there is a lot of uncertainty — will people turn off their Facebook accounts, (will the company) be restricted (regarding its) advertising, which would hurt their revenue and potentially profitability," Mr. Smeaton said.

Mirabaud Securities, whose clients are largely global equity institutional investors, moved to a negative view on Facebook this year. "It's a company that requires a huge amount of information on end users … and now that gets hurt by the inability to have that information as before. We turned negative directly (as a result) of GDPR," said Mr. Campling. But the firm has moved to a positive view on companies that provide data protection or defensive services.

Also considering the regulation from two angles is Amundi's Mr. Angelini. Executives are considering back-end implications of the new regulation — working to understand whether "the IT infrastructure that is already in place can sustain the workflow required" by GDPR. He said the other consideration relates to the front end — if a business is based on a flow of information that will no longer be there.

Amundi has been asking corporations for a number of months about the actions they are taking and what they expect from GDPR. "The focus I have is on the front end because we are not overly exposed to those themes, but more on the back end — what you want to have is a company with a nice infrastructure which is new, cloud-enabled (and) GDPR-proof." He said companies with silos are more at risk of losing track of data. "And there is the tail risk of something happening, someone stealing data, and that is a brand reputation type of risk," added Mr. Angelini.

And an ongoing focus will be the impact of GDPR on technology and social media firms' earnings and profitability. "Their capital expenditures have to go up, and already they are pretty high relative to a lot of other companies in corporate America," said Sunil Reddy, senior vice president and portfolio manager of Fiera Capital Inc.'s growth equity team in Dayton, Ohio.

Mr. Reddy said GDPR is just one piece of heightened scrutiny regarding data-heavy platforms, with considerations extending to the U.S., India and Indonesia, for example. "Looking over the next couple of years, will these potential regulatory changes impact growth rates, and if (growth rates) come down how will they impact margins and earnings? All those are uncertain and we'll be watching closely," he said.

Allianz Global's Ms. Rupp agreed: "By definition the scope of GDPR goes much beyond Europe ... so from the beginning, the U.S.-based tech giants were among the primary stakeholders of GDPR. The recent issues of data misuse are increasing the necessity of having a regulation for data protection, and ... not only in Europe. The U.S. will eventually have its own" version of GDPR, she said.

Guillermo Felices, head of research and strategy in BNP Paribas Asset Management's multiasset, quantitative and solutions unit in London, said the team there also is considering the risk of tighter regulation of the U.S. technology sector — an issue thrown up by the Facebook data privacy concerns.

From a macro point of view, any increased regulation "is a material uncertainty in a sector that has been so prominent that it could be a significant hurdle for the market to take — it may affect the way people perceive risk and volatility in particular. It may be one of those things that increases volatility to a slightly higher level than (markets have been used to) in recent months," Mr. Felices said.

However, it is important to put the regulatory issue into perspective and "frame it in the context of how profound and long" the U.S. tech sector rally has been. "The question in investors' minds is where does this end? I think that's what the market is trying to digest — whether this is a bump in the road or more fundamental and may derail the business model of these big giants, and whether it's hurt beyond repair," Mr. Felices added.