Data privacy concerns that spurred tough new regulations in Europe could soon be spreading to the U.S., with California making the first move. In the meantime, plan sponsors and asset managers need to pay attention as U.S. regulators figure out how to react.
Two years ago, the European Union enacted the sweeping General Data Protection Regulation to protect citizens' data and privacy rights. GDPR applies to multinational companies — including asset managers and advisers — if their principal base is in the EU, or they provide goods, services or employment to EU residents.
The restrictions, which became effective in May 2018, place a significant burden on companies to manage their employees' and customers' data, or risk dramatic fines up to €20 million ($22 million) or 4% of annual income, whichever is higher.
Any doubts about how seriously European regulators take the new data privacy law were quickly erased in January when France's data protection regulator, Commission nationale de l'informatique et des libertes, or CNIL, fined Google LLC €50 million for not doing enough to get consent from users before processing their data.
Europe-based asset managers and advisers applying for Securities and Exchange Commission registration are painfully aware of GDPR, as SEC officials sit on their applications while they figure out how to get typically requested information from managers such as financial statements, client profiles, trade records and even investment research involving personal data, without running afoul of GDPR.
Until that roadblock is cleared and they are allowed to register, EU-based asset managers including private fund advisers cannot raise money from U.S. investors, even if they are already registered for other investment vehicles.
"Right now, the status quo is, if you are based in the U.K. or EU, you will not get approved," said Michael Sherman, a partner in Dechert LLP's Washington office who counsels investment advisers and firms that have encountered similar data protection law issues in other countries.