In Lexology’s Getting the Deal Through: Digital Health 2021 (UK) Latham & Watkins considers the key regulatory and transactional issues faced by market players and practitioners.

By Frances Stocks Allen, Oliver Mobasser, Sara Patel, Mihail Krepchev, and Samantha Peacock

The UK has an active digital health market comprising both the private and public sectors. Venture capital funding in the digital health sector has increased significantly in recent years, with the majority of investment appearing to come from private investment firms. However, public financing through IPOs is also on the rise. The COVID-19 pandemic has further heightened the positive and dynamic investment climate for digital health technologies in the UK. In particular, the pandemic has highlighted the need for resilience in healthcare systems, including through digital health solutions. As a result, the pandemic has significantly accelerated uptake of digital health solutions in the UK and related investment opportunities, as well as challenging structural barriers that had previously slowed investment in digital health innovations.

Digital health in the UK is currently governed by a patchwork of different legal regimes, rather than bespoke legislation, while various regulatory and enforcement bodies have jurisdiction over the digital health sector.

By Paul A. Davies, Tom Evans, Nicola Higgs, Farah O’Brien, David Walker, Michael Green, Hannah Berdal, Anne Mainwaring, and Catherine Campbell

Green shoots emerge as PE firms consider new ways to incorporate ESG into dealmaking.

Market sentiment and the increasing importance of environmental, social, and governance (ESG) to firms’ competitiveness across the market, combined with wide-ranging and rapidly developing ESG regulatory reforms, are driving increased focus on ESG at both LP and GP levels across Europe. As a result, the market is showing demand for enhanced diligence, and a wider range of deal provisions are being considered in light of their potential to enhance the ESG outlook of PE investments.

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

How can private equity firms identify and mitigate inherited liability risk from vulnerable portfolio companies?

By Tom Evans, Gail Crawford, Fiona Maclean, David Walker, Katie Peek, Catherine Campbell, and Amy Smyth

Ongoing big ticket regulatory fines coupled with high profile corporate veil cases indicate that private equity deal teams must remain alert to the risk of buyout firms inheriting liabilities from vulnerable portfolio companies. Increasing GDPR fine activity, including the UK Information Commissioner’s intention to fine British Airways £183 million and an international hotel group £99 million for GDPR failings, is of particular concern. In parallel, the UK Supreme Court recently examined the circumstances in which a parent company can be held accountable for its subsidiary’s actions. In our view, private equity firms should take careful but active steps to identify and mitigate this inherited liability risk; there is no doubt that PE funds are increasingly in the firing line.


GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactions, and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

By Gail Crawford and Calum Docherty

Her Majesty’s Government last week published a position paper outlining its preferred post-Brexit landscape for data protection. The high-level takeaways are hardly surprising: the government stresses that it intends to “remain a global leader on data protection” and, as we already know, the UK’s Data Protection Bill, announced in the Queen’s Speech, will implement the EU’s General Data Protection Regulation (GDPR).

The paper’s top priority is the frictionless movement of personal data between the UK and the EU. The government sets out the Schrems test – i.e., that standards in a non-EU country must be “essentially equivalent” to those applied in the EU – and emphasises that the UK will be in an “unprecedented position” at Brexit, as the UK will have fully implemented the GDPR and so have the same data protection standards as the remaining EU member states. The government priority, then, is for the UK and the EU “to agree early in the process to mutually recognise each other’s data protection frameworks” to allow the free flow of personal data to continue at the time of Brexit. This bespoke interim solution would be followed up with agreed timelines about longer-term arrangements, with the paper suggesting that the UK will ultimately seek an adequacy decision.

By Gail Crawford and Danielle van der Merwe

Following the commencement of the Brexit negotiations earlier this week, the Queen announced in her speech on Wednesday a new law that will “ensure the United Kingdom retains its world-class regime protecting personal data”.

This bill will replace the current Data Protection Act 1998 in the UK. One of the bill’s main reported benefits is the implementation of the General Data Protection Regulation (GDPR) (and the new directive applying to law enforcement data processing), meeting the UK’s obligations while it remains an EU Member State. Crucially, the intention is for the bill to help put the UK in the best position to maintain its ability to share data with other EU Member States, and internationally after the UK leaves Europe.

By Christian McDermott, Calum Docherty, Stuart Davis and Anne Mainwaring

The European Banking Authority (EBA) has published its consultation document on security measures for operational and security risks under the revised Payment Services Directive (PSD2).

The WannaCry ransomware attack that swept across the globe last week revealed the destructive and indiscriminate nature of cyber threats. It attacked hospitals, telecoms networks and universities, seizing hold of important data and leaving users and systems administrators temporarily powerless. These are precisely the risks that the payments industry wants to avoid as it braces for the revised PSD2, which will come into force across the EU from 13 January 2018. As such, the EBA has published a consultation paper on security measures for operational and security risks under PSD2, setting out proposed requirements for payment services providers (PSPs) to mitigate the concomitant payment processing risks.

The consultation paper is one of the EBA’s three security mandates in PSD2, complementing the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (submitted to the European Commission for adoption 23 February 2017), and the Guidelines on Major Incidents Reporting (which recently finished its consultation).

By Sophie Lamb and Samuel Pape

The latest global ‘WannaCry’ attack has again brought to the fore the need for sovereign and private parties to have in place adequate cyber-security measures and response plans to deal with cyber-attacks, including in the context of international arbitration. As attackers are becoming increasingly resourceful in their ability to exploit vulnerabilities, it is critical that participants in arbitration play their part in mitigating against this type of risk, particularly where sensitive information is involved and large sums are at stake. Even the arbitral institutions themselves are not immune, as was evidenced by the hack on the Permanent Court of Arbitration’s (PCA) website during a hearing of a high profile maritime border dispute.

The increase in transparency in investor-State arbitration through the publication of case documents during the proceedings might provide new opportunities for hacktivists to interfere with the arbitral process.  For example, hacktivists could use a form of social engineering that would involve impersonating a tribunal chairperson based on information from published procedural orders for the purposes of eliciting confidential information from the parties or co-arbitrators.  This type of ‘social engineering’ has become a common method of attack and has supplanted the more basic forms of phishing attempts.  Cyber-attacks can only be thwarted if all participants in arbitration remain alive to this type of threat.