Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

How can private equity firms identify and mitigate inherited liability risk from vulnerable portfolio companies?

By Tom Evans, Gail Crawford, Fiona Maclean, David Walker, Katie Peek, Catherine Campbell, and Amy Smyth

Ongoing big-ticket regulatory fines coupled with high-profile corporate veil cases indicate that private equity deal teams must remain alert to the risk of buyout firms inheriting liabilities from vulnerable portfolio companies. Increasing GDPR fine activity, including the UK Information Commissioner’s intention to fine British Airways £183 million and an international hotel group £99 million for GDPR failings, is of particular concern. In parallel, the UK Supreme Court recently examined the circumstances in which a parent company can be held accountable for its subsidiary’s actions. In our view, private equity firms should take careful but active steps to identify and mitigate this inherited liability risk; there is no doubt that PE funds are increasingly in the firing line.


GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactions, and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and the Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

  • A small number of major corporations holding the largest datasets on a significant number of individuals (as is currently the case)
  • Continuing vast and rapid improvements in artificial intelligence and machine learning that allow firms to mine Big Data sets with greater ease and speed
  • Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

By Gail Crawford, Hayley Pizzey, Mark Sun, and Calum Warren


As European data protection regulators prepare to enforce the General Data Protection Regulation (GDPR) from May 2018, private equity firms must act to minimise the risk of becoming financially liable for the data protection failings of portfolio companies. After a recent spate of high-profile data breaches, the risks for financial sponsors are high.

Why is a Data Protection Failing at Portfolio Company Level a Serious Concern for a Buyout Firm?

The GDPR sets out defined obligations and extends EU data protection law’s territorial reach, catching any business that operates in the EU, or offers goods and services to — or monitors the behaviour of — EU data subjects (whether in the EU or not). Fines for noncompliance can be substantial — up to the higher of €20 million or 4% of an undertaking’s global annual turnover. The regime defers to the EU antitrust concept of “undertaking”, which in our view means fines may be calculated by reference to the combined revenue of an offending portfolio company and the buyout firm (including the firm and all other portfolio companies within its group). This leaves open the possibility of data protection regulators directly fining buyout firms for the failures of portfolio companies.

By Gail Crawford, Mark Sun and Katie Campbell


Amid a growing number of high-profile corporate data breaches, cybersecurity is now a key issue for strategic acquirers. The hack of Yahoo, which came to light midway through its 2016 takeover by Verizon, resulted in a US$350 million purchase price reduction. The true extent of the hack has only recently been uncovered, demonstrating how damaging a large-scale data leak can be. With state-sponsored actors and opportunist hackers at work, and recent cyberattacks specifically aimed at obtaining inside information about transactions, a target’s cybersecurity must be front of mind. In our view, deal teams must consider how a data breach could impact a potential acquisition, before, during and after a deal.

Preparing for a Transaction — What Should M&A Deal Teams Scrutinise?

M&A deal teams must identify a target’s cyber assets and review security protocols and cyber defences, emphasising thorough technical due diligence. Diligence should include how data is stored and managed, where it is handled, and the data security measures implemented by third-party service providers. Acquirers should assess data sets including personal information, focusing on why information is being stored and whether storage is necessary and proportionate.

Acquirers should be alert to red flag issues; for example, lack of awareness about data protection and cyber issues; poor employee training on data security; failure to keep records of historic breaches; and regulatory investigations. Addressing poor practices post-close requires time and resources — buyers may prefer to factor costs into the purchase price, or require pre-closing remediation.

By Gail Crawford and Calum Docherty

Her Majesty’s Government last week published a position paper outlining its preferred post-Brexit landscape for data protection. The high-level takeaways are hardly surprising: the government stresses that it intends to “remain a global leader on data protection” and, as we already know, the UK’s Data Protection Bill, announced in the Queen’s Speech, will implement the EU’s General Data Protection Regulation (GDPR).

The paper’s top priority is the frictionless movement of personal data between the UK and the EU. The government sets out the Schrems test – i.e., that standards in a non-EU country must be “essentially equivalent” to those applied in the EU – and emphasises that the UK will be in an “unprecedented position” at Brexit, as the UK will have fully implemented the GDPR and so have the same data protection standards as the remaining EU member states. The government priority, then, is for the UK and the EU “to agree early in the process to mutually recognise each other’s data protection frameworks” to allow the free flow of personal data to continue at the time of Brexit. This bespoke interim solution would be followed up with agreed timelines about longer-term arrangements, with the paper suggesting that the UK will ultimately seek an adequacy decision.

By Gail Crawford and Danielle van der Merwe

Following the commencement of the Brexit negotiations earlier this week, the Queen announced in her speech on Wednesday a new law that will “ensure the United Kingdom retains its world-class regime protecting personal data”.

This bill will replace the current Data Protection Act 1998 in the UK. One of the bill’s main reported benefits is the implementation of the General Data Protection Regulation (GDPR) (and the new directive applying to law enforcement data processing), meeting the UK’s obligations while it remains an EU Member State. Crucially, the intention is for the bill to help put the UK in the best position to maintain its ability to share data with other EU Member States, and internationally, after the UK leaves the EU.

By Sophie Lamb and Samuel Pape

The latest global ‘WannaCry’ attack has again brought to the fore the need for sovereign and private parties to have in place adequate cyber-security measures and response plans to deal with cyber-attacks, including in the context of international arbitration. As attackers become increasingly resourceful in their ability to exploit vulnerabilities, it is critical that participants in arbitration play their part in mitigating this type of risk, particularly where sensitive information is involved and large sums are at stake. Even the arbitral institutions themselves are not immune, as was evidenced by the hack on the Permanent Court of Arbitration’s (PCA) website during a hearing of a high-profile maritime border dispute.

The increase in transparency in investor-State arbitration through the publication of case documents during the proceedings might provide new opportunities for hacktivists to interfere with the arbitral process. For example, hacktivists could impersonate a tribunal chairperson, using the names, dates and procedural details set out in published procedural orders to make the approach convincing, in order to elicit confidential information from the parties or co-arbitrators. This type of targeted ‘social engineering’ has become a common method of attack, displacing the more basic forms of phishing. A request for documents or information that arrives by email or telephone should therefore be confirmed through a channel the tribunal has already established. Cyber-attacks can only be thwarted if all participants in arbitration remain alive to this type of threat.

By Gail Crawford and Christian McDermott

The recent cyberattack on Tesco Bank’s IT systems has prompted Rt Hon. Andrew Tyrie MP, Chairman of the Treasury Committee, to call on regulators to take action against vulnerable bank IT systems:

Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators. We will raise this issue with them again shortly. We can’t carry on like this.

The call follows earlier correspondence on this topic between Andrew Tyrie, various major UK banks, the FCA and the PRA.