STRAIT Compliance Brief: Global Privacy Legislation - Private Fund Advisers and Schrems II

In the United States, the march of privacy legislation impacting private fund advisers has been somewhat slow and steady.  Traditionally, purely domestic private fund advisers have been required to maintain and distribute privacy policies that satisfy the Gramm-Leach-Bliley Act1 and Regulation S-P2.  These regulations have not proven to be high hurdles, and the privacy policies addressing them have commonly been form driven and static.  The SEC and CFTC have mildly increased the focus on privacy by promulgating Regulation S-ID and Subpart C of Part 162 of the CFTC regulations, respectively, or the so-called “Red Flag Rules3,” but avoidance of certain behavior can largely reduce the impact of those rules as well. 

The greatest change has been at the state level, most notably in California with the “California Consumer Privacy Act4,” and New York with the “SHIELD Act5.” For advisers within their jurisdictional limits, these laws require greater identification of, and restrictions on, the use of investor data, measures to provide investors the ability to address their data concerns, and notice of data breach issues.

Looking beyond the U.S., by far the most impactful privacy legislation has been the E.U.’s General Data Protection Regulation, or “GDPR6.” Since it came into effect in 2018, U.S. companies with any exposure to the E.U. have either been eliminating that exposure, if possible, or fundamentally changing7 how they gather, track, process, and outsource the processing of the data of E.U. citizens.  Most emerging managers are first exposed to GDPR with their first E.U. investor or the launch of a Cayman Islands fund, which adopted the Cayman Islands Data Protection Law8 that largely mimics GDPR.

Compliance has been complex, even for the regulators9, but most U.S. firms had largely become comfortable with their compliance infrastructure—until the courts got involved.  On July 16, 2020, in a case called “Schrems II,” the Court of Justice of the European Union invalidated10 the use by U.S. firms of the two fundamental means of compliance—the “Privacy Shield” (a framework between the Department of Commerce and the E.U. Commission) and Standard Contractual Clauses (cascading contractual obligation between data controllers, processors, and sub processors designed to protect the data of E.U. citizens, which was the route most advisers adopted)—due to U.S. surveillance laws.

The procedures of the U.S. Foreign Intelligence Surveillance Act of 1978 (“FISA”) were established for physical and electronic surveillance and collection. Section 702 of FISA authorizes the collection, use, and dissemination of electronic communications content stored by U.S. internet service providers and content hosts, such as Google, Facebook, and Microsoft. Those national security objectives were expanded under Executive Order 12333, which broadened the U.S. government's reach to "collect information concerning, and conduct of activities to protect against, international terrorism, proliferation of weapons of mass destruction, intelligence activities directed against the United States...and other hostile activities directed against the United States by foreign powers, organizations, persons and their agents.”

Though most investment advisers are unaware of any specific application of these laws to them, the mere possibility of their application to U.S. firms importing or exporting data to/from the U.S. was conclusive to the court in determining that the laws were incompatible with the goals of GDPR and that therefore the Privacy Shield and Standard Contractual Clauses could not provide adequate protection.

Since the ruling, the Department of Commerce and the E.U. Commission have continued to discuss11 a successor framework to the Privacy Shield, and there is talk of a “GDPR 2.0,” which will, among other things, address the weaknesses of the Standard Contractual Clauses. In the interim, several  “solutions” have been mooted (some dubious or administratively difficult), including greater encryption of data, commitments not to cooperate with the surveillance laws, and explicit consents by E.U. citizens to data importation/processing despite the surveillance laws.  None are magic bullets, leading some U.S.-based tech firms to consider suspension of data transfers altogether,12 so we await further guidance, which we are promised is forthcoming. Please contact STRAIT if you would like a copy of our form data transfer consent.

Fund Databases and Indices - AIFMD and the E.U. Benchmark Regulation

Several data providers have long offered hedge fund and private equity fund databases (e.g., Preqin, HFR, Bloomberg), whereby information is provided to subscribers about participating private funds and managers for reporting, or more notably, discovery/marketing of those funds and managers.  To avoid violation of marketing restrictions applicable to private funds, such as Regulation D,13 the data providers commonly qualify the subscribers as “accredited investors” or “professional investors,” as the case may be. In the U.S., the rules around such database services, though dated, are largely settled via a series of SEC no-action letters called the “Lamp Letters”14.  With recent “crowdfunding”15 regulation, their use has expanded and the offering diversified to include the ability to invest and not just discover, via database platforms.  Some broker-dealers have also launched “matchmaking” platforms that operate similarly but, by virtue of living within a regulated broker-dealer entity, permit the charge of a “success fee” for consummated investments, rather than just an access fee as with traditional databases.

Especially with the traditional databases, the providers are commonly strong on U.S. regulatory compliance.  However, they may be somewhat weaker on global regulatory compliance, though they often provide global access.  For example, in the E.U., the ability to market hedge funds or private equity funds (“Alternative Investment Funds”) is governed by AIFMD16 (the “Alternative Investment Fund Managers Directive”).  AIFMD operates to make it difficult for non-E.U. funds and managers to market to the E.U. by only providing access on a country-by-country basis and not market-wide, though requiring them to live up to the full scope of regulation as applied (sometimes disparately) on a country-by-country basis.  Other than the larger managers/funds willing and able to have a presence in the E.U. or willing to give up significant economics to get on a UCITS17  or other E.U. based distribution platform, most rely on a carve-out from the definition of “marketing” under AIFMD—“reverse solicitation.”  “Reverse solicitation” generally means that the non-E.U. manager/fund has made no effort to market their fund in the E.U., and the investors have instead come into the fund by discovering it on their own and thus reverse soliciting the fund.  It is still questionable whether contribution to a database available in the E.U. is “marketing” under AIFMD, including whether collecting investor qualifying certifications before access solves anything.  However, at the very least, doing so potentially weakens reliance on “reverse solicitation” by providing E.U. regulators a counter to the argument that the investor found the manager/fund on his or her own without the participation or “priming of the market” by the manager/fund.

At least one database provider has gone even further and potentially triggered the application of yet another E.U. regulation to participating U.S. managers and funds.  HFR publishes a number of hedge fund indices18 based on the data of contributing hedge funds. In reaction to the LIBOR scandal19, the E.U. began regulating and authorizing index or “benchmark” administrators via the E.U. Benchmark Regulation20 if their benchmarks are used in financial instruments and financial contracts in the E.U.  Such use has been defined rather broadly, even including passive use of a published benchmark without the consent of the administrator. However, the question of “use” could be resolved for at least some benchmarks if they follow the HFR model, which recently partnered21 with Aberdeen Standard Investments to provide an index fund based on their hedge fund indices.  If a benchmark is available in the E.U. or otherwise used in the E.U. and tied to the construction of an index fund, any U.S. manager/fund contributing to the index (whether part of the index fund or not) is potentially backdoored into the E.U. Benchmark Regulation.  This is due to the requirement that the authorized benchmark administrator imposes a “contributors code of conduct” on all relevant data contributors to the index, which regulates what data is provided and how.

About STRAIT

STRAIT provides a comprehensive range of compliance and regulatory services to the global financial services industry. Our services span a wide range of ongoing and project-based offerings, including regulatory filings, policy reviews, and regulatory exam support, as well as the development and execution of entire compliance programs. The experienced compliance team leverages STRAIT’s proprietary Compliance Control Framework to provide advisers with a real-time picture of task progress on a secure, cloud-based platform, enhancing both transparency and accountability while reducing overall risk.

__________________

1 https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

2 https://www.sec.gov/rules/final/34-42974.htm

3 https://www.govinfo.gov/content/pkg/FR-2013-04-19/pdf/2013-08830.pdf

4 https://oag.ca.gov/privacy/ccpa

5 https://legislation.nysenate.gov/pdf/bills/2019/S133

6 https://gdpr.eu/

7 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

8 https://ombudsman.ky/data-protection-organisation/introduction

9 https://www.shlegal.com/insights/data-protection-update---august-2020#danish

10 https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/

11 https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and 

12 https://www.theguardian.com/technology/2020/sep/22/facebook-says-it-may-quit-europe-over-ban-on-sharing-data-with-us

13 https://www.law.cornell.edu/cfr/text/17/230.500

14 https://www.sec.gov/divisions/investment/noaction/1997/lamptechnologies052997.pdf;

14 https://www.sec.gov/divisions/investment/noaction/1998/lamptech052998.pdf

15 https://www.sec.gov/smallbusiness/exemptofferings/regcrowdfunding

16 https://www.aima.org/regulation/aifmd.html

17 https://ec.europa.eu/info/law/undertakings-collective-investment-transferable-securities-ucits-directive-2009-65-ec_en

18 https://www.hedgefundresearch.com/indices

19 https://www.cfr.org/backgrounder/understanding-libor-scandal

20 https://www.esma.europa.eu/policy-rules/benchmarks

21 https://www.hedgefundresearch.com/news/aberdeen-standard-investments-and-hfr-launch-strategic-partnership-for-investable-hedge-fund