Parental Liability for GDPR Infringements: Lessons from EU Competition Law?


Today, Europe's highest court affirmed financial investors' liability for infringements of EU competition law by subsidiaries over which they exercise, or might be considered to exercise, "decisive influence".

The ruling by the Court of Justice of the European Union (the "CJEU") firmly entrenches the concept of parental liability under EU law and thus has important implications for financial investors, such as private equity firms, in relation to alleged breaches of EU competition law by their portfolio companies. In addition, it could, by extension, result in financial investors being held directly liable for infringements of the General Data Protection Regulation ("GDPR")[1] committed by their portfolio companies.

Scope of the GDPR

Having entered into force on 25 May 2018, the GDPR aims to provide a harmonised framework for the protection of personal data across the EU. It applies to the processing of (i) personal data by EU-based companies, regardless of whether the processing takes place in the EU; and (ii) personal data of a "data subject" in the EU by a non-EU company, where either goods or services are being offered to data subjects in the EU or any behaviour of data subjects is being monitored where that behaviour takes place in the EU.

This broad scope means that both EU companies and non-EU companies with EU-based subsidiaries or portfolio companies must comply with the GDPR. As a corollary, no financial investor which has invested in or plans to invest in portfolio companies in Europe can afford to ignore the GDPR, not least since GDPR infringements carry potentially severe penalties, including fines of up to the higher of 4 per cent of an undertaking's worldwide annual turnover or €20 million. In the case of a financial investor, "undertaking" may include the infringing portfolio company, the financial investor and each of its other portfolio companies.

EU competition law as a model for GDPR enforcement?

There remain unanswered questions about how the GDPR will be enforced in practice, including around the potential exposure of financial investors for GDPR infringements by their portfolio companies. In this regard, lessons can be drawn from enforcement under EU competition law, not least because the GDPR uses the same concept of "undertakings".[2]

The concept of parental liability for infringements of EU competition law by subsidiaries is well-established. Two or more legally separate entities may be treated as a single undertaking for the purposes of applying EU competition law if their relationship justifies regarding them as a single economic unit.[3] The test is whether a parent company exercises "decisive influence" over the commercial policy of its subsidiary.[4] For wholly owned subsidiaries, there is a rebuttable presumption that the parent company exercises decisive influence,[5] meaning that the European Commission (the "Commission") can regard the parent company as jointly and severally liable for fines resulting from infringements of EU competition law committed by one or more of its subsidiaries. Where the parent company does not hold all of the shares in its subsidiary, the presumption that it exercises decisive influence over the subsidiary will not necessarily apply and the Commission is required to demonstrate that the parent can – and does – exercise such influence (e.g. through the exercise of voting rights).

Importantly, even a minority shareholder may be found to exercise decisive influence over an investee company where, in addition to its shareholding, it holds rights over such company which are greater than those customarily granted to such a minority shareholder in order to protect its financial interests (such as certain veto or consent rights).

For example, in 2014, the Commission found Goldman Sachs Group, Inc. ("Goldman Sachs") jointly and severally liable for part of a €105 million fine imposed on Prysmian Group ("Prysmian") – a company in which it held a minority stake (31.8%) – for breaching EU competition law by allegedly participating in cartel conduct.

The Commission concluded that Goldman Sachs (acting through its private equity portfolio manager, GS Capital Partners) exercised decisive influence over Prysmian during the period of infringement, particularly because it indirectly held voting rights that enabled it to appoint and remove members of Prysmian's board of directors and Goldman Sachs' representatives on such board were bestowed with "the broadest possible powers of management".[6]

Goldman Sachs appealed against the Commission's decision to the CJEU, claiming that the Commission was wrong to hold it jointly and severally liable for the infringement allegedly committed by Prysmian and that the Commission had failed to demonstrate to the requisite legal standard that Goldman Sachs actually exercised decisive influence over Prysmian during the relevant period.[7]

In a ruling handed down today,[8] the CJEU dismissed Goldman Sachs' appeal in its entirety. Siding with the Commission, the CJEU upheld the joint and several fine against Goldman Sachs, concluding that because Goldman Sachs "[was] able to exercise all the voting rights associated with its subsidiary's shares, in particular in combination with a very high majority stake in the share capital of that subsidiary, it can be presumed that the parent company determines the economic and commercial strategy of the subsidiary, even if it does not hold all or virtually all of the subsidiary's share capital."[9]

How can financial investors manage GDPR infringement risk post-Prysmian?

Financial investors typically either acquire controlling interests in their investee companies or a significant minority interest in them, coupled with a reasonably comprehensive set of veto or consent rights in respect of key shareholder and/or board decisions. As is evident from the Prysmian case, either approach is capable of conferring upon the financial investor "decisive influence" over its investee company. Post-Prysmian, European regulators are likely to be increasingly confident in attributing liability for breaches of EU law (including potentially GDPR infringements) committed by investee companies to their financial investors who hold such interests and/or rights.

This development puts the onus on financial investors to ensure that thorough legal due diligence is carried out on a target company's compliance not only with EU competition law, but also with GDPR and other data protection legislation. As regards the latter, it is critical for financial investors to gain a detailed understanding of how the target company captures, stores, uses, processes and transfers data, including personal data, throughout its business.

To help our clients evaluate the current state of their compliance with the GDPR, Orrick has produced an online GDPR Readiness Assessment Tool

Any material non-compliance with the GDPR or other data protection legislation identified during the due diligence process should be addressed by measures such as a remediation plan (to be implemented either pre-signing or pre-completion of the acquisition depending on the time required to complete such remediation) or specific indemnities. Post-completion, the financial investor should also ensure that the target and its subsidiaries (if any) comply with a robust data protection policy and that the management team receives training on data protection compliance.

Whilst these measures may not absolve the financial investor from liability for GDPR or other data protection infringements by one or more of its portfolio companies, they ought to reduce the risk of such infringements occurring in the first place and/or mitigate (to some extent at least) the financial investor's liability for such infringements.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016, p. 1–88.
[2] See, for example, recital 150 of the GDPR: "Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes."
[3] Case C-97/08 P Akzo Nobel and Others v Commission [2009] ECR I-8237, at 56.
[4] Akzo, at 58.
[5] Akzo.
[6] Case AT.39610 – Power Cables, decision of 2 April 2014, at 5.2.2.
[7] Case T-419/14 The Goldman Sachs Group v Commission, OJ C282/41, 25.8.2014. Prysmian has also appealed the Commission's decision (Case T-475/14 Prysmian and Prysmian cavi e sistemi v Commission, OJ C315/68, 15.9.2014).
[8] See related press release:
[9] Ibid.