To what extent can private equity sponsors be subject to enforcement action under the General Data Protection Regulation for the actions of their portfolio companies — whether independently of, or in conjunction with, those companies?
It’s a question that we continue to receive, nearly seven years after the GDPR took effect. Most commonly, the question arises in the diligence context, both on the buy- and sell-side. But we also see it raised whenever a large fine, calculated by reference to an organisation’s annual global turnover (usually, in the context of U.S. Big Tech), is issued.
It’s an important question because the maximum penalties that can be issued under the GDPR are determined, in the case of an “undertaking”, according to the “total worldwide annual turnover” of its preceding financial year (see Articles 83(4), (5) and (6)). The GDPR does not define “undertaking”. However, Recital 150 makes clear that the term should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union — that is to say, EU competition law.
Since May 2018, the Court of Justice of the European Union has given little attention to interpreting undertaking liability for the purposes of the GDPR. The exception is C-807/21 Deutsche Wohnen, in which the CJEU confirmed (albeit in obiter) that the meaning of “undertaking” is to be interpreted by reference to Articles 101 and 102 TFEU, such that it covers “an economic unit even if in law that economic unit consists of several persons, natural or legal”, given that the economic unit “consists of a unitary organisation of personal, tangible and intangible elements which pursues a specific economic aim on a long-term basis”.
Case C-383/23 ILVA A/S
On 13 February 2025, the CJEU issued the first judgment that addresses the question directly.
In C-383/23 ILVA A/S, the Court largely affirms the conclusions of Advocate General Medina’s Opinion of September 2024, in which AG Medina held that where a GDPR fine is imposed on a controller or processor that is — or forms part of — an undertaking, the total annual turnover of the undertaking (i.e., parent) is used to calculate the maximum amount of the fine that may be imposed on the infringing entity. Importantly, the CJEU confirms that such liability can arise even where the parent entity — or the other entities in the group — are not responsible for the infringing conduct.
Moreover, the Court makes clear that the determination of the maximum amount of the fine should be distinguished from the actual calculation of the fine, which requires the supervisory authority (1) to ensure that it is effective, proportionate and dissuasive, and (2) to consider, among other things, the nature, gravity and duration of the breach of the GDPR, the number of individuals affected and the level of damage they suffered, and the measures taken by the infringing party to mitigate the damage.
In practice, the key question is whether a parent company exercises “decisive influence” over the conduct of its subsidiary(ies). The factors that private capital firms should consider in determining whether they exercise such control are therefore both general and specific.
- General Factors to be considered include the decision-making power of the parent company, the scope of the infringing conduct and the number of entities of the undertaking that are involved.
- Specific Factors to be considered include the type of investment made in each portfolio company (i.e., passive, active, joint venture or otherwise), the number of board seats held in each portfolio company, and how the firm’s “influence” manifests in the commercial and strategic decisions of its investee companies.
Lastly, as AG Medina noted in her ILVA A/S Opinion: “It is settled case-law that, in the particular case in which a parent company holds, directly or indirectly, all or almost all of the capital in a subsidiary which has committed an infringement of the competition rules, the parent company is able to exercise decisive influence over the conduct of the subsidiary and there is a rebuttable presumption that the parent company does in fact exercise such influence.” The same principle also applies to voting rights, both in conjunction with and irrespective of the specific shareholdings of a parent in its subsidiary companies.
What’s Next?
Parental liability-related enforcement is more advanced in respect of EU competition law. Since 2021, multiple fines have been issued and investigations undertaken at the supranational and domestic levels in relation to private equity investors’ liability for the conduct of their — current and former — portfolio companies.
By contrast, the parental liability doctrine has not extended to GDPR enforcement; not yet, at least.
However, given the number of GDPR penalties issued each year (more than 2,000 to date), this won’t be the case for much longer — statistically speaking, at least. Moreover, at least two of the EU’s flagship digital laws make reference to an “undertaking”: Article 90 of the AI Act and Article 3(x) of the Digital Services Act.
As such, the CJEU’s decision in ILVA A/S is unlikely to be the last that we will hear about parental liability for subsidiary non-compliance with European data rules, both in the corporate and private capital contexts.