We have been getting a lot of questions lately about whether and how GDPR may apply to US and Asia based managers of venture capital funds. This is a rapidly evolving area; however, there is a sound legal view to the effect that many of the managers we work with are simply outside the scope of GDPR, and not bound by it at all. The question at its heart is a jurisdictional one: can and does the reach of the EU regulators extend to a fund manager outside the EU that may have some connectivity, no matter how limited, with the EU?
Let’s examine the case of a US or Asia based manager that doesn’t have an office, legal registration or any personnel in the EU – a category which fits a vast supermajority of the clients we work with. If you don’t fit this category (i.e. if you have a Paris office or two staff in Belgium), this article doesn’t apply to you – your EU connectivity places you squarely inside the scope of GDPR and you should get further, detailed professional advice. But returning to the former category, we note that, looking directly to the language of the law itself, there are three ways that a firm might be jurisdictionally “captured” by GDPR. Two can be stricken right away on our assumed facts: first, firms that are located in an EU member state (which should be read broadly to include offices, personnel or legal registrations); and second, firms that, while not technically located in an EU member state, are located “in a place where Member State law applies by virtue of public international law”; the example given is operating inside a consular mission in a country outside the EU. The firms which are the subject of this article should have easily passed through these first two gates.
Which brings us to the third way GDPR may apply to a firm. The law states that: “This regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to either (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior [“their” being data subjects in the Union] as far as their behavior takes place within the Union.”
The key language above is “data subjects in the Union”. This plainly refers to individuals in the EU, and not entities (the GDPR concerns protection of the data rights of individual human beings, called “data subjects” in its parlance, and doesn’t extend protections to entities). What arises, essentially, is a B2B versus B2C distinction. If a venture capital manager in, say, Silicon Valley or Beijing is marketing to high net worth individual investors inside the EU, which some but not many managers we work with do, GDPR will apply under this third jurisdictional test. However, for the most part, the fund managers outside the EU we work with, if marketing at all into the EU, are marketing only to entities – think that French fund of funds, and so forth. If this “B2B” marketing covers the extent of the venture firm’s activity with respect to the EU, it appears plain on the language of the law that GDPR simply does not apply. To be very clear, this would, in our view, cover even a situation where an individual associated with that French fund of funds inks his name, phone number and email address into a subscription agreement as a contact party, and so forth. Since the venture firm is outside the scope of GDPR, the law doesn’t apply even in respect of that limited capture of the individual’s information in the entity’s subscription agreement.
While some analyses have concluded that the venture manager on Sand Hill Road holding a few bits of EU data is probably not the intended subject of GDPR, there appears to be a better legal position than simply hoping for non-enforcement. This jurisdictional analysis should be the first stop in determining potential obligations under GDPR. With that said, at a broader level, GDPR is about transparency and security of data processing, and about avoiding data breaches or, at least as a fallback, having plans to respond to such breaches quickly and efficiently. We have been working with clients recently, in no small part because of the direction set by GDPR and the attendant media coverage and client relations inquiries, to update policies to a sensible, modern standard.