There are three types of regulation that govern data: direct regulation aimed specifically at the data privacy of individuals, indirect regulation arising from the governance of the sale of goods or the provision of services, and cybersecurity laws which restrict the expatriation of data.
The EU’s GDPR is at the forefront of privacy regulation. It is harmonised across all member states and, because of the structure of trade agreements, it is driving many non-EU countries to regulate in the same or similar fashion.
Regulation that protects purchasers of goods and services, such as the Legal Instruments of the UK's Financial Conduct Authority or the USA's HIPAA laws, often contains clauses that also govern the use of data. These regulations, and the applicable/governing law, are often specific to an individual country and industry, and are seldom harmonised (even across the EU).
Cybersecurity laws are country-specific, more favoured in Asia, and often contradict data privacy regulation (or make compliance with another country's regulation very difficult). They also tend to be indiscriminate.
Why data regulation matters to the investment thesis
Data protection regulators tend to focus on data privacy breaches, such as people’s data being stolen en masse through poor cybersecurity (although they do provide for prosecution due to lack of governance mechanisms). Conversely, financial regulators tend to focus on lack of processes (which typically become evident after an investigation into mass mis-selling). Regardless of motivation or trigger, the majority of regulation relies on self-policing rather than reporting.
To enforce this self-policing approach, most regulators rely on imposing fines that are financially significant to the shareholders of the company in breach, and which also signal the need for compliance to the industry at large. These financial penalties are designed to have a material impact on the EBITDA of the investment thesis. The leading example of this approach is the EU and GDPR: in 2021 alone, Amazon was fined €746m, WhatsApp €225m, Austrian Post €9.5m and Vodafone España €8.15m for data breaches.
There is anecdotal evidence to suggest that these fines have an impact on the valuation multiple on exit. As a result of the 2020 data breach, British Airways now faces the largest group claim over a data breach in the UK’s history, and TalkTalk is still facing a group claim arising from its data leak in 2014 which seems to have been factored into its valuation in the 2021 buy-out.
EU and UK GDPR
UK GDPR and EU GDPR are now different laws that may or may not diverge.
At the time of writing, they are legally equivalent and thus allow for the continued exchange of data between the EU and the UK using common infrastructure. (Equivalence was signed into EU law on 28th June 2021 when the EU approved UK GDPR adequacy and passed the Law Enforcement Directive.) This is valid only until 27th June 2025.
There is a political risk of divergence on or after 27th June 2025. It is difficult to predict how big this risk is, but given the nature of politics it could happen, and given the value at risk, it makes financial sense to plan for a worst-case scenario.
Data privacy regulation in North America
Canada has a relatively strict data protection regime, resulting from a complex set of federal and provincial data laws and consumer protection laws.
Across the USA, in contrast, there is almost no harmonisation of data protection regulation. Laws that do exist are focused on specific use cases, such as the protection of children’s data in healthcare, and are a mix of state and federal enactments. Indeed, there is very little protection of a person’s data at all in the USA - the data collected by the vast majority of SaaS products and services (even in regulated industries) is not regulated at all, and companies do not need permission to harvest your data for marketing and sales purposes.
The exception is the California Consumer Privacy Act (CCPA) passed in 2018. It is a strong regulation akin to GDPR and, because of the size of the California market, is driving harmonisation of data privacy across the USA amongst national service providers who wish to operate there. Colorado and Virginia also have consumer data protection laws but, whilst there is some talk of enactment in other states, there appears to be little political appetite amongst the majority of states (or the Federal Government) to follow suit.
Data privacy regulation elsewhere
Outside of Europe and North America, regulation is a country-by-country issue. There is a growing movement in Asia to introduce data protection regulation, but each country is implementing its own laws, which are not harmonised.
Many Asian countries have highly restrictive cybersecurity regulations that forbid the transfer of personal data outside of the country.
Whilst the application of these cybersecurity laws can appear to be arbitrary from a market perspective, when they are invoked, the sanctions are often severe and financially punitive.
Ability to respond to shifts in regulatory requirements
Responding to a regulatory change should not impact the investment thesis - unless the business model is built upon unregulated acquisition and exploitation of personal data. Most changes are incremental and there is a large commonality across the individual data privacy regimes throughout the world, so changes are unlikely to have a large impact upon existing governance, processes and culture.
Given the trends in data privacy regulation, the primary area to be impacted by changes and divergence in regulation is likely to be data residency (the country where data is processed and stored) – specifically, a need for multiple countries of data residency.
Operating additional countries of data residency requires additional data management infrastructure (technology, processes and policies) and also additional technical infrastructure to acquire and exploit the data. Multi-residency infrastructure can be complex, with material Capex and Opex requirements. However, if the transition is planned for and well managed, the total cost of establishing an additional country of data residency is not likely to impact the investment thesis. If it is not planned and is done in fire-fighting mode, this can be an expensive activity that impacts the company’s ability to meet the investment milestones.