AVCJ

Data sovereignty: Compliance complex

  • Justin Niessner
  • 21 February 2023

Deglobalisation is broadening the concept of cyber risk management from simply preventing attacks to navigating a minefield of data regulations. The pressure on PE spans investment, operations, and exits.

It’s been six months since Chinese ride-hailing platform Didi Chuxing was fined USD 1.2bn for a raft of data protection and data privacy transgressions in the wake of its US listing. Since then, data regulations have sprung up around the globe and existing legislation has been reinforced. Cross-border IPOs and expansions have slowed. And the term data sovereignty has entered the private equity lexicon.

Didi’s fine is by no means the starting point for these trends, but it’s easily the most dramatic catalyst for awareness among investors.

The company received about USD 10bn in private funding from the likes of SoftBank Vision Fund, Silver Lake, Mubadala Investment, and Temasek Holdings in the six years prior to its IPO. Within days of completing the USD 4.4bn offering, Chinese regulators launched an investigation, Didi was barred from onboarding new customers, and the stock tanked. Didi never recovered and it was delisted in May 2022.

Meanwhile, data protection fining has taken off.

Although predated by laws in Hong Kong and Singapore, the EU’s General Data Protection Regulation (GDPR) – which came into force in 2018 – is considered the gold standard for rigour and the template for similar rules globally. It levied 342 fines worth EUR 171.6m (USD 134m) in 2020. This jumped to 511 fines worth EUR 1.1bn in 2022. Based on current progress, the 2023 total will hit EUR 2.4bn.

Private equity is starting to take notice. It is well accepted that greater sustainability reporting requirements and the increasingly virtual nature of post-pandemic investing have deepened the importance of cybersecurity. But smart data handling now means more than preventing a hack or theft.

Cyber insurance, for example, will not protect an organisation guilty of transgressing data protection regulations. Indeed, the insurance holder’s premiums will only increase after such an incident, along with its reputational damage. While investors must have their policies and response protocols in place, the frontline of defence is ultimately portfolio company-level vetting and audits.

“It’s par for the course that you carry out financial due diligence, operational due diligence, and legal due diligence. So it’s sensible to include cyber due diligence as a necessary component of the diligence process,” said Lester Lim, a Hong Kong-based senior vice president in the cyber risk practice at Kroll who has more than 20 years of experience as a PE investor with the likes of RimAsia Capital Partners and GE.

“The cost of a breach is materially higher than it’s ever been in the past with privacy-related fines now figuring alongside the financial impact of business interruption or ransom payments. If you’re going to make an investment and there are potential financial, operational and legal liabilities to mitigate, then cyber should be alongside that.”

Privacy and politics

The essential understanding in all this is that it’s not just about the protection of individuals – it’s about the protection of national interests, an agenda with many more unpredictable variables.

Didi rushed to list ahead of the introduction of new data security legislation, having misjudged the strength of regulatory will. Proposed additional compliance measures were then issued for data-rich companies pursuing offshore listings, but the US-China dynamic was lost on no one. Chinese social media platform TikTok had already spent two years under review in the US on national security grounds.

Data sovereignty is widely described as having slowly smouldered for the past six years before catching fire in 2022-2023. Much of the current momentum traces back to March of last year, when Visa and Mastercard suspended operations in Russia in response to the Ukraine war. Russia has subsequently moved to bring more transaction processing capacity onshore.

In the meantime, requirements around the localisation of data processing have been rapidly adopted and enhanced in other jurisdictions. Saudi Arabia and Brazil are commonly flagged as the strictest regimes globally. In Asia, it’s China and India.

Technically, navigating this landscape can be as simple as partnering with global cloud service providers like Amazon, Google, and Microsoft that provide the necessary infrastructure. But many businesses will have to modify their models to make this work, while negotiating fast-evolving regulations. In some cases, aggregated, anonymised information can go cross-border. In others, it can’t.

In Apis Partners’ portfolio, these issues are most relevant to Eureka, a Singapore-based enterprise analytics and audience profiling platform that collects data in areas such as consumer movements in urban centres and credit and insurance scores.

Southeast Asia, India, and the Middle East are the core markets, and the company has made initial forays into Africa and the US. Much of Eureka’s staff has relocated to Abu Dhabi as part of a Middle East push. Other investors include Riyad Capital, but Saudi Arabia is seen as still too tough to crack in the foreseeable future.

“One of the things we look at is their readiness of data localisation,” said Udayan Goyal, a managing partner and co-founder of Apis.

“We need to make sure that whatever company we’re looking at, their systems and processes are architected so that if they go into a country – or if the countries they’re already processing data in suddenly require localisation – they can quickly transition to that model. It’s an important part of our diligence.”

Getting personal

The tip of the data sovereignty issue is personal information, which is increasingly viewed as a point of national security. This is an important understanding because breaches in personal data tend to be better publicised than those involving trade secrets, intellectual property, or other kinds of business intelligence.

The trend toward outsourcing of data functions with cloud and software-as-a-service providers does not make this easier to control, especially as adjacent classes of data such as location information from connected cars come into the mix. Incidents involving swathes of a better-informed public are increasingly likely to generate complaints to regulators.

“In the past, you didn’t have to tell people that your data has been stolen. Now, depending on where you are, you do. And when you report it, the incident changes. It’s no longer in your control, and you need a communications plan,” said Jim Fitzsimmons, a Singapore-based principal in the cybersecurity consulting team at Control Risks.

“The more forward-thinking private equity firms are seeing this and starting to dig into their portfolios to identify risks.”

Essential diligence questions on this front will establish whether personal data is collected and whether the business is considered important infrastructure in the local economy or likely expansion economies. Data platforms that only run on a single unified database will not be able to split data across geographies in the event localisation is required.

If the target company has experienced a breach in the past, it must be sussed out. Share purchase agreements should therefore include a provision that requires the seller to indemnify the buyer for residual liabilities related to previously undisclosed data breaches.

Best practice also includes knowing when the data privacy policies of targeted companies were drafted and if they need to be revised. This should be done with an awareness that it is common for uncredentialled staff to be responsible for signing off on policies or tweaking them periodically to keep up with fast-changing regulations.

It’s difficult to overstate how erratic this policy environment has become. Gabriela Kennedy, a cyber law-focused partner at Mayer Brown in Hong Kong, distributes a weekly update to clients that reveals at least two changes in the law somewhere in the region every week.

“Many companies in Asia Pacific have developed processes that comply with very high benchmarks like GDPR and apply that across multiple jurisdictions. The difficulty with that is you have a patchwork of legislation in Asia that is different to GDPR and constantly changing,” Kennedy said.

“You can no longer just say that if you have sorted out your compliance in the US and Europe that should suffice. Given the increase in business in Asia Pacific for many PE firms and the shifting sands of regulation here, a new focus should now be on this part of the world – especially given the trend toward sanctions for non-compliance tied to annual turnover.”

Kennedy has observed an uptick in private equity firms looking for help. Much of this work involves writing indemnities and warranties, as well as training investors on crisis management. Her main focus is helping existing portfolio companies get data-ready for exit.

Challenged in China

China is the most difficult jurisdiction in Asia in which to do this. The core legislation, the Personal Information Protection Law (PIPL), is broad; terms such as “important data” and “core national data” are seen as flexibly applicable depending on circumstances. PIPL allows regulators to fine companies up to 5% of their annual revenue (GDPR goes up to 4%).

Investor concerns range from being forced to divest assets locally at a lower valuation to not being able to incorporate a China subsidiary into a larger regional network due to difficulty getting data out of the country. If, for example, a foreign judge demanded information that Chinese authorities would not allow to be disclosed, the company would be forced into contempt of court.

Following the Didi investigation, Chinese regulators pursued measures requiring local companies holding personal information on more than 1m users to report to relevant agencies about data security prior to an offshore IPO. It was partly – though not wholly – responsible for large US IPOs by Chinese technology companies coming to a standstill.

“We have a pre-investment checklist for companies with sensitive data to see if they have data protection and privacy policies in place,” said one investor at a Chinese VC firm. “If the company is anything related to patient data, you better not focus on an exit outside of your home country. The listing channel is important for GPs from day one.”

The threat of Chinese companies on US exchanges being delisted appears to have receded as of December when US regulators gained full access to the relevant company audits for the first time.

Earlier this month, Hesai Technology, a developer of sensors for driverless cars, completed the largest US IPO by a Chinese company since Didi, raising USD 190m. The company has traded in positive territory to date and had a market capitalisation of USD 2.8bn as of February 19.

Autonomous driving is not an industry without its data sensitivity concerns, but two pre-IPO investors in the company told AVCJ they got comfortable with the company on the basis that its data would not be considered a security problem on IPO. Hesai raised about USD 540m in private funding between 2020 and listing. None of the external investors sold any shares in the IPO.

“Given the current geopolitical tensions, you have to work with GPs to make sure companies are well protected and there are no accidental exposures in terms of compliance rules,” said Kenneth Leong, a partner, CFO, and COO at Axiom Asia, which backed a USD 173m Series C round for Hesai in January 2020.

“That’s not only part of due diligence – it’s also always part of the ongoing operational work because it’s a very sensitive topic, and it becomes important at exit.”

Deal disruption?

While implementation of a systems architecture overhaul can be expensive, data sovereignty risk has not been noticeably priced into deals yet. It does factor into terms that can result in broken transactions, however. In some circumstances, investors will require selling shareholders to bear the risk of previous data breaches, which can be insurmountably unpalatable.

The phenomenon has also had minimal impact on investment targeting. The risks around cross-border data transfers do not appear to be considered steep enough to offset the natural advantages of a multi-jurisdictional strategy versus a single-country strategy. Likewise, the general appeal of acutely data-sensitive industries such as healthcare and financial services remains unchecked.

Even the idea that data processing localisation is driving a boom in data centre construction is a muted cause-and-effect. Joe Gooi, CEO of SC Zeus Data Centers, a unit of Singapore’s SC Capital Partners that recently raised USD 2bn for project development in the industry, said the primary demand driver was the digitalisation of economies, not their decoupling.

“In Southeast Asia, it used to be that Singapore was the regional hub for e-commerce players around the region. Now, the Indonesian government, for example, has set up a data sovereignty law and doesn’t want their data centres outside their jurisdiction for security reasons,” Gooi said, adding that the Indonesia data centre space had become somewhat oversaturated.

“But that is just one factor, not the key factor. If a country has a lot of data sovereignty laws [requiring onshore data centres] but we don’t see a lot of [commercial] demand, we wouldn’t do it.”

All this is not to diminish the significance of the data sovereignty trend as a due diligence and operational issue throughout the supply chain, even in seemingly less digital domains. As more devices – including cars – are connected to data collecting and processing systems, hardware is getting sucked into the historically software-oriented nexus of cybersecurity and geopolitics.

Keith Toh, a partner at industrial technology specialist Novo Tellus Capital Partners, said 70% to 90% of his firm’s portfolio is profoundly impacted by themes around geopolitics-driven onshoring and offshoring.

The idea is that supply chains are shortening with fewer jurisdictions working together in deeper relationships – a development known as friend-shoring or ally-shoring. This puts pressure on the remaining links in the chain to play more roles, have more infrastructure, and understand more security issues.

“There are entire black markets, grey markets, and shadow economies built around this. It’s difficult to wrap one’s head around just how mature that ecosystem has become,” Toh said, describing a host of cyber and data-related threats across semiconductor and electronics supply chains.

“Cybersecurity has now entered a meta-level of impact that’s quite profound across the entire investment value chain for us. It has to do with the fundamental technology shifts in our industries that are changing the way customers interact with companies. It is permeative. It’s spread into the entire environmental context where our companies operate.”

Off the radar

Novo Tellus’ portfolio companies don’t handle the kinds of datasets that typically run afoul of data privacy regulations, but their downstream customers do. As such, it has an opening to explore one of the most concrete ways an investor can approach data sovereignty as a value-add opportunity.

This far down the supply chain, relevant value-add is mostly about technical improvements to how data is handled inside machines. Better semiconductor design, for example, allows connected device providers responsible for sensitive datasets to handle information more safely. This in turn keeps those companies out of the headlines and off the radar of privacy compliance monitors.

It’s an interesting revelation that, even at the hardware level, so much of the support for portfolio companies coping with data sovereignty challenges boils down to keeping a low profile. Ultimately, this could mean that in a landscape where any customer, stakeholder, or regulator can trigger an action possibly leading to a fine, more investments may be agreed without any media notice at all.

“The minute you put money in, it has a bizarre signalling effect. Suddenly, the company is well capitalised, and the outside world sees that,” said Apis’ Goyal.

“Maybe the company had a breach in the past and was ignored because it was a fledgling start-up and the various affected stakeholders couldn’t get anything out of them. Now, there’s an opportunity.”


© Mergermarket Limited, 10 Queen Street Place, London EC4R 1BE - Company registration number 03879547

Digital publisher of the year 2010 & 2013

Digital publisher of the year 2010 & 2013