One of the novelties in the recast European Insolvency Regulation (EIR 2015), in force since 2017, is its set of rules for data protection. Generally, the aims of most national insolvency laws and those of data protection laws are contradictory. The former are designed to facilitate access to information by creditors and courts. Data protection-rules, however, aim rather to restrict access. The EIR 2015 tries to overcome this conflict. It wishes to create “… the proper balance by ensuring access to no more information than what is necessary for the efficient and effective conduct of cross-border insolvency proceedings” (see recital 3). For the full data-protection rules in the EIR 2015, see Articles 78 to 83.
GDPR. The EU’s general data protection rules date from 2018. (See the reference list below for the General Data Protection Regulation (GDPR), applicable as of 25 May 2018 in all member states, which aims to harmonize data privacy laws across the EU). Where information and data are engrained in an insolvency and restructuring process, it is important that insolvency practitioners are knowledgeable about these rules. The method in any insolvency case for processing personal data (including collecting, recording, storing, using, disclosing or transmitting that data) should be tested against the GDPR and in particular its special rules on different categories of personal data. Insolvency practitioners (IPs) should be acquainted with the GDPR and fully comply with it. Failure to do so may trigger large fines of up to €20 million under Article 83(5) of the GDPR.
Standards etc. Compliance with the rules and principles of data protection ensures processing that is lawful, fair and transparent, limited in purpose and scope, accurate, carried out for only as long as necessary, secure, confidential and accountable (Article 5 GDPR). Recitals 167 and 168 of the GDPR confer specific powers on the European Commission to ensure uniform conditions for its implementation. Recital 167 suggests that the Commission should consider specific measures for micro, small and medium-sized enterprises. Recital 168 provides the following: “The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.” One may need to read this complex sentence twice. The “Board” mentioned is the European Data Protection Board, which was established by the GDPR. This broad set of activities is clear evidence that the subject is rather complex. Why should any individual IP invent the wheel just by him- or herself?
Developing Codes of Conduct. Related to this long list, Article 40 of the GDPR (which has 11 subparagraphs) foresees the development of codes of conduct. It says that EU member states, their supervisory authorities, the European Data Protection Board and the European Commission shall encourage “the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.” Article 40(2) of the GDPR calls for associations and other bodies representing categories of controllers or processors. They may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of the GDPR. In essence, codes of conduct are similar to practical guides providing easily understandable interpretation of the GDPR’s abstract rules.
Support for such Codes. Recently, in Dutch literature, it has been noted that, in practice, relatively little use has been made of the opportunity offered by the GDPR to draw up a code of conduct by associations of insolvency practitioners to determine how the GDPR is dealt with. The author, Mincke Reijneveld, a PhD candidate at Radboud University in Nijmegen, sketches that there are many advantages for IPs in drawing up a code of conduct: it would create clarity, legal certainty, help to demonstrate compliance with the GDPR and could also lead to a practical and cost-effective handling of the GDPR. At the same time, she is pragmatic in noting that it could take a long time to draw up a code of conduct and the result could be quite static once approved by the national supervisory authorities. A few years ago, Ilya Kokorin, a PhD candidate at Leiden University’s Department of Financial Law, and myself were just as positive about drawing up such a code of conduct when we co-authored an article in International Corporate Rescue. We suggested that in the world of restructuring and insolvency, national associations of turnaround managers, IPs, accountants and insolvency lawyers, as well as representative bodies such as INSOL Europe should step forward because data protection laws will play even bigger role in the future, with the full functioning of national insolvency registers in the EU, their interconnectivity and the establishment of a centralized search engine via the European e-Justice portal. Another consideration is that the capital structures of companies in the 21st century will be starkly different from those of the past century. Once driven by hard assets such as real estate, natural resources and machinery, modern businesses have become highly dependent and valued on the basis of intangible assets – claims, licenses, know-how, customer and database data and goodwill. The increased value of data in debtors’ insolvency estates together with the expansive process of digitisation and data collection (big data) will bring data protection issues to the forefront of legal and insolvency practice.
General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, OJ L 119, 04.05.2016
Mincke Reijneveld, ‘Een AVG-gedragscode voor curatoren’, FIP September 2021/6
Ilya Kokorin and Bob Wessels, ‘Cross-Border Cooperation and Communication: How to Comply with Data Protection Rules in Matters of Insolvency and Restructuring’, in: 16 International Corporate Rescue 2019, 98ff.
This is a slightly adapted version of a regular column Bob Wessels is writing for Global Restructuring Review (GRR) on the topic of cross-border restructuring and insolvency in a European context. GRR is a subscription-only publication and the column appeared in GRR on 27 September 2022. See globalrestructuringreview.com