Data Protection Report - Norton Rose Fulbright

Many businesses are suffering serious financial difficulties as a result of COVID-19, particularly those in the retail, hospitality and tourism sectors.  For many of these businesses the one asset that will undoubtedly retain value, despite the pandemic, will be their customer database.  This valuable commodity could help attract potential purchasers.

But this is a tricky area to navigate, particularly following the General Data Protection Regulation (GDPR), since both the ICO and the FCA have started to pay more attention to this area.  For example, in February of this year, the FCA and ICO issued a joint statement warning regulated firms and insolvency practitioners of their responsibilities when dealing with personal data.  This followed reports that some insolvency practitioners and FCA authorised firms had attempted to sell clients’ personal data to claims management companies.

Insolvency practitioners and prospective purchasers therefore need to ensure that they conduct a careful analysis of the data in question, asking probing questions about the nature and quality of consents that were obtained in relation to the use of that data and the information that data subjects were given about how it would be used.

What are the legal mechanisms to sell or utilise personal data in an insolvency situation?

There are two ways that a purchaser may try to benefit from a distressed business’ customer list: 1) by buying the share capital of the company (a share sale); and 2) by buying the customer list as a standalone asset (an asset sale).

Legal challenges arise for a purchaser wishing to use the distressed business’ customer list in both cases, but in an asset sale (which is often preferred to a share sale in an insolvency context) these challenges are often insurmountable, as explained further below.

Share sales

A purchaser may decide to buy a distressed business, or part of it, as a going concern, with the sole intention of utilising the customer list to market its own products and services.

Can this be done?

It depends.

The Privacy and Electronic Communications Regulations 2003 (PECR) generally require an entity sending any marketing to consumers via “electronic mail” (e.g. email or SMS) to have the relevant consumer’s consent (unless the “soft opt-in” rule described below applies).

Under GDPR, if a purchasing company is seeking to rely on a consent obtained by a third party, that company must have been expressly named in the original consent language.  In most situations it is very unlikely that this will have happened and therefore it is unlikely that a purchaser would be able to send their own marketing emails directly to the customers of the distressed company it has acquired.

However, in a share sale the distressed company continues to exist as a going concern and this may help the purchaser benefit from the distressed company’s customer database. For example, if the distressed company’s original consents expressly stated that its marketing would promote the products and services of other companies or group companies, it may be possible for the distressed company to promote the buyer’s products or services in its own marketing emails and vice versa.  This is why the precise language of the consents must be reviewed carefully.

Another option to explore is the “soft opt-in” rule under PECR.  This rule means that a company may be able to send marketing communications to its existing customers about the company’s similar products and services, provided those customers gave their details directly to the company and they were given the chance to opt out of marketing at the time their details were collected.  Therefore, a distressed company could, in theory, send direct marketing communications to its customers relating to the buyer’s products/services if the distressed business already involves selling third party products and the buyer’s products are similar.  This could also apply vice versa for the buyer.

However, this approach should be treated with caution, particularly as the ICO’s draft direct marketing code of practice (the Draft Code) suggests that this type of activity could trigger increased regulatory responsibilities for both parties.  The Draft Code explains that if one party ‘instigates’ the sending of a direct marketing message by another party then both parties are responsible for complying with PECR: “…if Company A is encouraged by Company B to send its marketing then both companies require consent from the individual under PECR – Company A because they are the sender and Company B because they are instigator”.  This section of the Draft Code could have far reaching and perhaps unintended consequences for organisations whose business it is to sell and promote third party goods and services.  However, the Draft Code has not yet been finalised and therefore is still subject to change.

Asset sales

As explained above, GDPR makes very clear that, in order for a purchaser to rely on consent to use personal data in an acquired customer database for marketing purposes, the purchaser must have been specifically named at the time that data subjects gave their consent.  It is highly unlikely (almost impossible) this will have happened prior to a proposed asset sale and therefore an asset sale of customer data should ring alarm bells if the primary purpose of the proposed sale is for the purchaser to benefit from the target’s customer database.  If the sale is to go ahead, a degree of risk will have to be accepted by the purchaser that they may not be able to use the customer database in the way they intended or that doing so may be in contravention of data protection law.

The soft opt-in described above will also not be helpful to the purchaser in the context of an asset sale, as a company can only benefit from this rule if they themselves obtained the individuals’ contact details. In the case of an asset sale, the company that obtained the individual’s details will not have been acquired.

Who will be liable for breaches of data protection law in these situations?  Could insolvency practitioners be held directly liable?

Companies who buy, sell or utilise personal data, whether via a share sale or asset sale, will all be “on the hook” for data protection compliance and will be held to account by the ICO as data controllers of the relevant personal data.  Contractual warranties and indemnities from a distressed seller may be agreed but they may be of little value if the seller is likely to be wound-up shortly after the sale. And, even following a rescue, the seller is still likely to be at risk of insolvency for a time afterwards.

The liability of insolvency practitioners for breaches of data protection law is a little more complex and there are two leading authorities (Green and Southern Pacific Personal Loans) that deal with the question of whether insolvency practitioners can be considered to be data controllers and whether they would be held responsible for decisions relating to the sale, purchase or use of personal data.

In Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch), the High Court held that liquidators of a company in creditors’ voluntary liquidation were not data controllers for the purposes of the then data protection law, the Data Protection Act 1998 (DPA ’98).  The case involved the fallout of a lending business from the Lehman Brothers Group which was subject to a large number of PPI claims. The liquidators applied to the court for directions as to the nature of their obligations and liabilities in respect of subject access requests that were received in high volumes by Southern Pacific and whether they could dispose of the data.  The court held that the liquidators were not data controllers and were just acting as agents of the company and that in order to comply with the fifth principle of the DPA ’98 relating to data retention they should dispose of the data held on behalf of the company as soon as possible as it was no longer necessary to administer the redeemed loans.  This was subject to two qualifications: 1) that Southern Pacific should retain sufficient data to enable it to respond to the extant subject access requests; and 2) data could not be disposed of if its retention was necessary to enable the liquidators to discharge their statutory duties.  The important point was that the liquidators were not under a statutory duty to retain data so that it could “remain available to be mined by former customer or claims handling companies with a view to making claims against third parties”.

In the more recent case of Green v Group Ltd & Others [2019] EWHC 954 (Ch), the High Court considered whether to appoint the joint administrators of companies within the Cambridge Analytica group as liquidators despite objections from a creditor who asserted that the administrators had breached duties arising under data protection laws. The creditor sought an enforcement notice (under the DPA ’98) against the two group companies to request that they comply with a subject access request to provide details of his personal data potentially held by the companies.

The court had to decide whether to appoint the administrators as liquidators taking into account the objections made by the creditor. It found that none of the objections to the appointment of the administrators as liquidators were serious enough to prevent their appointment and made a number of useful observations about the role of administrators in the context of their data protection duties.

The court affirmed the view in Southern Pacific Personal Loans that an administrator is not automatically the data controller of personal data, provided that they do not take decisions as principal on behalf of the entity. The court also stated that it was for the data subject to pursue his data rights and if the data subject did so, the two questions that the joint administrators had to ask themselves were:


  1. Is it in the interests of the general body of creditors, or a necessary part of the discharge of their statutory duties, to help the data subject pursue his data rights?
  2. If they decided not to help, would that have caused unfair harm to the interests of the data subject as a creditor?


In this case, the administrators were entitled to decide that it was not in the best interests of the creditors as a whole to embark on a search for the data subject’s data, and on the facts of this case treating the data subject in the same way as other ‘data claimants’ would not cause unfair harm to the data subject’s interests as a creditor.  The judgment notes that:

  • there is no general duty on administrators to investigate “data breaches” occurring before their appointment;
  • the duty of the administrators is to seek to achieve the objectives of the administration process as quickly and efficiently as reasonably practicable;
  • as part of their duties in relation to asset recovery and statutory reporting, the administrators were bound to examine material available to them to investigate potential breaches of duties owed by the directors of the company, but not in relation to particular third parties which was the province of external regulators.  Neither was it their investigatory duty to examine breaches of duty by the company to particular third parties if they considered that there was no prospect of a distribution to such third parties; and
  • it would be the duty of administrators as officers of the Court to assist a regulator in such investigations insofar as it did not impede the achievement of the purposes of the administration.


The administrators decided not to search for the data subject’s data through the 700 terabytes on servers which had been seized by the ICO and to which the company did not have access, in circumstances where employees (being other creditors) were imminently either to be transferred to a purchasing company, or made redundant.  The administrators had treated the data subject claimant in the same way as other data claimants.

Although these cases provide some helpful guidance, there is still some uncertainty as to what sort of specific decisions about the processing of data might lead an insolvency practitioner to be considered as acting as a data controller rather than merely processing data as agent of an insolvent company. It is also unclear what sort of action the ICO would take in an insolvency context and against whom.  In Southern Pacific Personal Loans, at the request of the court, the ICO was represented at the hearing and argued that the liquidators were, along with Southern Pacific, data controllers at the commencement of the liquidation.

Our take

Careful consideration of data protection law is essential if the main driver for an asset or share sale is the distressed company’s data.  Whilst case law supports arguments that insolvency practitioners are not generally data controllers, it does leave the door open that they may have data protection responsibilities if they start to exercise discretion and decision making over personal data.  This supports the position expressed by the ICO in Southern Pacific Personal Loans and in the joint statement with the FCA which reminded insolvency practitioners of their obligations under data protection law.  As a result, insolvency practitioners need to exercise caution and be mindful of the restrictions explained in this article and more broadly under GDPR and PECR.