On January 19, 2021, the UK Information Commissioner’s Office (“ICO”), published a letter, dated September 11, 2020, clarifying that the transfer of personal data from UK-based firms to the Securities and Exchange Commission (“SEC”) for regulatory compliance purposes may be permissible under the General Data Protection Regulation (“GDPR”) as implemented in the UK. As we summarize in this Client Alert, the ICO’s guidance assesses the lawfulness of such transfers as a matter of public policy, indicates how the ICO will approach its enforcement role, and highlights specific considerations that UK-based firms must follow to comply with SEC and GDPR regulatory requirements. In so doing, the ICO has established a path for SEC-regulated entities based in the UK to comply with both SEC document production requirements and GDPR.
Background
SEC-regulated entities must comply with requests for documentation made by SEC staff, such as during an examination of such entities’ compliance with US federal securities laws, rules, and regulations. This requires the production of information, documentation, and other records, which may include personal data and/or sensitive categories of personal information. EU- and UK-based investment managers were subject to a moratorium between 2018 and October 2020 where they were not able to register as investment advisers with the SEC due to concerns that GDPR prohibits necessary data transfers and therefore prevents regulatory compliance. The SEC Office of International Affairs and the ICO worked to resolve this issue with regards to UK-based firms. The correspondence around this issue has been published by the ICO and SEC.
ICO’s Analysis
The ICO reaffirmed the application of GDPR to the types of transfers required for SEC compliance; however, the September 2020 letter identifies a narrow avenue by which such transfers may occur based on the needs of public policy. The ICO recognized that UK-based firms (including UK issuers that have equity securities or depository receipts registered with the SEC that are listed on a US exchange or market) may be subject to SEC regulation, and that such regulation requires the international transfer of personal data in accordance with GDPR.
However, it also identifies that the derogation provisions of GDPR (Article 49) hold that data protection rights may be balanced against other human rights, and concludes that in certain limited circumstances, even where no adequacy decision is in place assessing a third country’s data protection laws, and no safeguards are otherwise available to sufficiently protect individuals to an essentially equivalent level as under EU law, if public policy requires certain transfers, they may occur under specific conditions.
The ICO’s analysis of Article 49 determined that SEC regulatory activities support UK financial stability, which is an important “reason of public interest”, within the meaning of the derogation provision of GDPR.
Specifically, the ICO determined:
- There are important reasons of public interest embedded in UK law supporting transfers for this purpose. The SEC’s regulatory practices are consistent with key international standards recognized by UK law, and compliance with such standards prevents financial crimes and reinforces the integrity of the financial system.
- Transfers pursuant to Article 49 must be of “strict necessity” for important reasons of public interest. This test requires that the data exporter pay particular attention to the necessity principle in the context of interpreting the public interest derogation, and that strict necessity must also incorporate proportionality.
- SEC requests are strictly necessary and proportionate to ensure regulatory compliance. SEC-regulated firms must comply with regulatory examinations or be deemed in violation of US securities laws, but so too must such firms be duly satisfied that requests are within the scope of SEC’s regulatory powers.
Takeaways
UK-based firms may transfer personal data for the purpose of SEC regulatory compliance. “It is possible for SEC regulated UK firms to transfer personal information to the SEC on the basis of the derogation set out in Art 49.1(d) – the transfer is necessary for important reasons of public interest.” This determination is specific to UK firms. It will be for the SEC to agree to a similar basis with other data protection authorities in the EU in relation to EU firms.
This solution is imperfect and based on current conditions. The ICO appears to recognize the need for such transfers to allow UK-based firms to be registered with, and regulated by, the SEC. This appears to be a pragmatic response to recognizing the legitimate authority of US government agencies to regulate in appropriate ways, and in a manner similar to regulation in the UK and EU. In this instance, the solution was driven by the dialogue between the SEC and ICO to achieve a workable solution via the GDPR derogation provision. This is a very fact-based assessment, based on current legal conditions, and about which the ICO reserves the right to change its mind. The ICO has also indicated that it would prefer a long-term solution that does not rely on an Article 49 derogation, stating it “would expect the UK firms and SEC to work together to try and put in place an Article 46 transfer tool.”
This analysis is consistent with other EU Regulators’ guidance. The ICO echoes and reiterates the data protection principles at the center of the Schrems II decision by the Court of Justice of the European Union and other EU data regulators. For instance, the European Data Protection Board’s recent draft guidance on the European Essential Guarantees emphasized the need for institutional protection, independent oversight, and the right of data subjects to redress should a third country’s laws fail to protect personal information to the same level as that required by EU law. The ICO’s analysis here is premised on the strict confidentiality requirements surrounding personal information collected through SEC examinations, further protections offered through Freedom of Information Act requests, audits performed by the US Government Accountability Office, and other official US government oversight functions.
Companies must continue to comply with other GDPR obligations, including providing notice to customers. The derogation relates to the transfer tools, but not other obligations incumbent upon data controllers. For instance, all processing, including cross-border transfers, must have a lawful basis, and data controllers must be transparent in their processing. This means that UK-based companies subject to SEC regulation must provide privacy notices to their customers setting out how personal data will be handled, including potential transfers to the SEC.
SEC-regulated UK firms must perform necessity and proportionality analyses and maintain supporting documentation. The accountability principle requires that data controllers maintain documentation regarding determinations that requests for information are properly within the regulatory scope of the SEC. The September 2020 letter states that the ICO will continue to investigate complaints filed by data subjects, but “would not find there to be a breach of the GDPR transfer rules if the [SEC-regulated UK firm] provided evidence that it carefully considered and appropriately applied” the public interest derogation rules.
This article can be downloaded here.
