A letter sent by the UK’s Information Commissioners Office (the “ICO”) to the US Securities Exchange Commission (the “SEC”) back in September 2020 (the “Letter”) has recently been made publicly available. In summary, the ICO provides its views on those UK firms who have regulatory obligations in the US (e.g. to prevent and/or enforce actions against money laundering, fraud or sanction evasion) which may result in the disclosure of personal data to the SEC. The introduction of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and more recently the court decision in Schrems[1] that the EU-US Privacy Shield can no longer be relied upon (please see our summary on this here), has subsequently put into question the ability for SEC regulated firms to comply with their disclosure obligations in cases where personal data would need to be transferred. SEC regulated firms in the UK therefore find themselves in a difficult position, as failure to provide the requested information would violate their regulatory requirements and deemed impeding an examination which could result in enforcement action.

INFORMATION  DISCLOSURE

As part of the SEC’s role in monitoring and overseeing SEC regulated firms both within and outside the US, firms may be required to disclose certain information such as:

  • firm policies and procedures;
  • staff lists;
  • employee disciplinary history;
  • employee personal trading records;
  • customer complaints;
  • customer agreements; and
  • internal communications.

The information listed above may include both personal data and special category data (as defined under GDPR).

SECURITY OF INFORMATION  

The SEC have confirmed that all information received is maintained securely and is in compliance with US laws on confidentiality. Information disclosed cannot be subsequently disclosed by the SEC unless required by law e.g. a properly issued subpoena. The SEC itself is also subject to external oversight and audit by the US Government Accountability Office.

IMPLICATION OF GDPR

Those UK firms who are also under the regulatory purview of the SEC are required to comply with GDPR when required to disclose information internationally. The ICO confirms in its Letter that such UK firms could rely on Article 49.1(d) of GDPR to transfer the personal data, on the basis that the transfer is necessary for important reasons of public interest. For example, compliance with the SEC rules by such UK firms helps both the prevention of UK financial crimes being committed, and prevent the commission in the US of conduct that would amount to financial crime in the UK. Furthermore, those UK firms who are also regulated by the Financial Conduct Authority, are required to deal with all regulators (including those based overseas) in an open and co-operative way.

On this basis, those UK firms seeking to rely on this derogation may do so upon also considering whether the transfer of information is necessary and proportionate. Based on the examples given above, it is likely that UK firms will be able to establish this, and with respect to proportionately, it is understood from the SEC that requests are not regular and the information will be specific as opposed to requiring substantial amounts of information to be shared.

In the event that either special category data or criminal records data needs to be disclosed to the SEC, UK firms should ensure that they have appropriate measures in place to comply with the additional processing conditions set out in Articles 9 and 10 of GDPR.

NEXT STEPS

The ICO has suggested that the SEC consider putting in place an Article 46 safeguard (e.g. a legally binding instrument between public authorities, binding corporate rules, or standard data protection clauses) and is willing to engage with the UK government if necessary. However, in the meantime, UK firms who are regulated by the SEC may rely on the Article 49.1(d) of GDPR which provides for public interest derogation in order to share personal data.

To review the Letter please click here.

For more information, and any guidance or advice on GDPR data transfer rules,Cleveland & Co External in-house counselTM, your specialist outsourced legal team, are here to help.

[1] Please see Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems