On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published a letter, dated September 11, 2020, clarifying that the transfer of personal data from UK-based firms to the US Securities and Exchange Commission (“SEC”) for regulatory compliance purposes may be permissible under the General Data Protection Regulation (“GDPR”) as implemented in the UK. As we summarize in this Client Alert, the ICO’s guidance assesses the lawfulness of such transfers as a matter of public policy, indicates how the ICO will approach its enforcement role, and highlights specific steps that UK-based firms must follow to comply with both SEC and GDPR regulatory requirements. In so doing, the ICO has established a path for SEC-regulated entities based in the UK to comply with both SEC document production requirements and GDPR.
SEC-regulated entities must comply with requests for documentation made by SEC staff, such as during an examination of those entities’ compliance with US federal securities laws, rules, and regulations. This requires the production of data, documentation, and other information, which may include personal data and/or special categories of personal data. EU- and UK-based investment managers were subject to a moratorium between 2018 and October 2020 during which they were unable to register as investment advisers with the SEC, because of concerns that GDPR prohibits the necessary data transfers and therefore prevents regulatory compliance. The SEC Office of International Affairs and the ICO worked to resolve this issue with respect to UK-based firms. The correspondence on this issue has been published by both the ICO and the SEC.
The ICO reaffirmed that GDPR applies to the types of transfers required for SEC compliance; however, the September 2020 letter identifies a narrow avenue by which such transfers may take place on public policy grounds. The ICO recognized that UK-based firms (including UK issuers with equity securities or depository receipts registered with the SEC and listed on a US exchange or market) may be subject to SEC regulation, and that such regulation requires international transfers of personal data that must be made in accordance with GDPR.
However, the letter also notes that the derogation provisions of GDPR (Article 49) allow data protection rights to be balanced against other rights and interests, and concludes that in certain limited circumstances, even where no adequacy decision assessing a third country’s data protection laws is in place, and no appropriate safeguards are otherwise available to protect individuals to a level essentially equivalent to that under EU law, transfers required by public policy may still take place under specific conditions.
The ICO’s analysis of Article 49 determined that SEC regulatory activities support UK financial stability, which is an important “reason of public interest” within the meaning of the GDPR derogation provision.
Specifically, the ICO determined:
1. There are important reasons of public interest, recognized in UK law, that support transfers for this purpose. The SEC’s regulatory practices are consistent with key international standards recognized by UK law, and compliance with those standards helps prevent financial crime and reinforces the integrity of the financial system.
2. Transfers under Article 49 must be “strictly necessary” for important reasons of public interest. This test requires the data exporter to pay particular attention to the necessity principle when interpreting the public interest derogation, and strict necessity must also incorporate proportionality.
3. SEC requests are strictly necessary and proportionate to ensuring regulatory compliance. SEC-regulated firms must comply with regulatory examinations or be deemed in violation of US securities laws; equally, such firms must satisfy themselves that each request falls within the scope of the SEC’s regulatory powers.
UK-based firms may transfer personal data for the purpose of SEC regulatory compliance. “It is possible for SEC regulated UK firms to transfer personal information to the SEC on the basis of the derogation set out in Art 49.1(d): the transfer is necessary for important reasons of public interest.” This determination is specific to UK firms. It will be for the SEC to pursue a similar basis with other data protection authorities in the EU in relation to EU firms.
This solution is imperfect and based on current circumstances. The ICO appears to acknowledge that such transfers are needed to allow UK-based firms to be registered with, and regulated by, the SEC. This appears to be a pragmatic response that recognizes the legitimate authority of US government agencies to regulate in appropriate ways, and in a manner similar to regulation in the UK and EU. In this instance, the solution was driven by dialogue between the SEC and the ICO to reach a workable arrangement via the GDPR derogation provision. It is a highly fact-specific analysis, based on current legal circumstances, about which the ICO reserves the right to change its mind. The ICO has also indicated that it would prefer a long-term solution that does not rely on an Article 49 derogation, stating that it “would expect the UK firms and SEC to work together to try to put in place an Article 46 transfer tool.”
This analysis is consistent with other EU regulators’ guidance. The ICO echoes and reiterates the data protection principles at the center of the Schrems II decision of the Court of Justice of the European Union and the positions of other EU data protection regulators. For example, the European Data Protection Board’s recent draft guidance on the European Essential Guarantees emphasized the need for institutional protection, independent oversight, and a right of redress for data subjects where a third country’s laws fail to protect personal data to the level required by EU law. The ICO’s analysis here is premised on the strict confidentiality requirements surrounding personal data collected through SEC examinations, the further protections applicable to Freedom of Information Act requests, audits conducted by the US Government Accountability Office, and other official US government oversight functions.
Firms must continue to comply with their other GDPR obligations, including providing notice to customers. The derogation concerns the transfer mechanism only, not the other obligations incumbent on data controllers. For example, all processing, including cross-border transfers, must have a lawful basis, and data controllers must be transparent about their processing. This means that UK-based firms subject to SEC regulation must provide privacy notices to their customers setting out how personal data will be handled, including potential transfers to the SEC.
SEC-regulated UK firms must perform necessity and proportionality analyses and retain supporting documentation. The accountability principle requires data controllers to keep records of their determinations that each request for information properly falls within the SEC’s regulatory scope. The September 2020 letter states that the ICO will continue to investigate complaints filed by data subjects, but “would not find there to be a breach of the GDPR transfer rules if the [SEC-regulated UK firm] provided evidence that it carefully considered and appropriately applied” the public interest derogation rules.