On 19 January 2021, the Information Commissioner’s Office (ICO) published a letter dated 11 September 2020 explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR).
Background
Firms regulated by the SEC must fulfil requests for documentation made by the SEC and make their books, records or documents available for inspection, to ensure compliance with U.S. federal securities laws, rules and regulations. This calls for the production of information, documentation, and other records, which may include personal data and special category personal data.
ICO comments
The ICO reiterated that transfers of personal data from SEC regulated UK firms (including UK issuers that have equity securities or depositary receipts registered with the SEC or those that are listed on a U.S. exchange or market) to the SEC will need to comply with the GDPR rules on international transfers. However, in its letter, the ICO said that GDPR is not a barrier to international data transfers and identified a pathway for transfers to take place based on the principle of public interest under Article 49(1)(d) GDPR.
The ICO acknowledged that when relying on the derogation provisions in Article 49 GDPR, data protection and privacy rights must be balanced against other human rights. In limited circumstances, even in the absence of an adequacy decision under Article 45 GDPR and of safeguards under Article 46 GDPR, transfers may be required from time to time on the basis of the Article 49 GDPR derogations, such as public interest.
The ICO stated that in its view, “it is possible for SEC regulated UK firms to transfer personal information to SEC on the basis of the derogation” under Article 49(1)(d) GDPR because of three main considerations:
- “There are important reasons of public interest embedded in UK Law”, as required under Article 49(4) GDPR.
Compliance with SEC Rules aids in preventing financial crimes and enhances the regulatory objective of maintaining and protecting the integrity of the UK’s financial system.
- As per the European Data Protection Board (EDPB) guidelines, the transfer must be “one of strict necessity” for important reasons of public interest.
The data sender must observe the necessity principle and be able to point to precise and particularly solid justifications. What this means in practice is that organisations will need to identify the exact basis in EU or UK law in order to apply the relevant public interest derogation.
- SEC requests analysed by the ICO were strictly necessary and proportionate.
The ICO noted that, as with requests received from any UK regulator, SEC regulated firms must be satisfied that requests are within the scope of regulatory powers and requirements and should keep records as part of a fully auditable governance process. Additionally, such requests should not be large scale and systematic.
Considerations
It is possible for SEC regulated UK firms to transfer personal data to the SEC by relying on the Article 49(1)(d) GDPR ‘public interest’ derogation. At the same time, companies should still be compliant with their other GDPR obligations including their accountability and transparency obligations.
The ICO has voiced a preference for a long-term solution that does not rely on the Article 49(1)(d) GDPR derogation and is willing to work together with the SEC to create an Article 46 GDPR transfer tool. The ICO will continue to investigate potential complaints by data subjects and assess organisations’ evidence for such transfers, which should demonstrate that the derogation was appropriately applied.