The UK Information Commissioner’s Office (“ICO”) has published a letter sent to the U.S. Securities and Exchange Commission. The ICO confirms that it is possible for SEC regulated UK firms to transfer personal data to the U.S. where the transfer is necessary for important reasons of public interest (the derogation in Article 49(1)(d), GDPR). UK financial services firms and institutions that are required to transfer personal data to the U.S. to respond to SEC requests, and remain compliant with the GDPR, will view this as a welcome clarification. The ICO, however, has emphasised that reliance on an Article 49 derogation should not be relied on as the “rule,” but must continue to be assessed on a case-by-case basis.
The letter focuses on the obligations of certain UK domiciled firms or branches that are registered or regulated by the SEC, including investment managers, brokers, and exchanges, which may or may not also be regulated in the UK by the FCA or PRA. The SEC is entitled to request from those firms books, records, and other materials to evaluate compliance with relevant legal obligations (including the prevention of money laundering, fraud and evasion of sanctions).
The records requested by the SEC may include emails sent and received by employees, together with information such as employee disciplinary history, financial transaction records, and customer complaints, all of which are likely to include personal data.
Transfer under GDPR
Transfers of personal data outside of the UK are restricted unless the personal data is being transferred to a country which has been recognised by the ICO as providing adequate protection. If there is a restricted transfer, the transfer must comply with the transfer provisions set out in Chapter V of the GDPR. There are transfer tools available to facilitate lawful transfers to countries outside the UK, but in the wake of Schrems II, data transfers to the US are subject to increased regulatory hurdles. When none of the approved transfer mechanisms (such as Standard Contractual Clauses) are available, the GDPR does recognise that certain transfers can nevertheless proceed on the basis of the Article 49 derogations.
Important reasons of public interest
The ICO’s letter confirms that it is possible for UK firms to transfer personal data to the SEC pursuant to Article 49(1)(d) of the GDPR, which allows transfers of data that are necessary for important reasons of public interest. The ICO emphasised that there are overlapping “lines of public interest” between the UK and U.S., noting that there are benefits in UK firms complying with SEC rules, including enhancing the integrity of the UK financial system.
The ICO also noted the requirement in Principle 11 of the FCA Handbook for firms to “deal with its regulators in an open and cooperative way” and the guidance in PRIN 1.1.6G that makes clear that Principle 11 applies to world-wide activities and the duties owed to overseas regulators.
The ICO, however, did stress that the GDPR derogation should be used on a case-by-case basis and should not be considered as the rule. We’ve summarised the ICO’s three key takeaways:
- Important reasons of public interest embedded in UK law: after exploring these issues with the SEC and the UK Financial Conduct Authority, the ICO concluded that there were a number of overlapping lines between the UK public interest and in the SEC’s regulation of SEC regulated UK firms.
- The test which should be applied is one of “strict necessity”: in practice this means that it is crucial to be able to identify the exact basis in EU and UK law for the relevant public interest, and then carefully apply the necessary and proportionate test according to GDPR requirements.
- Strictly necessary and proportionate: firms must be satisfied that the request from the SEC is within the scope of the SEC’s powers, and records must be maintained to evidence that they have considered this. Requests should not be “large scale and systematic”.
It is worth noting that the ICO appears to have taken some comfort from reassurances provided by the SEC that “it is the SEC’s practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and relates to specific clients and accounts, and employees” and that information received by the SEC is retained in “a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC”.
The ICO’s letter provides reassurance to UK firms that documents containing personal data may be transferred to the SEC in response to regulatory requests and in the context of enforcement action. It will be interesting to see whether the ICO issues additional guidance in relation to transfers of personal data to other global regulators and authorities, and if so whether it will adopt the same position. In the meantime, provided that the tests set out in the ICO’s letter are met, there are good reasons for firms to adopt the same approach in response to requests from other regulators.
The ICO does caution, however, that reliance on the Article 49 derogations must not be considered as the rule. Firms should always consider the possible application of other safeguards set out in the GDPR. Article 49 derogations are still considered a “last resort” solution. Of course, any reliance on Article 49(1)(d) will require identification off an important public interest as well as satisfying the “necessary and proportionate” test. Nevertheless, this approach will be welcomed by both UK firms and the SEC.