ICO Clarifies the Position on UK Personal Data Transfers to the U.S. SEC

The UK Information Commissioner’s Office has published guidance on the transfer of personal data from UK-based firms to the U.S. Securities and Exchange Commission (SEC).

UK firms that are regulated by the SEC have been left wondering how to justify sharing personal information with the SEC within the confines of the EU General Data Protection Regulation (GDPR).  Luckily, the wondering can cease because the UK Information Commissioner’s Office (ICO) has published an open letter putting those issues to bed.

The SEC has legal authority to request and examine records and other documentation to ensure the proper legal administration of SEC-regulated UK firms to detect money laundering, fraud, and sanction evasion. This means UK issuers that have equity securities or depository receipts registered with the SEC and are listed on a U.S. trading platform may be required to provide a broad range of information to the United States in response to a request.

The process for obtaining information starts with the SEC sending a request to the UK-based firm for the production of certain books and records, which can include staff and customer information. It is then up to the firm to consider whether such a request is lawful and strictly necessary and proportionate for the purposes of the stipulated reasons contained in the request.

IN SUMMARY

Although the letter is specific to the SEC’s powers, it provides some useful guidance that can be applied more broadly on the provisions in the GDPR that allow for a transfer of personal data to “third countries” such as the United States without contractual safeguards where the transfer is “necessary for important reason of public interest.” However, firms should still be mindful of the risks of any onward transfers by the SEC to U.S. service providers, which may be subject to U.S. surveillance laws, and should take into account supplemental measures that may be required following the decision of the Court of Justice of the European Union in the Schrems II case (see our briefing here).

CONCERNS OVER PROTECTION OF PERSONAL DATA

The ICO letter considers the following three areas:

• The reasons of public interest embedded in UK law for the purposes of the derogation under Article 49(1)(d) of the GDPR;
• The “strict necessity” test when considering the public interest derogation; and
• The nature of requests from the SEC being strictly necessary and proportionate.

In the absence of an adequacy decision, a transfer of personal information from the UK to a third country, such as the United States must be protected by an appropriate safeguard as set out in Article 46 of the GDPR (such as standard contractual clauses). The GDPR also provides limited derogations as an alternative to relying on the safeguards; however, these can only be used on a case-by-case basis. The ICO letter provides helpful guidance on the application of the derogation, under Article 49 (1)(d) of the GDPR, which allows a transfer that is “necessary for important reason of public interest.”

The ICO has clarified that in order to use the public interest derogation, the transfer must be one of “strict necessity.” In practice, the exporter of the personal information must be able to identify a precise basis in UK law for the relevant public interest, and must ensure tests of necessity and proportionality are also applied. Therefore, the ICO advised that any SEC requests should strictly remain within the scope of the SEC’s regulatory powers and that such requests should not be large scale and systematic. The ICO noted that compliance with the SEC rules help prevent U.S. misconduct that may amount to a UK financial crime. In addition, SEC-regulated UK firms may also be regulated by the UK Financial Conduct Authority (FCA) and therefore, as required by law by virtue of the FCA Handbook, firms must “deal with its regulators in an open and cooperative way” including world-wide activities. In summary, the ICO has confirmed that there is scope for transfers to the SEC to be based on Article 49 (1)(d).

GDPR COMPLIANCE

In addition to ensuring there is sufficient protection of transfers of personal data, SEC-regulated UK firms should make sure that there is a lawful basis under Article 6 of the GDPR for the transfer, as well as ensuring a secondary Article 9 basis is satisfied when processing criminal records data and special category data. The ICO suggests that firms should ensure their privacy policies are easily accessible and clearly set out how personal data is collected and handled. Moreover, it is important that firms keep records of their processing of personal data, including the reasoning of relevant decisions regarding international transfers.

BREXIT

Although the ICO letter was sent when the UK was in the Brexit transition period (whilst EU laws still applied), the guidance remains valid as the GDPR has (effectively) been implemented into UK domestic law (UK GDPR). The ICO does not anticipate any significant changes to its approach to the application of the UK GDPR to the transfers of personal data by SEC-regulated firms to the SEC.

Stephanie Pong, London Trainee Solicitor, contributed to the drafting of this alert.