The UK’s Information Commissioner (“ICO”) has recently issued a letter to the U.S. Securities and Exchange Commission (“SEC”) confirming that SEC-regulated UK domiciled firms (“UK Regulated Firms”) can share personal data with the SEC when seeking to comply with regulatory obligations, in compliance with the UK GDPR. After a long delay, the ICO’s letter has prompted the SEC to begin accepting applications from UK Regulated Firms.

Background

A large number of UK domiciled firms or branches are registered, required to be registered or otherwise regulated by the SEC in the U.S. Under US law, UK Regulated Firms must maintain certain books and records, which may contain personal data, and provide these to the SEC on request. This enables the SEC to evaluate a firm’s compliance with SEC regulatory requirements and U.S. law.

As the GDPR places restrictions on the transfer of personal data to the U.S., when the GDPR came into force on 25 May 2018, the SEC became concerned about its ability to request information from and regulate UK and EU based firms. Soon after the GDPR entered into force, the SEC delayed approvals of UK and EU based firm’s applications for SEC registration.

The UK has now left the EU, and as of 1 January 2021, the EU GDPR ceased to have direct effect in the UK. However, under the European Union (Withdrawal) Act 2018, the body of EU law (including the GDPR) is incorporated into UK law and the UK GDPR now applies in the UK (“UK GDPR”).

Following lobbying from UK-based firms, on 19 January, the ICO published its letter to the SEC which analyses the UK GDPR’s impact on UK Regulated Firms’ ability to comply with SEC data requests while also complying with UK GDPR requirements.

Key points from the ICO letter

  • The ICO letter concludes that the UK GDPR does not prohibit transfers of personal data to the SEC in relation to the SEC’s evaluation of UK Regulated Firms’ compliance with U.S. regulatory requirements. Specifically, the ICO states that UK Regulated Firms may be able to rely on the Article 49.1(d) UK GDPR ‘public interest’ derogation, which allows UK Regulated Firms to make transfers of personal data to the SEC without implementing an Article 46 UK GDPR transfer mechanism, such as Standard Contractual Clauses. In its letter, the ICO concludes that there are several “overlapping lines of public interest which are recognised in UK law”, including that the SEC’s regulatory practices are consistent with international standards recognised by UK law, and compliance with those standards helps to prevent UK financial crimes being committed and ensures firms deal with their regulators in an open and cooperative way.
  • The ICO states that the test which should be applied to any transfer of personal data, as a result of a SEC request, should follow European Data Protection Board guidance on Article 49 (“EDPB guidance”) and therefore be one of ‘strict necessity’ for the purposes of public interest. This means that UK Regulated Firms must be able to identify the exact basis in UK law for the relevant public interest and ensure that the transfer is ‘necessary and proportionate’. UK Regulated Firms should be able to satisfy themselves that any requests are within the scope of the SEC’s powers and regulatory requirements; and keep records to show that the firm has actively considered and assessed this issue.
  • In line with EDPB guidance, the ICO states that the requests by the SEC must not be ‘large scale and systematic’. Where this is the case, the public interest derogation may no longer apply.
  • UK Regulated Firms must comply with their other UK GDPR obligations in respect of the transfer of personal data to the SEC. These include: (i) complying with transparency obligations and ensuring relevant privacy notices include information on the possibility of data transfers to the SEC; (ii) ensuring records of processing include any transfers to the SEC; and (ii) ensuring that there is a lawful basis in place for the transfer of personal data, including where the requested data includes special category or criminal records data.

What next?

The SEC clearly views the ICO’s letter as confirmation that the UK GDPR does not prevent UK Regulated Firms from complying with SEC information requests (see the statement from the SEC acting Chairman available here). However, the ICO’s letter and the Article 49 public interest derogation does not give a carte blanche to UK Regulated Firms. In particular, the EDPB guidance is clear that Article 49 derogations should only be used on a case-by-case basis. The ICO expects UK Regulated Firms and the SEC to work together to implement a longer term Article 46 transfer tool, such as standard contractual clauses, to enable continued data transfers to the SEC.

The ICO’s letter appears to be a pragmatic response to ensure that the SEC can regulate relevant UK firms in line with US law requirements. It comes after lobbying from within the UK and discussion with the SEC to achieve a practical way forward to allow the SEC to re-start registration of UK Regulated Firms. The ICO’s letter only addresses transfers of personal data from UK Regulated Firms. As such, the SEC has confirmed that it is only accepting applications from UK firms, not EU firms. It is uncertain whether EU supervisory authorities will follow the view of the ICO, especially as the ICO did not address the issue of onward sharing by the SEC, which has particular relevance given the recent judgment by the CJEU in Schrems II.

The ICO had to tread carefully, on the one hand satisfying the SEC that UK law would not prevent UK Regulated Firms from sharing personal data with the SEC and on the other hand not wanting to take a position that might prejudice the ongoing discussions with the European Commission to secure an adequacy decision for transfers of personal data from the EEA to the UK.

It remains to be seen whether the very narrow interpretation of Article 49 derogations adopted by the EDPB, in particular their position that Article 49 derogations cannot be relied upon for large scale and systematic transfers, is correct as a matter of law. The EDPB’s interpretation is certainly consistent with the non-legally binding recitals of the GDPR but it is at odds with the legally binding text of Article 49 itself which only limits the scope of the derogation relying on compelling legitimate interests to non-repetitive transfers concerning a limited number of data subjects. None of the other derogations are explicitly limited in this way. With greater reliance likely to be placed on the Article 49 derogations as a result of the Schrems II ruling, we anticipate this issue is likely to be the focus of appeals of regulatory enforcement action concerning international transfers in due course.