On 19 January 2021, the UK Information Commissioner’s Office (the “ICO”) published its September 2020 letter to the Securities and Exchange Commission (the “SEC”) analysing the GDPR’s impact on UK-based SEC-regulated firms’ (“SEC–Regulated UK Firms”) ability to comply with SEC data requests. Although the letter was greeted by Acting SEC Chairman Roisman as confirmation that the “UK GDPR does not impose legal barriers to the transfer of personal data […] directly to the SEC for regulatory or enforcement purposes”, SEC–Regulated UK Firms may still need to scrutinise data requests and have procedures in place to ensure GDPR compliance.
We cover the key takeaways for SEC Regulated UK Firms, including investment advisors, here.
What was the issue? As anyone following the fallout from the Court of Justice of the European Union’s decision in Schrems II will know, the GDPR restricts the transfer of personal data to “third countries”, including the U.S., subject to limited exceptions.
Due to these restrictions, the SEC became concerned about the extent of its ability to regulate UK and EEA-based firms. Not long after the GDPR came into force in May 2018, the SEC started delaying approvals of UK and EEA-based investment managers’ applications for registration. Following the September 2020 ICO letter, the SEC started accepting UK-based investment advisers’ applications.
What did the ICO find? The ICO said that SEC–Regulated UK Firms can, in principle, transfer personal data to the SEC in response to lawful data requests on the basis that the transfer is “necessary for important reasons of public interest.” The ICO relied on the fact that SEC oversight helps prevent financial crimes in the UK and that FCA-regulated firms must work with regulators globally in an open and cooperative manner under the FCA Handbook Principles for Businesses.
What does it mean in practice? The ICO’s view means that the SEC’s starting point will almost certainly be that the UK GDPR does not prevent SEC–Regulated UK Firms from complying with the SEC’s data requests. That said, the ICO’s letter shows that the public interest derogation is not a “blank cheque” and firms will still need to take steps to ensure UK GDPR compliance when producing data.
In particular, the ICO said that SEC Regulated UK Firms should:
- satisfy themselves that the requests do not exceed the SEC’s powers or regulatory requirements, and be able to show that the firm actively considered the issue. The ICO also suggested that, if the SEC requests become “large scale and systematic”, the public interest derogation may no longer apply;
- comply with their UK GDPR transparency obligations and highlight the possibility of data transfers to the SEC in investor, employee and other relevant privacy notices; and
- where the requested data might include special category or criminal records data, confirm and record that there is an appropriate “lawful basis” for the transfer.
Although not explicitly mentioned in the ICO’s letter, firms will also need to comply with the UK GDPR’s data minimisation principle when responding to the SEC’s data requests. This requires firms to share only personal data that is truly necessary for the stated purpose of the data request.
What is next? Though it drew on guidance issued by the European Data Protection Board, the ICO’s letter applies only to SEC Regulated UK Firms. The position of EU data protection authorities on this issue is not clear, and the persuasiveness of the ICO’s position with EU DPAs may be diminished after Brexit.
The ICO’s letter has potential implications for UK firms’ responses to data requests from third-country enforcement and regulatory bodies other than the SEC. In cross-border white collar enforcement matters, for example, companies often rely on the derogation for transfers “necessary for the establishment, exercise or defence of legal claims” (see our June 2018 FCPA Update). The ICO’s interpretation of the public interest exemption could provide an alternative route for complying with data requests in that context.
* * *
To subscribe to the Data Blog, please click here.