SEC data transfers from UK lawful, says ICO

Out-Law News | 10 Feb 2021 | 10:02 am | 2 min. read

UK-based financial services companies compelled to share information about customers or staff with the US Securities and Exchange Commission (SEC) can do so without breaching UK data protection law, the Information Commissioner's Office (ICO) has confirmed.

Data protection law expert Jonathan Kirsop of Pinsent Masons, the law firm behind Out-Law, said the clarity provided by the ICO is "welcome comfort to regulated businesses who have long struggled to marry the regulatory requirements of the US with the data protection frameworks in the UK and Europe". However, he said firms would still be required to ensure transfers to the SEC are "truly necessary and proportionate for the regulatory purposes of the SEC" and so "will still need to apply rigour to analysing the scope of requests".

Many financial services companies based in the UK, such as investment companies, fund managers and securities exchanges, are regulated by the SEC in the US too, in addition to by the UK's Financial Conduct Authority and Prudential Regulatory Authority.

US law provides the SEC with wide-ranging powers over the firms it regulates, including the power to require firms to share information, such as emails, written notes and documents, with it for the purposes of enabling the SEC to evaluate their compliance with their regulatory requirements.

The information to be shared can contain personal data, such as staff lists, employee disciplinary records and details of customer complaints and agreements. While the SEC does not publish the information it receives and the firms are obliged to share the information to meet the requirements of US law, the transfer of that personal data to the US is subject to compliance with UK data protection law.

The UK General Data Protection Regulation (UK GDPR), which effectively mirrors, in UK legislation, the EU GDPR that used to have direct effect in the UK prior to Brexit, places restrictions on organisations' international transfer of personal data. While some arrangements are in place to enable the continued flow of data from the UK to some jurisdictions, including, in the short-term at least, with the EU, where such arrangements do not apply, businesses can still proceed to transfer personal data outside the UK to so-called 'third' countries in accordance with safeguards or derogations provided for in the legislation.

One of the derogations provides that the transfer of personal data can go ahead if "the transfer is necessary for important reasons of public interest".

In a recently published letter sent to the SEC, the deputy commissioner at the ICO James Dipple-Johnstone said that UK regulated firms can rely on this public interest derogation to transfer personal data to the US regulator. He said the ICO considers that the transfer of personal data for the purposes of meeting the regulatory requests of the SEC would be "strictly necessary and proportionate", which is the legal test for the transfer of personal data to be lawful under the public interest derogation.

However, Dipple-Johnstone said the derogations "should be used on a case by case basis with the appropriate thought taken and recorded by the companies concerned", and emphasised that additional data protection obligations will apply when the SEC requests personal data of a particularly sensitive kind – 'special category' data or criminal records data – be shared with it.

The ICO hopes a long-term solution, such as standard contractual clauses to be executed by the SEC, to enable data transfers to the regulator on a more reliable basis, but Kirsop of Pinsent Masons said this "laudable" aspiration is "unlikely imminently".

Kirsop said UK firms will also need to account for data protection risks associated with the potential onward sharing of data by the SEC.

"There may still be ancillary concerns unresolved relating to onward sharing by the SEC, including with service providers subject to US surveillance laws and therefore in the firing line of the decision in the Schrems II case," he said.

In a statement issued in response to Dipple-Johnstone's letter, acting chairman of the SEC, Elad L. Roisman, said: "The clarity provided by the ICO is a welcome development demonstrating that securities regulatory oversight frameworks can coexist with robust data protection standards. The ICO analysis also exemplifies the important cooperative relationship the SEC has established with UK authorities in carrying out our investor protection missions."