ICO Confirms UK Corporations Could Depend on Public Curiosity Derogation for SEC Transfers
On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”). Such firms or branches include investment advisers, securities-based swap dealers and other market participants. The ICO also reviewed the application of the UK GDPR to transfers made by UK issuers that have equity securities or depositary receipts registered with the SEC and listed on a U.S. exchange or market.
In a letter to the SEC, the ICO stated that the UK GDPR does not prohibit direct transfers to the SEC in connection with the SEC’s evaluation of UK firms’ compliance with U.S. obligations or the SEC’s prevention and enforcement relating to unlawful behavior. Specifically, the ICO stated that UK firms subject to U.S. regulatory obligations may rely on the public interest derogation for the transfer under the UK GDPR, allowing UK firms to make transfers without implementing a transfer mechanism such as Standard Contractual Clauses. However, the ICO also expects UK firms and the SEC to work together to try to implement an Article 46 transfer mechanism where possible, and that the Article 49 derogations should only be used on a case-by-case basis, “with the appropriate thought taken and recorded by the companies concerned.”
Regarding the Article 49 public interest derogation, the ICO stated that there were several overlapping lines of public interest recognized in UK law, including the fact that compliance with SEC rules by SEC-regulated UK firms assists in preventing financial crimes. In assessing the requirement that any transfer made in reliance on the derogation be of “strict necessity” for important reasons of public interest, the ICO highlighted that UK firms must be satisfied that SEC data requests are within the scope of the SEC’s regulatory powers and the firms should keep relevant records that evidence this. Further, requests that rely on this derogation should not be large scale and systematic.