UK: Companies Transferring Compliance Data to SEC Can Use Article 49 of GDPR

February 1, 2021Alerts

Transfers for compliance with U.S. law can generally be done under the General Data Protection Regulation (GDPR) Article 49 derogation, said the United Kingdom's Information Commissioners Office (ICO) in a letter to the U.S. Securities and Exchange Commission (SEC), but it's better to try to implement an Article 46 transfer tool and you still need to make sure the transfers aren't large scale or systematic.

Asked to examine compliance with GDPR by UK companies that are required to make filings with the SEC, which may include personal data (including special category data) as well as criminal background information, the ICO issued a letter analyzing the legal framework.

ICO says that companies should first try to put together an Article 46 transfer mechanism, but that if one is not possible, the Article 49 derogation of "necessary for important reasons of public interest" could apply.

General Points

  • Submissions by UK companies to the SEC are a transfer of personal data from the EU to the U.S. and need to comply with Chapter V of GDPR.
  • UK companies should first try to put in place an Article 46 transfer tool to facilitate the SEC submissions.
  • While the Article 46 tool is being put in place, or if one is not possible, the Article 49 derogation of "necessary for important reasons of public interest" may be used.

Article 49 Requirements Are Met

There are important reasons of public interest embedded in UK law:

  • The UK is signatory to the Financial Stability Board (FSB) which includes the financial authorities from many countries.
  • Compliance with SEC rules by SEC-regulated UK firms helps prevent UK financial crimes from being committed and helps prevent the commission in the U.S. of conduct that would amount to a UK financial crime.
  • UK law requires entities regulated by the UK Financial Conduct Authority to deal with its regulators in an open and cooperative way.

SEC requests are strictly necessary and proportionate:

  • Limited Data: SEC limits the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients, accounts and employees.
  • Secure Storage: The information is maintained in a secure manner.
  • Limited Disclosure: The examinations are non-public, and per U.S. law, the information cannot be onward shared other than for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a lawful request of the U.S. Congress, of a properly issued subpoena, or to other regulators that have demonstrated the need for the information and provide assurances of confidentiality. The information is also subject to the U.S. Freedom Of Information Act (FOIA) that protects confidential information.
  • Limited Use: The SEC uses what it obtains solely for its own lawful, regulatory purpose and is subject to audit by the U.S. Government Accountability Office and other governmental oversight.

UK firms must still:

  • be duly satisfied that the requests are within the scope of the regulatory powers and requirements.
  • keep record of their considerations to evidence this.
  • make sure that Article 49 derogation is not used for large-scale and systematic transfers. (SEC requests are never regular and predictable but larger SEC UK entities may receive more requests).

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with GDPR compliance issues, contact Odia at [email protected] or 215.444.7313.