GDPR: Transferring International Data from the UK to a US Regulated Firm (SEC)
Posted on 3 Feb 2021
Are data transfers to the SEC still lawful after Brexit?
In September 2020 the Information Commissioner's Office (“ICO”) was asked to provide a view on the regulation of international data transfers that applies to UK firms regulated by the US Securities and Exchange Commission (“SEC”).
Under US regulatory laws, SEC-regulated firms, including UK-domiciled firms or branches, must process certain information and make it available to the SEC. This applies in particular to investment advisers and securities-based swap dealers, but also to UK issuers that hold equity securities or depositary receipts registered with the SEC and listed on the US market.
Such information may contain personal data, and when it is provided to the SEC the transfer becomes subject to the international data transfer rules under the UK GDPR.
General Principles for Data Transfer under UK GDPR
The general principle for international transfers under the UK GDPR is that personal data which is transferred to third countries continues to be protected by appropriate safeguards as set out in Chapter 5. Article 44 of UK GDPR: “All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this regulation.”
The UK GDPR also recognises that there are circumstances when balancing data protection and privacy rights against other human rights is required and that in some cases it is necessary and proportionate for a transfer to take place without the required protection. Such derogations are set out in Article 49 of the regulation and are based on consent, the performance of contract or public interest.
Further, as explained in the European Data Protection Board (EDPB)'s guidelines on Article 49 of the EU GDPR, these derogations must be exceptions to the rule. That means that the derogations should not be relied on for making transfers “on a large scale and in a systematic manner”. Whether a transfer is being performed on a large scale and in a systematic manner will be considered on a case-by-case basis.
Data transfers to the SEC: exception to the rule
In the instance of transfers to the SEC, the ICO clarified that UK firms can rely on Article 49 as the transfers are necessary for important reasons of public interest. Indeed, SEC requests aim to evaluate compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated UK firms and to prevent or enforce against potential illegal behaviour such as money laundering, fraud or sanction evasion.
Nevertheless, the ICO emphasised that this is an exception to the rule. It further recommends and expects the SEC and the UK firms in question to work together to put in place, as a long-term solution, international data transfer safeguards as set out in Article 46 of the UK GDPR. This may, however, be very difficult in light of the European Court of Justice decision in Schrems II, which emphasises difficulties associated with the US security laws. Therefore, it seems pragmatic and necessary for firms to assess their transfers to determine whether they may rely on derogations in Article 49 or whether they should look for an alternative basis for data transfers.
How can we help?
If you would like to find out whether your non-EEA business is in the scope of the GDPR, Laven’s Data Protection specialists can provide an accurate assessment of this. If you are in scope, Laven has a range of GDPR and European Representative services that will help ensure you remain compliant and avoid the large penalties for a breach.