Law 360 shared this piece recently about how the U.S. Securities and Exchange Commission recently announced that U.K. authorities will permit U.K.-based companies to transfer personal data of U.K. data subjects to the SEC to facilitate its investigations even in the absence of a subpoena or other legal obligation.

I’ve been talking to my colleague, Matthew Negus, in detail about this and we have put together few key points below…. These are based on our take of the ICO position on the use of the public interest derogation from data transfer restrictions under the GDPR as a mechanism for sharing data with the SEC.

  • The ICO has published correspondence on its view of the application of the GDPR international data transfers requirements in relation to the obligation on SEC regulated firms in the UK to provide certain information and records to the SEC on request.
  • In what is likely to be welcome news for international-based Compliance, Legal and Data Protection functions of US Banks who have long grappled with an uneasy trade-off between EU data export restrictions and the need to meet SEC requirements to disclose personal data about non-US based employees, the ICO considers that it may be appropriate to transfer such data on the basis that the transfer is necessary for important reasons of public interest (i.e., pursuant to Article 49(1) GDPR).
  • In particular, the ICO considers that there are important reasons of public interest ‘embedded in UK law’, and that responding to SEC requests would be necessary and proportionate if, following EU law, the UK firm is satisfied that the request is within the scope of the SEC’s powers, and that such requests are not large-scale and systematic. Firms should take note of the importance of carefully considering the application of the public interest derogation, documenting the assessment and being able to provide evidence upon request. The ICO indicates it would not consider a breach of the GDPR transfer rules if the firm provided evidence that it had carefully considered and appropriately applied the public interest derogation. 
  • To its credit, the ICO recognises this as a problematic area and expects UK firms and the SEC to work together to develop an Article 46 transfer tool longer term. The ICO also welcomes the SEC’s willingness to discuss the potential for one. This certainly would be a positive development given that SEC regulated firms cannot participate in certifications schemes overseen by the Federal Trade Commission or US Department of Commerce.
  • Whilst the UK is free to chart its own path post-Brexit, the continued free-flow of personal data between the UK and the EU is crucially important to both sides and there is much riding on the UK being granted a permanent adequacy decision by the European Commission. As a result, the UK Government must ensure it does not stray too far from the approach and interpretation of such Data Protection matters as the rest of the EU, otherwise the much-prized adequacy designation could be in jeopardy, particularly as its interpretation of the public interest derogation for this type of transfer is likely to be at odds with the interpretation of the European Data Protection Board and other EU Data Protection Authorities.

Our Privacy & Data Compliance Services practice has huge experience in supporting clients navigate the choppy waters of cross-border data transfers. Please reach out to Robert Grosvenor, Matthew Negus or Samita Patel if you need further help in this area.