October 22, 2021

Volume XI, Number 295

Advertisement
Advertisement

October 21, 2021

Subscribe to Latest Legal News and Analysis

October 20, 2021

Subscribe to Latest Legal News and Analysis

October 19, 2021

Subscribe to Latest Legal News and Analysis

ICO Confirms UK Firms May Rely on Public Interest Derogation for SEC Transfers

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”). Such firms or branches include investment advisers, securities-based swap dealers and other market participants. The ICO also reviewed the application of the UK GDPR to transfers made by UK issuers that have equity securities or depositary receipts registered with the SEC and listed on a U.S. exchange or market.

In a letter to the SEC, the ICO stated that the UK GDPR does not prohibit direct transfers to the SEC in connection with the SEC’s evaluation of UK firms’ compliance with U.S. obligations or the SEC’s prevention and enforcement relating to unlawful behavior. Specifically, the ICO stated that UK firms subject to U.S. regulatory obligations may rely on the public interest derogation for the transfer under the UK GDPR, allowing UK firms to make transfers without implementing a transfer mechanism such as Standard Contractual Clauses. However, the ICO also expects UK firms and the SEC to work together to try to implement an Article 46 transfer mechanism where possible, and that the Article 49 derogations should only be used on a case-by-case basis, “with the appropriate thought taken and recorded by the companies concerned.”

Regarding the Article 49 public interest derogation, the ICO stated that there were several overlapping lines of public interest recognized in UK law, including the fact that compliance with SEC rules by SEC-regulated UK firms assists in preventing financial crimes. In assessing the requirement that any transfer made in reliance on the derogation be of “strict necessity” for important reasons of public interest, the ICO highlighted that UK firms must be satisfied that SEC data requests are within the scope of the SEC’s regulatory powers and the firms should keep relevant records that evidence this. Further, requests that rely on this derogation should not be large scale and systematic.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 29
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement