Data protection law expert Jonathan Kirsop of Pinsent Masons, the law firm behind Out-Law, said the clarity offered by the ICO is “welcome consolation for regulated companies that have long struggled to link US regulatory requirements with data protection frameworks” in the UK and Europe. He said, however, that companies must continue to ensure that transfers to the SEC are “genuinely necessary and proportionate for the SEC’s regulatory purposes,” and therefore “must continue to rigorously analyze the size of the requests”.
Many UK-based financial services companies such as investment companies, fund managers and stock exchanges are regulated by the SEC in the US in addition to the UK Financial Conduct Authority and the Prudential Regulation Authority.
United States law gives the SEC extensive powers over the companies it regulates, including the power to require companies to exchange information such as emails, written notes, and documents so that the SEC can assess their compliance with its regulatory requirements.
The information to be shared may include personal information such as employee lists, employee disciplinary records, and details of customer complaints and agreements. While the SEC does not publish the information it receives and companies are required to disclose the information in order to comply with US law, the transfer of this personal information to the US is subject to compliance with UK data protection law.
The UK General Data Protection Regulation (UK GDPR), which effectively mirrors in UK legislation the EU GDPR that had direct effect in the UK prior to Brexit, restricts international transfers of personal data by organizations. Some precautions have been taken to allow the continuous flow of data from the UK to some jurisdictions, including, at least in the short term, the EU. Where such precautions do not apply, companies can still transfer personal data outside the UK to so-called “third countries” in accordance with the protective measures or exemptions provided for in the legal provisions.
One of the exceptions provides that the transfer of personal data can take place if “the transfer is necessary for important reasons of public interest”.
In a recent letter to the SEC, ICO Deputy Commissioner James Dipple-Johnstone stated that UK regulated companies can rely on this public interest exemption to submit personal information to the US regulator. He said the ICO believed that the transfer of personal information was “strictly necessary and proportionate” for the purpose of meeting regulatory requirements from the SEC. This is the legal test that a transfer of personal data must meet to be lawful under the public interest exemption.
Dipple-Johnstone said, however, that the exemptions “should be used and recorded on a case-by-case basis with the appropriate considerations of the companies concerned,” stressing that additional data protection obligations apply when the SEC requests that personal information of a particularly sensitive type (special category data or criminal record data) be shared with it.
The ICO is hoping for a long-term solution, such as standard contractual clauses that need to be executed by the SEC to allow more reliable data transmission to the regulator. Pinsent Masons’ Kirsop said, however, that this “laudable” endeavor is “unlikely to be imminent.”
Kirsop said UK firms must also consider privacy risks associated with the possible disclosure of data by the SEC.
“There may be unresolved ancillary concerns regarding disclosure by the SEC, including with service providers subject to US oversight laws, and therefore in the firing line of the Schrems II case,” he said.
In a statement released in response to Dipple-Johnstone’s letter, SEC Acting Chairperson Elad L. Roisman said: “The clarity that the ICO offers is a welcome development that shows that the framework for securities supervision can coexist with robust data protection standards. The ICO analysis also exemplifies the important collaborative relationship the SEC has established with the UK authorities in carrying out our investor protection missions.”