On January 19, 2021, the Office of the UK Information Commissioner (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (“UK GDPR”) to transfers from UK based companies or branches that are registered with the US Securities and Exchange Commission (“SEC”) or otherwise regulated. These firms or branches include investment advisers, security swap dealers, and other market participants. The ICO also considered applying the UK GDPR to transfers from UK issuers whose stocks or depository receipts are registered with the SEC and listed on a US stock exchange or market.
In a letter to the SEC, the ICO stated that the UK GDPR does not prohibit direct transfers to the SEC in connection with assessing UK companies’ compliance with US obligations or preventing and enforcing illegal behavior by the SEC. In particular, the ICO stated that UK companies subject to US regulatory obligations may be able to rely on the public interest exemption when transferring under the UK GDPR, allowing UK companies to make transfers without implementing a transfer mechanism such as standard contractual clauses. However, the ICO also expects UK companies and the SEC to work together to attempt to introduce an Article 46 transfer mechanism whenever possible and that the Article 49 exemptions should only be applied on a case-by-case basis, “with the appropriate thought from the affected companies recorded and recorded. “
Regarding the Article 49 Public Interest Exemption, the ICO noted that UK law recognized several overlapping lines of public interest, including the fact that SEC-regulated UK companies were preventing compliance with SEC rules contributing to financial crimes. In assessing the requirement that a transfer made under the exemption is “strictly necessary” for important public interest reasons, the ICO emphasized that UK companies must be satisfied that SEC data requirements under the Regulatory powers reside with the SEC and the US agency Corporations should keep relevant records to demonstrate this. In addition, requests based on this exemption should not be voluminous and systematic.