Entities registered with the U.S. Securities & Exchange Commission (SEC) must maintain certain books and records and can be subject to the SEC’s examination, inspection, and enforcement authority. Responding to SEC requests can require cross-border transfers of personal data, and this has historically risked non-compliance under foreign data protection law.
The SEC has been proactive in seeking positions from foreign data protection regulators that may provide a path to compliance for SEC registrants to transfer personal data in connection with SEC requests. Earlier this year, the UK’s Information Commissioner’s Office (UK ICO) published a letter to the SEC indicating the formal steps SEC registrants could take to enable transfers to the SEC in connection with books and records inspections and examination requests directed towards a broad swath of securities industry participants the SEC regulates, including investment advisers, investment companies, broker-dealers, credit rating agencies, transfer agents, clearing agencies, exchanges and trading venues, as well as UK issuers listed in the U.S.
More recently, the Swiss Federal Data Protection and Information Commissioner (“Swiss DPC”) released its framework for SEC registrants to be able to provide personal data in response to SEC examination and inspection requests, while maintaining compliance with Swiss data protection laws.
At a high level, both the Swiss DPC framework and the UK ICO recognize an overriding public interest in responding to the SEC examination and inspection requests, notwithstanding the potential data protection challenges they may pose. Similarly, both the UK ICO and the Swiss DPC omit any reliance on notions of adequacy following the European Court of Justice’s Schrems II decision. However, in contrast to the UK ICO, the Swiss DPC indicated that Swiss data protection law may permit transfers to the SEC by a potentially broader set of entities than were addressed by the UK ICO. These include investment advisers, broker-dealers, clearing agencies, transfer agents, as well as “Swiss-based entities that are not registered with the SEC, including audit firms, in furtherance of examinations of SEC registrants or in other limited circumstances.”
The Swiss DPC’s framework is notable for providing multiple legal bases for cross-border transfers of both customer and employment data as two primary categories of personal data that tend to be implicated in SEC requests. More specifically, the Swiss DPC is of the opinion that, in principle, Swiss data protection law permits transfers of personal data to the SEC on the following bases:
1) Contract performance: The Swiss DPC holds that the necessity of performing customer agreements and employment contracts can justify transferring personal data to the SEC for examinations. This is the case because (a) a registered entity has to subject itself to SEC jurisdiction to provide the U.S.-facing services it contractually obligates itself to provide to its customers, and (b) the SEC provides sufficient assurances of confidentiality under Swiss financial regulatory law.
2) Public interest: Similarly, the Swiss DPC holds that transfers of personal data to the SEC can be justified if the disclosure is “necessary” in order to protect an “overriding public interest.” According to the Swiss DPC, supervisory activity by foreign regulatory authorities can constitute an overriding public interest under Swiss law. The existence of an overriding public interest must be established on a case-by-case basis – a pure hypothetical interest is not sufficient. In principle, the Swiss DPC notes that Switzerland’s Financial Market Supervisory Authority Act contemplates data sharing with the SEC, and as such “advocat[es] direct transmissions to the SEC.”
However, the Swiss DPC requires registered entities to ensure safeguards are in place prior to transferring personal data to the SEC:
a) Transparency: The Swiss DPC requires registered entities to make it “evident” to their customers that personal data may be transferred to the SEC. While the Swiss DPC considered requiring request-by-request notices every time the SEC serves examination notices on a company, it ultimately decided on a more practicable approach. It instead permitted existing practice to continue, i.e., using “contractual provisions” provided at the establishment of the customer relationship to inform customers that personal data may be transferred to regulators like the SEC. Registered entities may want to consider reviewing their standard customer terms & conditions and privacy notices to make sure such data transfers are made sufficiently “evident.”
b) Risk Assessment: Although the Swiss DPC agrees that – “in principle” – personal data can be transferred to the SEC, it requires a case-by-case analysis confirming that “there are not any overweighing interests of the data subject[s]” that stand in the way of the transfer. This assessment is required irrespective of whether a company believes its contracts permit data to be transferred to the SEC, or whether it takes the position that an SEC request creates an overriding public interest in the transfer. This will oblige registered entities to document risk assessments at the outset of SEC examinations that identify data subject interests, and assess why the need to provide data to the SEC outweighs identified impacts to data subjects. While companies may develop template assessments that can serve as a starting point for each SEC request they receive, the Swiss DPC seems clear it expects every SEC examination, investigation, or similar inquiry to have its own bespoke risk assessment. If possible, working with the SEC to reduce the quantity of personal data required to be (at least initially) produced may also provide a lessened risk profile.
By comparison, although the UK ICO also references the need for transparency with customers as it relates to potential data transfers to the SEC, the UK ICO imposes two guardrails on the process: (i) the firms must be satisfied that the SEC requests are within the scope of the SEC’s regulatory powers and the firms must maintain records of this analysis as a safe harbor in defense of any allegations of a breach of the UK GDPR’s data transfer rules; and (ii) SEC requests should not be large or systematic. While not expressly required by the Swiss DPC, these points could also be advisable to address in Swiss-facing risk assessments under headings of (i) lawfulness and (ii) proportionality, which Swiss data protection law generally requires in connection with transfers of personal data.
Lastly, the Swiss DPC expressly states its position does not address how other provisions of Swiss law, such as criminal provisions for breaches of bank secrecy, may affect the ability to share records with the SEC. The Swiss DPC states only that a criminal provision in Swiss data protection law – which criminalizes the sharing of “sensitive personal data” or “personality profiles” – would not “generally” render employees of Swiss registered entities subject to prosecution; instead, they would only be “exceptionally liable to prosecution” due to the limited scope of the crime.
These criminal law risks may still require registered entities to scrutinize proposed data transfers before making them. However, the Swiss DPC and the SEC have largely clarified the framework that can be followed to ensure that data transfers to the SEC in connection with examinations comply with Swiss data protection rules.