Switzerland and United Kingdom Issue Guidance for Data Transfers to SEC

Businesses and organizations registered with the U.S. Securities and Exchange Commission are often required to share personally identifiable information (PII) with the regulatory body.

But for entities that have operations outside of the U.S., complying with SEC requests has created a legal conundrum since the European Court of Justice’s Schrems 2.0 ruling, which invalidated the EU-U.S. Privacy Shield agreement and banned data transfers to third countries that don’t meet the General Data Protection Regulation’s (GDPR) security and privacy standards.

Now, organizations have a way to comply with SEC requests, as the Swiss Federal Data Protection and Information Commissioner (DPO) released a framework through which the SEC can process information requests from EU entities. The UK Information Commissioner’s Office (ICO) also published a letter to the SEC outlining the steps SEC registrants should take to remain compliant with UK law.

The Swiss DPO’s framework requires that the following conditions be satisfied before a data transfer to the SEC: the transfer is needed to fulfill a contractual obligation to a client and/or the SEC; the SEC agrees to Swiss standards of confidentiality; the data transfer serves a public interest; entities make their customers aware (via contractual provisions) that personal data may be transferred to the SEC; and entities conduct a case-by-case risk assessment of each data transfer to ensure that customers would not be harmed by having their data transferred.

The UK ICO’s guidance takes a similar approach, citing a need for transparency, but also requires entities to verify the SEC’s data transfer requests are relevant to the SEC’s regulatory purview, and that “SEC requests should not be large or systematic.”

For additional information, read JD Supra’s report.
