The Securities and Exchange Commission (SEC) works with a global network of securities regulators and law enforcement authorities to facilitate cross-border regulatory compliance and help ensure that international borders are not used to escape detection and prosecution of fraudulent securities activities. In connection with these efforts, the SEC has obtained personal data of non-U.S. citizens.
The SEC has safeguards in place to protect personal data, as discussed further below. In addition, the SEC adheres to the Fair Information Practice Principles (FIPPs) and applicable laws to ensure suitable privacy protections are appropriately afforded to all persons, regardless of citizenship and immigration status with respect to all information about individuals that it collects, maintains, uses, or disseminates. The SEC has also signed the IOSCO Administrative Arrangement for the transfer of personal data between European Economic Area (“EEA”) and non-EEA securities regulators (“the Administrative Arrangement”) and is committed to have in place the safeguards set out in the Administrative Arrangement.
How and Why Does the SEC Process and Transfer Personal Data
The SEC may obtain personal data about non-U.S. citizens in connection with its operations. Functions that require the SEC to obtain and process personal data about non-U.S. citizens include examinations of regulated entities, investigations into possible violations of the federal securities laws, and prosecutions of civil suits in the federal courts as well as in administrative proceedings. In examinations, investigations, and enforcement actions, the SEC reviews individuals’ financial transactions and communications and other personal data to help it determine whether the federal securities laws are being complied with and, where appropriate, to establish that violations exist. The SEC will not use personal data in a manner that is incompatible with its regulatory, supervisory, or enforcement purposes or with the purpose for which the information was obtained.
The SEC obtains personal data for its examinations, investigations, and enforcement actions from a variety of sources, including from the entities and individuals it examines and investigates; from other regulators, both domestic and foreign; from entities and individuals with information about the persons being examined or investigated; and from publicly available sources. The SEC provides information security protections for the personal data that it receives to protect the personal data from accidental or unlawful access, destruction, loss, alteration, or unauthorized disclosure. Those protections include both technological protections and policies and procedures that all SEC employees must follow.
The SEC may transfer personal data about non-U.S. citizens that it obtains in examinations, investigations, and enforcement actions to others to further its examinations, investigations, and enforcement actions. For example, the SEC may transfer personal data in the course of examinations to verify that customer assets are where regulated entities claim they are. The SEC may also transfer personal data in the course of both examinations and investigations to obtain additional information from people and entities with information about the matters being examined or investigated. If the SEC brings an enforcement action, the SEC may transfer personal data to the parties to the litigation, to the court, and to other people and entities involved in the litigation.
The SEC may also transfer personal data it has obtained in examinations and investigations to other authorities, including authorities who investigate and bring criminal actions, to support their regulatory and enforcement efforts. Those authorities include agencies of the United States, state regulators, self-regulatory organizations, and foreign authorities. Whenever appropriate, the SEC transfers personal data to other authorities pursuant to assurances of confidentiality. When the SEC transfers personal data to foreign authorities, it generally relies on cooperation arrangements, including memoranda of understanding such as the IOSCO Multilateral Memorandum of Understanding, that contain strict confidentiality provisions and use restrictions. The SEC transfers personal data when it has reason to believe the receiving authority will comply with the applicable confidentiality provisions.
For transfers of data to which the Administrative Arrangement applies, the SEC will only transfer personal data that are adequate, relevant, and limited to what is necessary for the purposes for which they are transferred. The SEC will also ensure that to the best of its knowledge the personal data that it transfers are accurate and, where necessary, up to date.
Can Non-U.S. Citizens Learn If the SEC Has Their Personal Data and Get Access to It?
Under the Freedom of Information Act (“FOIA”) (5 U.S.C. § 552), all persons, regardless of citizenship, may request access to data about them in SEC records and can obtain records that do not come within a FOIA exemption or exclusion. The SEC’s FOIA regulations explain the process for making a FOIA request, and a FOIA request can be made through the SEC’s website. Adverse decisions can be appealed to the SEC’s Office of General Counsel, and this right of access is enforceable in court.
Records containing personal data about non-U.S. citizens may come within FOIA exemptions and may therefore not be disclosed. Records or information compiled for law enforcement purposes are exempted from disclosure under FOIA to the extent disclosure could “interfere with enforcement proceedings,” cause “an unwarranted invasion of personal privacy,” “disclose the identity of a confidential source” or “disclose techniques and procedures for law enforcement investigations or prosecutions.” SEC records contained in or related to examination, operating, or condition reports are generally exempt in their entirety.
Can Non-U.S. Citizens Ask the SEC to Confirm that Their Personal Data Are Complete, Accurate, and Up to Date and Ask the SEC to Delete or Not Use Data that Is Not Complete, Accurate, or Up to Date?
To facilitate the SEC’s receipt of accurate information, the SEC allows non-U.S. citizens to request amendment or correction (including deletion) of records using the procedures described in the SEC’s Privacy Act regulations if they believe records maintained by the SEC are not accurate, timely, or complete or are not necessary or relevant to accomplish a statutory purpose of the SEC (even though the Privacy Act applies solely to U.S. citizens or aliens lawfully admitted for permanent residence). Non-U.S. citizens may also use the procedures described in the SEC’s Privacy Act regulations to request an accounting of instances in which personal data has been disclosed. The procedures for seeking amendment, correction, or an accounting of disclosures do not apply to records that contain investigatory materials compiled for law enforcement purposes, and they do not apply to records that are not retrieved by the name of an individual or by an identifying number, symbol, or other identifying particular assigned to the individual.
Non-U.S. citizens may appeal a denial of a request to amend or correct records or to provide an accounting of transfers to the SEC’s General Counsel. A non-U.S. citizen (other than an alien lawfully admitted for permanent residence) cannot bring suit for an alleged failure to amend or correct records or otherwise comply with the Privacy Act unless he or she has that right under the Judicial Redress Act of 2015, 5 U.S.C. § 552a note. The Judicial Redress Act allows non-U.S. citizens to challenge a denial of a request for amendment or correction in a U.S. court if the records at issue were transferred to a U.S. agency pursuant to the Data Protection and Privacy Agreement, which applies to transfers of personal datafor purposes of preventing, investigating, detecting, or prosecuting criminal offenses.
Who Should Non-U.S. Citizens Contact if They Believe Their Personal Data Has Not Been Handled Properly?
Non-U.S. citizens who are seeking amendment or correction of a record should follow the procedures described in the SEC’s Privacy Act regulation as discussed in the prior section. Requests may be made by facsimile (202-772-9337), email (firstname.lastname@example.org), or using the Office of FOIA Services’ online form. Requests may also be mailed (in envelopes marked “Privacy Act Amendment Request”) to:
Office of FOIA Services
Securities and Exchange Commission
100 F Street NE, Mail Stop 2745
Washington, DC 20549
Non-U.S. citizens who believe information about them may have been improperly disclosed can contact the SEC’s privacy officials at email@example.com or can mail a question or complaint to:
Securities and Exchange Commission
Office of Information Technology
100 F Street, NE
Washington, DC 20549-2654