On January 19, the UK Information Commissioner’s Office (ICO) published its analysis of the impact of UK data protection law on transfers of personal data from certain UK-based firms to the SEC. Specifically, the ICO considered the application of the UK General Data Protection Regulation (UK GDPR) to transfers from UK-based firms or branches that are registered, required to be registered, or otherwise regulated by the SEC, including investment advisers and securities-based swap dealers. In addition, the ICO reviewed the application of the UK GDPR to transfers from UK issuers that have equity securities or depositary receipts registered with the SEC and listed on a US exchange or market. The ICO concluded that the UK GDPR does not impose legal barriers to the transfer of personal data from these entities directly to the SEC for regulatory or enforcement purposes.

The clarity provided by the ICO is a welcome development demonstrating that securities regulatory oversight frameworks can coexist with robust data protection standards. The ICO analysis also exemplifies the important cooperative relationship the SEC has established with UK authorities in carrying out our investor protection missions.

The ICO’s letter clarifies that the UK GDPR permits UK firms’ transfers of personal data to the SEC directly in connection with, among other things: (1) the SEC’s evaluation of the firms’ compliance with legal obligations in the United States, including during an examination; and (2) the SEC’s efforts to prevent and enforce against potential unlawful behavior. The ICO letter explains how UK firms with regulatory obligations to the SEC can rely on the “public interest” derogation of the UK GDPR when directly transferring personal data to the SEC.