Data protection
Direct transmission of information to the SEC

Célian Hirsch
(Translated by DeepL)
In a Memorandum dated 25 June 2021, the Federal Data Protection and Information Commissioner gives his opinion on the lawfulness of the transfer of personal data to the Securities and Exchange Commission (SEC) by Swiss companies registered with this American authority.
The SEC contacted the Federal Commissioner in December 2020 to find out if and under what conditions Swiss companies could transmit personal data to it as part of its oversight. Even if the Memorandum does not specify it, one imagines that the SEC feared that Swiss companies would invoke data protection in order not to fully cooperate with it.
The Commissioner begins by recalling the content of art. 42c of LFINMA. This provision sets out the conditions under which those subject to the law may directly transmit information to foreign financial market supervisory authorities. One of these conditions consists of guaranteeing the rights of clients and third parties, in particular their right to data protection (cf. Circular FINMA 2017/6 Cm 30).
The Commissioner therefore examines whether the transfer of data to the SEC complies with Swiss data protection law, in particular the rules on the cross-border communication of data (art. 6 DPA).
Art. 6 para. 2 DPA makes the communication of personal data to a State whose legislation does not ensure an adequate level of protection subject to a set of alternative conditions. As the United States does not have such a level of protection, the Commissioner examines whether one of the conditions set out in Art. 6 para. 2 DPA is met.
Firstly, such communication is valid if the person concerned freely consents to it. If the person suffers a disadvantage in the absence of consent, the consent may nevertheless be valid if two cumulative conditions are met: (1) there must be a relationship between the disadvantage and the purpose of the processing and (2) the disadvantage must not be manifestly disproportionate.
In this case, the fact that the person is refused any contractual relationship if they do not give their consent does not invalidate the consent in the eyes of the Commissioner. Indeed, a Swiss company cannot offer its services to customers who do not accept the transfer of their data to the SEC. There is therefore a relationship between the consent and the aim pursued by the Swiss company, and the disadvantage is not disproportionate for the customers. By contrast, for employees, consent cannot be given freely, because the resulting disadvantage would be the loss of their job. This disadvantage would thus be disproportionate.
Consent must be given in an informed manner, i.e. the data subject must have been informed that their data may be transmitted to the SEC. In addition, consent may be revoked at any time. Finally, according to the Commissioner, if the contract is terminated, consent can no longer serve as justification for a data transfer.
Secondly, communication abroad is also valid if ‘the processing is directly related to the conclusion or performance of a contract and the data processed concern the contracting party’ (art. 6 para. 2 let. c DPA).
The Commissioner considers that this condition is in principle met in the present case, even after termination of the contract. Nevertheless, the data subject (customer or employee) may have overriding private interests. The Swiss company must therefore analyse, on a case-by-case basis, whether such overriding private interests exist before transmitting the data to the SEC. Furthermore, the Commissioner expressly does not take a position on the compatibility of the transfer of data with criminal law, in particular from the perspective of banking secrecy (art. 47 LB).
Thirdly, communication abroad is valid if there is an overriding public interest (art. 6 para. 2 let. d DPA). Given that FINMA considers that art. 42c LFINMA expressly permits the direct transmission of information to the SEC, the Commissioner also infers the existence, in principle, of an overriding public interest. Nevertheless, as with the contract, the data controller must still examine whether the person concerned may have overriding private interests.
In a second part, the Commissioner examines whether the communication to the SEC complies with the other provisions of the DPA, in particular the principles of good faith and recognisability (art. 4 para. 2 and 4 DPA). The Commissioner considers that companies must inform data subjects in advance of the potential communication of their data to the SEC, but that they must not inform them after having actually transmitted them to the SEC upon request.
Finally, with regard to the duty of discretion, the violation of which is a criminal offence (art. 35 DPA), the Commissioner emphasises that this provision has a limited scope of application. Only sensitive data are covered. However, financial data are not in themselves sensitive data. Although the revised version of this provision covers all personal data (art. 62 nLPD), it should not apply if the communication respects data protection.
The Commissioner's opinion has been criticised by Vasella on datenrecht.ch. This author emphasises in particular that consent may continue after the end of a contractual relationship if the general terms and conditions expressly provide for this. Furthermore, he notes that when the communication is directly related to the conclusion or performance of a contract, there is no longer any need to examine whether there is still a possible overriding private interest, contrary to what the Commissioner maintains.
The Commissioner emphasises that his review is limited to Swiss law and does not cover European law. Regarding the transfer of data to the SEC from the perspective of the GDPR, the Information Commissioner’s Office (UK data protection authority) considers that the public interest allows such communication (art. 49 para. 1 let. d GDPR). The fact that this authority mentions neither the possibility of consent nor that of contract fulfilment is probably due to the European approach, which is much stricter than ours (cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, N 13 and 30).