- The FDPIC considers transfers to the SEC to be possible in principle, provided that the requirements of Art. 42c FINMASA and the FINMA Circulars are met.
- Legal basis for transfers: Consent pursuant to Art. 6 para. 2 lit. b FADP, contract processing pursuant to Art. 6 para. 2 lit. c or overriding public interest pursuant to lit. d.
- Companies must weigh up individual interests; the transparency obligation applies to procurement, and in principle there is no general obligation to provide subsequent information.
In a letter dated August 4, 2021, to the U.S. Securities and Exchange Commission (SEC), the FDPIC issued and published an opinion on the admissibility of data transfers by certain Swiss financial firms to the SEC.
The background to the opinion is a requirement under U.S. law: Swiss financial firms must also provide certain documents to the SEC upon request if they are registered or required to register with the SEC in a certain capacity (e.g., as asset managers/investment advisors, as broker-dealers or as SBSDs, security-based swap dealers) or if they are regulated by the SEC. This currently appears to affect approximately 75 firms or branches established in Switzerland. In the course of an examination, the SEC can demand certain information directly from the company concerned, depending on the specific subject of the examination, e.g. internal process documentation, employee lists, board of directors (VR) minutes, customer contracts, transaction documentation, etc. As the SEC informed the FDPIC (reproduced in the FDPIC's opinion), it treats this information confidentially, but information can be passed on to other authorities and is apparently subject to the US right of public access (freedom of information).
The FDPIC assesses the relevant Swiss law in this context as follows:
Applicable provisions
The FDPIC’s opinion does not address the legal situation according to the GDPR, although this may apply to the relevant Swiss companies. However, the FADP is applicable. The application exclusions of Art. 2 of the current FADP do not apply, in particular the exclusion of pending proceedings according to Art. 2 (2) lit. c FADP.
Art. 42c FINMASA
The FDPIC first expresses its opinion on Art. 42c para. 1 FINMASA. This provision allows the direct transmission of non-public information by supervised entities to the competent foreign financial market supervisory authorities and other foreign entities entrusted with supervision. As a result, Art. 271 SCC is not violated in this case either (on the basis of Art. 14 SCC). This direct transmission, unlike that under Art. 42c para. 2 FINMASA, is only permissible to authorities that use this information exclusively for the enforcement of financial market law or forward it to other authorities, courts or bodies only for this purpose and that are bound by official or professional secrecy (Art. 42c para. 1 in conjunction with Art. 42 para. 2 FINMASA). In addition, the rights of the persons concerned must always be safeguarded. To this end, FINMA has published the recently partially revised Circular on direct transmission. It also publishes a list of authorities that are expected to meet the requirements, including the SEC.
The FDPIC is content here with a reference to the list of authorities and adds that FINMA recently confirmed (to whom and when remains open) that there is no reason to believe that a direct transfer to the SEC would not meet the requirements of Art. 42c para. 1. FINMA apparently also considers the principle of speciality (Art. 42c para. 1 in conjunction with Art. 42 para. 2 FINMASA) to be respected, although the SEC has confirmed to the FDPIC that it may pass on information to other authorities.
Admissibility of disclosure according to Art. 6 FADP
With reference to Art. 6 FADP, the FDPIC states that Art. 42c FINMASA is not a basis for the transmission to an insecure third country such as the U.S., especially since Art. 42c para. 1 FINMASA states that the rights of clients and third parties must be protected, and the aforementioned FINMA Circular states that bank-client confidentiality, the provisions on data protection and the rights arising from the employment relationship must be protected under this heading.
However, Art. 6 para. 2 FADP could at least help:
Consent to the transfer could possibly be obtained from the data subjects (Art. 6 para. 2 lit. b FADP):
- Such consent is voluntary even if the company concerned would not enter into a contract with the data subject without such consent. The FDPIC justifies this with the factual necessity of the transfer to the USA, i.e. arguably with the fact that it is not abusive to require consent here. The consent could also be obtained in general terms and conditions (GTC).
- If a customer revokes consent, the customer relationship would have to be terminated so that the company does not violate U.S. law.
- In the event of termination of the contract, the consent could no longer be a basis for the transmission. This is likely to be incorrect; there is nothing to prevent the GTC from obtaining consent that outlasts the contract. However, the GTC should explicitly state that the consent survives the contract.
- An employee can in no way voluntarily consent to disclosure of his or her information to the SEC, because he or she may not be working for such a company voluntarily and the loss of employment would be unacceptable.
Likewise, the exception for contract processing (Art. 6 para. 2 lit. c FADP) could apply, because the disclosure is necessary for the performance of the contract between the company subject to the information obligation and the customer:
- This would apply even if the contract in question no longer existed, i.e. after a contract termination. However, a balancing of interests must also be carried out: The context of the contract does not permit disclosure to arbitrary authorities; it must be examined, for example, whether the relevant foreign law is comparable to Swiss law and whether the foreign authority is subject to appropriate confidentiality provisions. Both are the case here.
- Art. 6 para. 2 lit. c FADP also applies to employee data: the SEC is entitled to demand the disclosure of such information to the extent that the disclosure to the SEC is directly related to the employment relationship; Art. 328b of the Swiss Code of Obligations does not preclude such disclosure either. Here, however, it must again be examined whether there is really an overriding interest in the disclosure.
In addition, there is also an overriding public interest in the disclosure to the SEC. It is true that a public interest pursuant to Art. 6 para. 2 lit. d FADP must be examined with reference to the individual case, not with reference to a general practice. However, the legislator had already made an assessment in Art. 42c FINMASA that direct transmission should be possible.
Additional weighing of interests in case of justification by contractual connection?
The FDPIC states that even if the disclosure itself is justified by the contractual context, an additional balancing of interests must be carried out:
The FDPIC […] is […] of the opinion that – from the perspective of data protection – a cross-border transfer of data to the SEC can be justified either by contract (Art. 6 para. 2 let. c FADP; see above 2.4.3 and 2.4.4) or by an overriding public interest (Art. 6 para. 2 let. d FADP; see above 2.4.5), provided that, in the individual case, there are not any overweighing interests of the data subject that do not allow for the disclosure. It is the duty and responsibility of the relevant Swiss firm to analyze whether there could be such overweighing interests of the data subject.
What the FDPIC bases this requirement on remains unclear, however, and is also not justified (except with a reference to Art. 13 DPA, which is not actually relevant). Art. 6(2)(c) FADP (contractual connection) is already an expression of a legal balancing of interests; there is no room for a further balancing of interests (unlike in the case of overriding public interest). The requirement to take the interests of the data subjects into account can also be justified by the fairness requirement and, in the employment relationship, by the duty of care, but even then the explicit legislative values should not dissolve in a cloud of general weighing of interests. As a result, it would be more appropriate to allow the application of Art. 6(2)(c) DPA (contractual connection) to suffice and to examine special conflicting interests only if they have been actively raised and justified by the data subject and if they carry particular weight.
Transparency
The FDPIC notes that both the principle of transparency and the duty to inform under the revDSG apply to the stage of procurement and do not refer to any other processing. The company subject to the reporting obligation usually provides information about the contractual relationship when the contractual relationship is established. This is sufficient; in this case, the company does not have to provide further information about the actual disclosure or the associated processing.
In this way, the FDPIC also states that, in principle, there is no obligation to provide follow-up information if the procurement changes at a later date (subject to a change of purpose, if this is regarded as a new procurement, and subject to consent in the individual case).
Big and small professional secrets
The FDPIC expressly leaves open whether a disclosure is also permissible under a special professional secrecy (bank client secrecy, FINIG secrecy, etc.) or whether a waiver must be obtained. In any case, it would be conceivable to obtain a waiver in the general terms and conditions. It would also be conceivable, but probably more tricky, to simply make a clear reference to transfers to the SEC. A customer who nevertheless concludes a contract with the company subject to the information obligation has impliedly consented and cannot, on the facts of the case, have any discernible intent of secrecy to the effect that such a transmission should not take place.
The FDPIC then also addresses Art. 35 FADP and Art. 62 revDSG, i.e. the “minor professional secrecy” or “data secrecy”, meaning the prohibition of the disclosure of secret, job-related data (under Art. 62 revDSG; under the FADP, only of personality profiles or data requiring special protection). It does not go into details here, but holds that in its opinion, disclosure in conformity with data protection does not violate Art. 35 FADP or Art. 62 revDSG. In our view, this is correct. The legal nature of Art. 62 revDSG is not clear and already disputed, but according to our interpretation, disclosure of secret personal data cannot be a crime if it meets the requirements of data protection law. In this sense, Art. 62 revDSG is a norm under data protection law.