EU regulations often cast a shadow far beyond the borders of Europe. This extraterritorial impact has been highlighted once more as the EU’s General Data Protection Regulation (GDPR), more than a year after its implementation, hinders certain EU firms wishing to conduct business in the US.
As a reminder, GDPR is the EU data protection regime that looks to safeguard the use of personal data of EU citizens regardless of where that data is transferred to or from. Hence, it is yet another European regulation with global impact. Under GDPR, the transfer of personal data outside the European Economic Area is subject to certain rules and depends on whether the European Commission has approved the third country through what’s known as “an adequacy decision.” In the absence of such a decision, data transfers between the EU and the third country are more difficult. Currently, the US does not have such an agreement in place.
A Disconnect Across the Pond
Recently, it’s come to light that the US Securities and Exchange Commission (SEC) has been refusing investment advisor applications from some EU firms because it believes GDPR will prevent those firms from complying with SEC regulations. For example, the SEC requires access to certain information such as emails and other electronic communications in order to conduct its supervisory and investor protection work.
If the SEC continues to refuse these types of applications, it would effectively mean EU firms servicing US clients would be unable to continue to do so unless all operations related to that client, including the portfolio managers, were moved to a jurisdiction not affected by the GDPR – a large burden for EU-based cross-border asset managers.
However, others argue the SEC’s concerns are unfounded, given that GDPR contains provisions requiring firms to share data with a third country regulator upon a legitimate request. GDPR’s Article 49 derogation means that personal data can be transferred if it is necessary for the completion of activities by the data exporter, which would include a regulator request in a market in which the GDPR firm operates. While the issue is significant, it may also be short-lived. The SEC and the European Commission plan on meeting in February 2020 in an attempt to find common ground with regard to data privacy concerns on both sides of the pond.
There has also been much debate and speculation on whether the US will frame its own federal regulation on data privacy. So far, some states have taken the issue into their own hands, like California’s Consumer Protection Act (CCPA). But it’s also unlikely that we will see a US regulation as far reaching as GDPR in the near future.
What’s Brexit Got to Do with It?
GDPR’s reach is not just an issue between the EU and US. Our old friend Brexit means that the UK and EU also need to consider what their exchange of data looks like in a post-Brexit world.
For now, the UK remains an EU member state and, as such, has already adopted GDPR. However, should the UK ultimately leave the EU, particularly without a deal, then UK-regulated firms will have to consider how to ensure ongoing compliance with GDPR. There are 3 primary routes to compliance, post-Brexit:
- Adequacy Decision: EU regulators deem the UK as equivalent, but this process can take time and, as we’ve highlighted before, is both a political and regulatory decision.
- Binding Corporate Rules (BCR): BCRs are internal data transfer rules for multinationals. They allow firms to transfer data to countries without a deemed “adequate” level of protection so long as the firm itself operates to GDPR standards regardless. They are a hugely challenging undertaking for a firm and can be lengthy.
- Model Contract Clause: these are EU-approved contractual clauses that may be used by an EU data controller when transferring data to a non-EU or non-EEA controller or processor.
All eyes now turn to the highly anticipated February meeting between the US and EU. In an era of unprecedented global interconnectedness and interdependence, but heightened bilateral trade and political tension, there are asset managers on both sides of the Atlantic who will hope the meeting results in agreement. A positive outcome would facilitate the continued exchange of information and the ability to conduct business seamlessly in each other’s territory.