On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection law perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.”[2] No such “administrative arrangements” had been approved by the EDPB until now.

The EDPB’s opinion comes after the draft administrative arrangement was submitted to the Chair of the EDPB in January 2019 by the European Securities and Markets Authority (“ESMA”) and the International Organization of Securities Commissions (“IOSCO”). The EDPB’s opinions are intended to ensure consistent application of the GDPR throughout EU member states. Where any matter is of general application or will produce effects in more than one member state, the EDPB can examine and give an opinion on the matter. Once an opinion is adopted, each member state’s data protection supervisory authority should not deviate from the approved standards.

Purpose and key features of the administrative arrangement

The administrative arrangement will be available to all market regulators in the EEA; the EDPB noted in its opinion that the new mechanism is necessary to ensure “efficient international cooperation” between financial supervisory authorities and regulators. In making its assessment as to the adequacy of the administrative arrangement proposed by ESMA and IOSCO, the EDPB highlighted the following guarantees set forth therein:

  • Definitions of GDPR concepts and data subject rights: the administrative arrangement accurately reflects key data protection definitions and concepts, as these are provided for in the GDPR.
  • Principle of purpose limitation and prohibition on further use: the administrative arrangement is predicated on the idea that the financial supervisory authorities have specific responsibilities and regulatory mandates; transfers may only take place within the framework of such mandates (and not in a manner which is incompatible with such purposes).
  • Principle of data retention: financial supervisory authorities may only retain personal data for as long as is necessary for the relevant purpose.
  • Principle of data quality and proportionality: the administrative arrangement also requires financial supervisory authorities to ensure that the personal data transferred is adequate, accurate, and relevant.
  • Principle of transparency: the administrative arrangement requires that notice be provided to data subjects explaining the processing being undertaken (including the transfer), along with the rights available to them.
  • Security and confidentiality measures: each financial supervisory authority receiving personal data from the EEA must have appropriate technical and organizational measures in place to protect personal data from any accidental or unlawful access, destruction, loss, alteration, or unauthorized disclosure; the recipient authority must also inform the transferring authority as soon as possible in the event of (and must use reasonable and appropriate means to remedy) a personal data breach.
  • Safeguards relating to data subject rights: the administrative arrangement provides for data subject rights including the right of access and the right to have data rectified, erased, restricted, or blocked; such rights are exercisable against both the transferring and receiving financial supervisory authorities.
  • Restrictions on onward transfers: onward transfers to a third party that is (i) not an authority participating in the administrative arrangement and (ii) not covered by an adequacy decision from the European Commission may take place only with the prior written consent of the initial EU transferring authority along with appropriate assurances consistent with the safeguards in the administrative arrangement.
  • Redress: the administrative arrangement provides for a redress mechanism allowing the relevant data subjects to receive compensation in the event of any violation of their rights.
  • Oversight mechanism: an external oversight mechanism (ensuring the implementation of the safeguards) is included in the administrative arrangement. In the event of a negative review, a financial supervisory authority’s participation in the administrative arrangement could be suspended.

Next steps and implications

Member state data protection supervisory authorities may now authorize transfers under the administrative arrangement. Assuming that such authorizations are forthcoming, EEA financial supervisory authorities will need to enter into the administrative arrangement with their non-EEA counterparts, in order to avail themselves of this new mechanism.

Companies subject to oversight by securities regulators in multiple jurisdictions should pay close attention to the implementation of the administrative arrangement in the coming weeks and months. The administrative arrangement removes much of the uncertainty around the legality of data transfers between EU and non-EEA financial supervisory authorities under the GDPR. This is likely to lead to more free-flowing exchanges of enforcement and supervisory information and could increase the number of cross-border investigations and enforcement proceedings in the future.

The existence of an administrative arrangement, however, does not solve the complexities that regulated entities face in responding to requests for information involving personal data of EU citizens from non-EEA securities regulators, such as the US SEC. Such transfers will still require careful analysis to ensure compliance with the GDPR.

For more information, the opinion of the EDPB can be found here and the draft administrative arrangement can be found here.

[1] The EDPB is an independent body established by the EU’s General Data Protection Regulation 2016/679 (“GDPR”) composed of representatives of the national data protection authorities and the European Data Protection Supervisor, which can adopt general guidance on the GDPR and is also empowered to make binding decisions to ensure a consistent application of the GDPR.

[2] Article 46(3)(b) of the GDPR.