Privileged and confidential
Roschier Advokatbyrå AB
Brunkebergstorg 2
P.O. Box 7358
SE-103 90 Stockholm
Sweden
 
Reg. office: Stockholm
Business ID 556686-5670
 
21 October 2021
UBS AG London Branch
5 Broadgate
London EC2M 2QS
 
 
Re: UBS SEC registration as a non-resident security based swap dealer
 
Dear Sir or Madam,
 
1. BACKGROUND
1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States ("US") Securities and Exchange Commission ("SEC") as a non-resident security-based swap ("SBS") dealer ("SBSD").
1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:
(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs to ("Covered Books and Records"); and
(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC ("On-Site Inspection").
1.3 Associated persons of UBS AG located in Sweden who effect SBS transactions on behalf of UBS AG will be employed by the Swedish Branch of UBS Europe SE ("UBS ESE SE") which is incorporated in Germany and authorised to provide services in Germany and Sweden (among other jurisdictions). Accordingly, UBS ESE SE will maintain certain Covered Books and Records in Sweden on behalf of UBS AG.
1.4 You have asked us to issue an opinion where we consider whether (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE SE in Sweden and (b) UBS ESE SE can submit to On-Site Inspection by the SEC of UBS AG's Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph .[2]

[1] In the case of a corporation, an SBSD will be "non-resident" if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a "non-resident" SBSD.
 
1.5 This opinion is structured as follows:
(a) Section : ;
(b) Section : ;
(c) Section :
(d) Section :
(e) Annex 1: Opinion; and
(f) Annex 2: Assumptions.
2. SUMMARY OF OPINION
Subject to the assumptions and qualifications below it is our opinion that:
2.1 UBS ESE SE can, as a matter of applicable Swedish law, submit to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE SE's ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Sweden and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.
2.2 UBS ESE SE can, as a matter of applicable Swedish law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE SE in Sweden either by disclosure of Covered Books and Records to UBS AG London Branch for onward disclosure to the SEC as decided by UBS AG London Branch or to the SEC in the course of On-Site Inspections in Sweden.[3]
 
Data Protection[4]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE SE's clients and staff are subject to certain restrictions under the GDPR, particularly where this involves a cross-border transfer to a country or territory that the European Commission has not found to have an 'adequate' data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would potentially be available to UBS ESE SE were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch or to the SEC in the course of On-Site Inspections in Sweden.
 
[2] In accordance with Assumption in Annex 2, this opinion does not cover the direct provision of Covered Books and Records by UBS ESE SE to the SEC as this information would instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.
[3] Where a restriction on the ability to transfer personal data or to disclose confidential or private information applies, consent from the person affected (e.g. a data subject under applicable data protection legislation or a person whose information is covered under bank secrecy rules), validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that we have assumed at Assumption of Annex 2 that UBS ESE SE has validly obtained such consent.
[4] Please refer to section of Annex 1 for definitions of GDPR.
 
 
 
2.4 We anticipate that valid consent (where applicable) or the legitimate interest legal basis for the processing of personal data are likely to be the most likely applicable grounds under the GDPR to enable disclosure of Covered Books and Records to UBS AG London Branch and any onward transfer to the SEC[5], and to permit On-Site Inspection.
Duties of confidentiality
2.5 UBS ESE SE is most likely subject to the banking confidentiality provisions of the Swedish Banking and Financing Business Act 2002 (Lag (2004:297) om bank- och finansieringsrörelse) (as amended), which provides that information about the relationship between private subjects (including both natural persons and legal entities) and the bank may not be disclosed without authorisation. It may reasonably be assumed that consent that satisfies the requirements of the GDPR would also satisfy the requirements for authorised disclosure under the banking confidentiality rule.
Privacy and Human Rights
2.6 Protection of personal data and protection from intrusion of rights of privacy is set out in Articles 7 and 8 of the EU Charter of Fundamental Rights. The rules only apply to legislators and authorities of a member state when they are interpreting or implementing union law. Consequently, the Charter does not prevent UBS ESE SE from transferring data to the US as long as the transfer is in accordance with applicable law, such as the GDPR.
2.7 Further, Sweden is a party to the European Convention on Human Rights. The Convention provides for rights similar to the Charter, but is not limited to matters of union law. Article 8 of the Convention establishes the general right to "respect for his private and family life, his home and his correspondence". Under the constitutional rule of Chapter 2, Section 19 of the Instrument of Government (Regeringsformen), Swedish legislation must conform to the provisions of the Convention and under the European Convention on Human Rights Act 1994 (lag (1994:1219) om den europeiska konventionen angående skydd för de mänskliga rättigheterna och de grundläggande friheterna) (as amended). The Convention also has the force of Parliamentary statute.
2.8 Action for a misuse of private information under Article 8 requires a reasonable expectation of privacy to exist; this is unlikely where valid consent to disclosure of the relevant information has been given.
2.9 This summary opinion is not a substitute for the full expression of our views set out in Annex 1.
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS
3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE SE in Sweden and On-Site Inspection of UBS ESE SE by the SEC in Sweden. This opinion applies equally to remote access from the United States to Covered Books and Records held in Sweden. This opinion excludes books and records held in the US. This opinion relates solely to matters of Swedish law and European Union (EU) law that is directly applicable in Sweden (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union).

[5] Although UBS AG London Branch would still have to comply with the requirements set out in EU law in relation to any onward transfer to a third country. Any transfer of personal data to UBS AG London Branch for the sole purpose of transferring it onwards to the SEC would require due consideration of the requirements under EU or Swedish law (absent which, the transfer would likely be disqualified by the Swedish Authority for Privacy Protection as an attempt to circumvent the restrictions on third country transfers of personal data).
 
3.2 This opinion has been prepared in accordance with UBS AG's specific instructions as to the scope of the opinion. For this purpose, we have been provided with guidance from a third party US law firm which we have used to inform the scope of our opinion.
3.3 This opinion only covers access to and the On-Site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:
(a) relate to the US business[6] of the non-resident SBSD.[7] These are the records that relate to an SBS that is either:
(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a "U.S. Person" as defined in 17 CFR § 240.3a71-3(a)(4)[8] ("US Person") (other than an SBS conducted through a foreign branch of such US Person[9]); or
(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States ("US branch") or office or by the personnel of an agent of the non-resident SBSD located in a US branch or office;[10] or
(b) constitute financial records necessary for the SEC to assess the non-resident SBSD's compliance with the SEC's margin and capital requirements, if applicable.[11]
 
3.4 Further to Assumption 1, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph . For this opinion, the term "Covered Books and Records" extends to these record types alone.
3.5 This opinion covers data relating to:
(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE SE) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE SE (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE SE acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and
(b) the activities of the staff of UBS ESE SE pertaining to UBS AG's SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG's counterparty is a US Person or a non-US Person).
This opinion only covers transactions entered into by UBS AG where UBS ESE SE is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE SE and its own counterparties (even though UBS ESE SE may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion).

[6] As defined in 17 CFR § 240.3a71-3(a)(8).
[7] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the "SEC Guidance").
[8] A "U.S. person" means any person that is "(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death." 17 CFR § 240.3a71-3(a)(4).
[9] A "foreign branch" means "any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located." (17 CFR § 240.3a71-3(a)(2)). An "SBS conducted through a foreign branch" means an SBS that is "arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States." (17 CFR § 240.3a71-3(a)(3)(i)).
[10] 17 CFR § 240.3a71-3(a)(8)(i)(B).
[11] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC's margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see the Assumption set out in Annex 2.
3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.
 
3.7 In giving this opinion, we have made the further assumptions set out in Annex 2.
 
3.8 No opinion is expressed on matters of fact.
 
3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE SE staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent).[12] The consent will only be valid if UBS ESE SE offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE SE also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome.
 
4. REVISIONS TO APPLICABLE LAW
 
4.1 We note that the SEC rules[13] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:
(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;
(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or
(c) impact the ability of the SEC to conduct On-Site Inspections.

[12] The Swedish Authority for Privacy Protection also acknowledges this issue on its website, stating that employee consent may not, as a main rule, be relied upon by the employer.
[13] 17 CFR § 240.15Fb2-4(c)(2).
4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
 
4.3 This opinion relates solely to the laws of Sweden and EU law that is directly applicable in Sweden (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.
5. RELIANCE AND CONFIDENTIALITY
5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.
5.2 This opinion is not to be disclosed to any person outside of UBS AG's group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:
(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG's SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and
(b) to UBS AG's affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).
5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph will be subject to the same restrictions on disclosure as set out above.
5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
5.5 The terms and conditions applicable to all our matters are available on our website, https://www.roschier.com/general-terms-and-conditions/.
 
 
Yours faithfully,
ROSCHIER ADVOKATBYRÅ AB
 
 
 
ANNEX 1
OPINION
1. DATA PROTECTION
1.1 The General Data Protection Regulation 2016/679 (the "GDPR"), the Swedish Data Protection Act (2018:218), and the Swedish Data Protection Ordinance (2018:219) as well as regulations issued by the Swedish Authority for Privacy Protection will apply to UBS ESE SE's disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE SE staff as well as clients.
 
1.2 Under the GDPR, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of 'special category data' – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBS ESE SE's disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.
1.3 Key restrictions in the GDPR relating to UBS ESE SE's ability to disclose personal data to the SEC are set out below.
Legal basis for the disclosure
1.4 UBS ESE SE requires a legal basis under Article 6 of the EU GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Data cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please see section 2 below). Whilst there are a number of Article 6 legal bases on which UBS ESE SE may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE SE will need to consider the most appropriate legal basis to apply to any given situation.
1.5 The Article 6 legal bases most applicable to UBS ESE SE, together with their respective limitations, are as follows:
(a) Consent (Article 6(1)(a)): In order for consent to be valid under the GDPR, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[14]
 
(b) Legitimate interests (Article 6(1)(f)): This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE SE must:
(i) identify its, or a third party's legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC's disclosure request;
(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and
(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own. If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE SE or the third party.

[14] Please also refer to limitations on the applicability of consent discussed in paragraph of section . Please note that valid consent is assumed at Assumption in Annex 2.

An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBS ESE SE would need to demonstrate 'compelling' legitimate grounds to process the data that override the rights, freedoms and interests of that individual.
The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account "the reasonable expectations of data subjects based on their relationship with the controller". With this in mind, UBS ESE SE may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(A) clients are aware, due to statements contained in their terms of business with UBS AG, of the US nexus when they engage in SBS transactions and, due to their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and
(B) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as 'associated persons' for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an 'SBS associated person questionnaire', which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC's oversight of SBS transactions.
 
 
 
 
In addition, while focused on the relationship between the SEC and the ECB, the existence of the Memorandum of Understanding entered into by the SEC and the European Central Bank (ECB)[15] (the ECB MoU)[16] may arguably be taken to mean that the SEC's access to information, including personal data, held by financial institutions in the EU is compatible with EU law, even if Sweden has not acceded to the European banking union and the ECB therefore has no jurisdiction in Sweden for these purposes.[17]
 
Also relevant to this balancing of interests are that the SEC will:
(1) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[18] and
(2) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[19]
 
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE SE is subject (Article 6(1)(c)): There must be a Swedish nexus in order for UBS ESE SE to be able to rely on this legal basis. Article 6(3) requires that the legal obligation must be laid down by Swedish or EU law, although this does not have to be an explicit statutory obligation for the processing of data, as long as the application of the law is foreseeable to UBS ESE SE as the person subject to it.[20] It should therefore be noted that a request from the SEC in the absence of a Swedish legal requirement would not justify the disclosure as being necessary for compliance with such an obligation. We further note that the ECB MoU does not create any legally binding obligations.[21]
 
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): There must be a Swedish nexus in order for UBS ESE SE to be able to rely on this legal basis. The relevant public interest must be recognized in either Swedish or EU law. In this case, we have not been able to identify any public interest that would permit the disclosure to the SEC, nor the transfer of personal data to the UBS AG London Branch for the purpose of providing information to the SEC. For the avoidance of doubt, since Sweden has not acceded to the European banking union, the ECB MoU is not sufficient to demonstrate the existence of a relevant public interest.

[15] As UBS Europe SE qualifies as a "significant institution" within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.
[16] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).
[17] For the avoidance of doubt, we note however that the ECB MoU does not stipulate any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.
[18] Please refer to Assumptions and in Annex 2, as well as Article II and paragraph 49 of the ECB MoU.
[19] Please refer to Assumption in Annex 2, as well as paragraph 56 of the ECB MoU.
[20] Recital 41 GDPR.
[21] Article II paragraph 27 of the ECB MoU.
1.6 Based upon the above, the legitimate interest as a legal basis for processing is likely to be the most appropriate Article 6 ground on which UBS ESE SE could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. For UBS ESE SE to rely on the legitimate interests ground, UBS ESE SE would need to undertake a balancing test as outlined above.
1.7 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBS ESE SE might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US person.[22] However, to the extent that this does occur, and such information is held by UBS ESE SE, in addition to an Article 6 legal basis, UBS ESE SE will need to establish an additional legal basis for processing under Article 9 of the EU GDPR if it discloses special categories of data to the SEC. Other than valid consent,[23] the Article 9 legal basis that is most likely to apply to disclosure of Covered Books and Records is that processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)).
1.8 Similarly, UBS ESE SE's processing of personal data relating to criminal convictions and offences is highly restricted, and such data can only be disclosed, transferred or otherwise processed where authorised by one of the conditions in (i) Chapter 3, Paragraphs 8 and 9 of the Swedish Data Protection Act, (ii) Paragraph 5 of the Swedish Data Protection Ordinance, or (iii) Swedish Authority for Privacy Protection, Regulation 2018:2. Of these conditions, the most likely to apply to the disclosure to the SEC is processing of personal data in relation to legal claims (Paragraph 5 of the Swedish Data Protection Ordinance). This condition is met if the processing is necessary for the purpose of, or in connection with, establishing, exercising or defending legal rights, as well as to perform an obligation under applicable Swedish and/or EU law. In practice, this restriction on UBS ESE SE is dealt with by this information being provided and/or transferred directly by the individual (here, staff of UBS ESE SE) to the requesting party (here, the SEC).
Data protection principles
1.9 In addition to establishing a legal basis for the disclosure, UBS ESE SE would need to ensure that its disclosures are compliant with the remaining requirements under the GDPR, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE SE must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
[22] As we understand, is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
[23] Article 9(2)(a) GDPR – please also refer to limitations on the applicability of consent discussed in paragraph of section
 
 
 
 
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in 'data dumps' and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE SE to verify this and implement its own compliance measures.
International transfers
1.11 The general principle in the EU GDPR is that UBS ESE SE may not transfer personal data to a jurisdiction outside the European Economic Area unless it can satisfy a condition for the transfer as set out in Chapter V of the GDPR.
 
1.12 Article 45 of the EU GDPR allows for UBS ESE SE to transfer personal data to a recipient outside the EU/EEA where the transfer is based on an adequacy decision by the European Commission, identifying a specific country as a country that provides a sufficient level of protection for personal data. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[24] allows transfers of personal data from the EU/EEA, including Sweden, to the UK to be made freely. Any transfer from UBS ESE SE to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE SE’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR including, in relation to UBS ESE SE, national legislation on data protection in Sweden.[25] To the extent Swedish law corresponds with the EU GDPR, the rules are similar to international transfers under the UK
[24] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.
[25] According to Chapter 1, Section 5 of the Swedish Data Protection Act (2018:218), further supplemented by the Swedish Data Protection Ordinance (2018:219), national legislation on data protection applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in Sweden. Considering the objectives of the GDPR, it is our interpretation that mere onward transfer must be assessed based on the laws in the country of origin, which in this case is Sweden.
 
 
 
 
GDPR. As noted by the European Commission’s adequacy decision for onward transfers from the UK, the regime on international transfers under the UK GDPR[26] and UK Data Protection Act 2018 is “in substance identical” to the transfer regime under the EU GDPR.[27] The primary options available to UBS AG London Branch pursuant to EU GDPR and restrictions under Swedish law applicable to UBS ESE SE when disclosing UBS ESE SE’s Covered Books and Records to the SEC in the US are as follows:[28]
 
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations from the transfer prohibition are potentially available for facilitating UBS ESE SE's transfer of personal data contained in UBS ESE SE’s Covered Books and Records to the SEC. These derogations include explicit consent, public interest, handling of legal claims and legitimate interest. Of these derogations, we consider explicit consent or legitimate interest to be the most viable solution.
 
 
(i) Explicit consent (Article 49.1 (a)): This is likely to be the most viable derogation for direct transfer from Sweden to the US, or from Sweden via UK to the US, in the current situation. For a transfer to be lawful based on explicit consent, the consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes.[29] By "freely given" the individual should be offered the genuine choice and must be able to refuse or withdraw a previously given consent without negative consequences. Furthermore, for the derogation to apply, information on all risks associated with the transfer must have been provided in advance to the affected data subjects. It may be particularly difficult to establish that consent is freely given where information relates to UBS ESE SE staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). The consent will only be valid if UBS ESE SE offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE SE also offers its staff the opportunity to withdraw consent at any time. Please note that we have assumed at Assumption of Annex 2 that UBS ESE SE has validly obtained such consent.
 
(ii) Necessary for public interest (Article 49.1 (d)): The relevant public interest must be recognized in either EU law or member state law, but the mere existence of such public interest is not sufficient. The derogation only applies when it can also be deduced from EU law or the law of the member state to which the controller is subject that the data transfer in question should be allowed for important public interest purposes. We have not identified any Swedish law allowing such transfer in the current matter. Furthermore, the derogation only applies to occasional transfers and is
[26] The General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 in the UK.
[27] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
[28] Please also note the restrictions under paragraph in this Annex 1.
[29] Article 4(11) GDPR.
 
 
 
subject to a necessity test, meaning that it is not applicable to general or extensive requests for personal data. Consequently, we do not consider it possible for UBS ESE SE to rely on the public interest exception for transferring personal data to the US.
 
(iii) Establishment, exercise or defense of legal claims (Article 49.1 (e)): This option does not apply to unspecified or extensive data requests, nor potential future legal proceedings, and we do not consider it applicable in this case.
(iv) Necessary for the purpose of compelling legitimate interests (Article 49.1-2): This exception can apply to the transfer of personal data for a compelling legitimate interest, for example in order to protect the controller's organization or systems from serious immediate harm or from a severe penalty which would seriously affect its business.[30] The transfer must only concern a limited number of data subjects and prior notification of the transfer must be provided to the supervisory authority. Although the application of this derogation is very narrow, there may be a possibility that UBS ESE SE's legitimate interest to ensure compliance with US law, e.g. to avoid penalties, could be sufficient to demonstrate a compelling reason for the derogation to apply, provided, however, that no other derogation is applicable, the result of the balancing test is in UBS ESE SE's favour[31] and the principles of the GDPR are respected.[32]
Each of the derogations above needs to be applied on a case-by-case basis.[33]
 
(b) The Swedish Financial Supervisory Authority route: In certain situations, for example where UBS ESE SE considers the transfer of data to the US to be high risk, it may be possible to arrange for the disclosure to be made to the Swedish Financial Supervisory Authority, which could then transfer the data to the SEC in the US. However, such transfer would have to be approved in advance by the Swedish Authority for Privacy Protection.
1.14 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE SE effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
2. BANK CONFIDENTIALITY
 
2.1 UBS ESE SE is subject to the Swedish Banking and Financing Business Act 2002 (Lag (2004:297) om bank- och finansieringsrörelse) (as amended) (the “SBFBA”) "in applicable parts" (Chapter 1, Section 2 of the SBFBA). There is no authoritative guidance, either in the form of subordinate legislation, regulations of the Swedish Financial Supervisory Authority (Finansinspektionen) or any other public authority in Sweden, case law or self-regulation as to what parts of the SBFBA apply to branches of foreign banks such as UBS ESE SE. However,
[30] See EDPB guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p. 15.
[31] See section 1.5 on the Legal basis for the disclosure.
[32] See section 1.9 on the Data protection principles.
[33] Article 49(1) EU GDPR.
 
 
 
 
it is widely assumed that the provisions of bank confidentiality in Chapter 1, Section 10 of the SBFBA do apply to such branches. Pursuant to this section, information about the relationship between private subjects (including both natural persons and legal entities) and the bank may not be disclosed without authorisation. Although this rule has been in force for well over a hundred and thirty years, there is no authoritative guidance, either in the form of subordinate legislation, regulations of the Swedish Financial Supervisory Authority or any other public authority in Sweden, case law or self-regulation as to the concrete effects of the rule. However, it is widely considered that – under general principles of law – consent of the private subject to whom the information pertains would count as authorisation of disclosure. It is not clear what form such authorisation should take or otherwise what the specific conditions for valid consent would be. However, it is reasonable to assume that consent that conforms to the GDPR would be acceptable also for the purposes of Chapter 1, Section 10 of the SBFBA.
3. PRIVACY AND HUMAN RIGHTS
Misuse of private information
3.1 Aside from the GDPR (and other sector-specific data protection legislation that will not apply to UBS ESE SE), there is no stand-alone basis to bring a claim for 'misuse of private information' in Sweden. Although the Swedish Constitution states that the public shall protect the private and family lives of individuals,[34] this addresses a different component of privacy to the protection of confidentiality (which relates to the secrecy of private information), namely the prevention of intrusion into an individual's privacy.
Right to privacy
3.2 The Charter of Fundamental Rights of the EU (the "Charter") provides for respect for private and family life (Article 8) and the protection of personal data (Article 7).[35] The Charter is only applicable to national authorities' interpretation and implementation of union law. Thus, breaches of the Charter are permissible for purposes or rules recognized by the EU, such as the GDPR.
3.3 Sweden is a party to the European Convention on Human Rights. The Convention provides for rights similar to the Charter, but is not limited to matters of union law. Article 8 of the Convention confers a general right to “respect for his private and family life, his home and his correspondence” ("Article 8"). This right is established in Swedish law implementing the Convention (Sw. Lag (1994:1219) om den europeiska konventionen angående skydd för de mänskliga rättigheterna och de grundläggande friheterna). A court must take Article 8 into account, even if the action is one among private parties.
3.4 Primarily, the rights under the Convention should be assured in the legislative process to protect against arbitrary interferences and Swedish courts are obliged to interpret Swedish law in conformity with the Convention. However, Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is in accordance with law, necessary in a democratic society, and with a legitimate aim.
 
[34] The Swedish Constitution, Chapter 1, Paragraph 2.
[35] The Charter of Fundamental Rights of the European Union (2012/C 326/02).
 
3.5 An action for misuse of private information requires a reasonable expectation of privacy to exist, which is not the case when the individual itself has provided a consent that is considered lawful and valid. Consequently, there could be no breach of the individual's right to privacy under Article 8 for as long as the consent is obtained in accordance with the GDPR.
 
 
 
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a "prudential regulator" as defined by Section 3 of the US Securities Exchange Act of 1934 (the "Securities Exchange Act"). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE SE or, as the case may be, UBS AG has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE SE, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
5. Any data held by UBS ESE SE that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE SE in Sweden. Whilst UBS ESE SE will be subject to direct On-Site Inspection by the SEC in Sweden, UBS ESE SE will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
7. Similarly, UBS ESE SE will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR.[36] We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators)
[36] These principles are set out in Annex 1 at paragraph
 
 
 
 
 
 
 
leads it to maintain a belief, which it considers to be reasonable, that UBS ESE SE can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[37]
 
8. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and 'special category data' under the GDPR (as described in paragraph of Annex 1 to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators).[38]
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[39] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
10. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)[40]).
11. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records
[37] See the SEC Guidance at 85 FR 6298.
[38] See the SEC Guidance at 85 FR 6298.
[39] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
[40] Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 
reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.