UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy LLP
One Bishops Square
London E1 6AD
United Kingdom

Tel +44 (0)20 3088 0000
Fax +44 (0)20 3088 0088

Our ref 0036335-0000808

22 October 2021

Dear Sir or Madam
 
UBS London Branch SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG (UBS), a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs to (Covered Books and Records); and

(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

1.3 Associated persons of UBS located in the UK who effect SBS transactions on behalf of UBS will be employed by UBS. UBS will maintain certain Covered Books and Records in its London Branch (UBSLB), which is authorised in the United Kingdom (UK).

1.4 You have asked us to issue an opinion affirming that UBSLB will be able to provide the SEC with prompt access to its books and records and submit to On-Site Inspection by the SEC in accordance with paragraph
 
1.5 This opinion is structured as follows:

(a) Section :

(b) Section : ;

(c) Section :

(d) Section :

(e) : Opinion; and

(f) : Assumptions.

[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS is incorporated in Switzerland, UBS fulfils this definition of a “non-resident” SBSD.

Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.

1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBSLB, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below it is our opinion that:

2.1 UBSLB can, as a matter of applicable UK, English and Welsh law, submit to On-Site Inspection by the SEC. There is no restriction on UBSLB submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBSLB’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in the UK and the ability to provide the SEC with prompt access to Covered Books and Records.

2.2 UBSLB can, as a matter of applicable UK, English and Welsh law, provide the SEC with prompt access to Covered Books and Records held by UBSLB in the UK.[2]

Data Protection[3]
 
2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBSLB’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the UK has not found to have an ‘adequate’ data protection regime. However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBSLB were it to be required by the SEC to make available personal data. We note that these legal restrictions and derogations that UBSLB would rely on when making disclosures to the SEC are the same legal bases and derogations to which the Bank of England would be subject, and on which the regulators have agreed to rely, in the 2021 Memorandum of Understanding between the (i) FCA and Bank of England and (ii) the SEC regarding consultation, cooperation and the exchange of information[4] (the 2021 MoU).

2.4 We anticipate that the legitimate interests and public interest legal bases for processing are likely to be the most applicable grounds under the UK GDPR and EU GDPR to enable disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. To the extent that UBSLB relies on the public interest legal basis, it will also need to satisfy one of the conditions for processing set out in the DPA 2018.

2.5 Further, we consider that UBSLB could make transfers of personal data to the SEC in the US on the basis of the public interest derogation: we note that UBSLB would need to assess the ability to rely on this derogation in each case.
 
 
 
[2] Where a restriction on the ability to transfer personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption

[3] Please refer to section of for definitions of Data Protection Laws, EU GDPR, UK GDPR and the DPA 2018.

[4] Available here: https://www.fca.org.uk/publication/mou/sec-fca-boe-mou-2021.pdf.
 
0036335-0000808 UKO1: 2004471715.25
 
Common law duties of confidentiality

2.6 The general duty of confidentiality applies to non-public information held or controlled by UBSLB that relates to any person. The banker’s duty of confidentiality arises due to the nature of the relationship between a banker and their customer (and this duty does not apply to information held or controlled by UBSLB that relates to any person other than its customers). Finally, every employment relationship held by UBSLB contains an implied legal duty of mutual confidence; however, this is very narrow in scope and is unlikely to apply where UBSLB is making disclosures to the SEC in the normal course of its SBS business and in accordance with SEC requirements.
 
2.7 Disclosure with consent, or under another recognised exception, would not amount to a breach of these legal duties.

2.8 These duties of confidentiality will not apply to any information contained in the Covered Books and Records or to On-Site Inspection insofar as information made available to the SEC is owned by or relates to UBSLB itself, rather than by or to UBSLB’s clients or, in the case of the general and employer’s duties only, its staff.

Privacy and Human Rights

2.9 Protection from intrusion into rights of privacy is enshrined in the Human Rights Act 1998 (HRA) which establishes the general right to respect for his private and family life, his home and his correspondence set out in Article 8 of the European Convention on Human Rights in UK law (Article 8).
 
2.10 Actions in respect of Article 8 require a separate cause of action, such as a misuse of private information (or a breach of confidence – in respect of which, see above), in order to be permissible. In certain cases, though we expect these to be limited, legal (rather than natural) persons can benefit from a right to privacy. An action for a misuse of private information requires a reasonable expectation of privacy to exist – this is unlikely where valid consent to disclosure of the relevant information has been given.

2.11 It is permissible to breach Article 8 in specified situations. In summary, the intrusion must not be arbitrary, must be proportionate in respect of a pressing social need, and must be done in pursuit of a legitimate aim. In our view, the disclosure to the SEC of private information contained in Covered Books and Records and that would be made available to the SEC during On-Site Inspections would be permissible for the purposes of Article 8.

2.12 Further, it is not clear that rights of privacy provide any enhancement to the protection afforded under the duties of confidence considered above to those persons on whom information is held by UBSLB, given the nature of the information contained in Covered Books and Records and that would be disclosed to the SEC during On-Site Inspections.

This summary opinion is not a substitute for the full expression of our views set out in
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC of Covered Books and Records held by UBSLB in the UK and On-Site Inspection of UBSLB by the SEC in the UK. This opinion applies equally to remote access from the US to Covered Books and Records held in the UK. This opinion excludes books and records held in the US. Where matters considered in this opinion are not governed by laws applying to the entirety of the UK, this opinion relates solely to matters of English and Welsh law.
 
 
 
 
 
 
 
 
 
3.2 This opinion has been prepared in accordance with UBS’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion only covers access to and the On-Site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:

(a) relate to the US business[5] of the non-resident SBSD.[6] These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[7] (US Person) (other than an SBS conducted through a foreign branch of such US Person[8]); or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the US (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[9] or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[10]
 
3.4 Further to Assumption, this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph. For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.5 This opinion covers data relating to:

(a) SBS transactions concluded between UBS (through its associated persons) and US Person counterparties, insofar as this data is held by UBS (e.g. voice recordings and client communications); and

(b) the activities of the staff of UBSLB pertaining to UBS’ SBS transactions that are also arranged, negotiated, or executed by personnel of UBS located in a US branch or office or by personnel of an agent of UBS located in a US branch or office (irrespective of whether UBS’ counterparty is a US Person or a non-US Person).

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.
 
[5] As defined in 17 CFR §240.3a71-3(a)(8).

[6] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

[7] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

[8] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).

[9] 17 CFR § 240.3a71-3(a)(8)(i)(B).

[10] The requirement set out in this paragraph does not apply to UBS because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS has a prudential regulator – please see Assumption set out in
 
3.7 In giving this opinion, we have made the further assumptions set out in.

3.8 No opinion is expressed on matters of fact.

3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBSLB staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBSLB offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBSLB also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBSLB may be able to rely on an alternative basis for disclosure (e.g. the public interest exception).

4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[11] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.
 
4.3 This opinion relates solely to the laws of England and Wales and the UK (as applicable) in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:

(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and

(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.

[11] 17 CFR § 240.15Fb2-4(c)(2).
 
Yours faithfully,

Allen & Overy LLP
 
ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (EU GDPR),[12] the General Data Protection Regulation 2016/679 as it forms part of “retained EU law” as defined in the European Union (Withdrawal) Act 2018 (UK GDPR) and the UK Data Protection Act 2018 (DPA 2018) (together, the Data Protection Laws) will apply to UBSLB’s disclosure of Covered Books and Records to the SEC to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBSLB staff as well as clients.
 
1.2 Under the Data Protection Laws, specific additional restrictions apply for data relating to criminal convictions and offences. These laws also impose heightened restrictions on the processing of ‘special category data’ – this is data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation. As special category data are less likely to be relevant in the context of UBSLB’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBSLB’s ability to disclose personal data to the SEC are set out below.

Legal basis for the disclosure

1.4 UBSLB requires a legal basis under Article 6 of the EU GDPR and the UK GDPR to disclose personal data to the SEC. Data cannot be disclosed if doing so would breach another legal requirement (e.g. confidentiality – please see section). Whilst there are a number of Article 6 legal bases on which UBSLB may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBSLB will need to consider the most appropriate legal basis to apply to any given situation.

1.5 The Article 6 legal bases most applicable to UBSLB, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a)): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[13]

[12] Per Article 71 of the EU-UK Withdrawal Agreement, the EU GDPR remains applicable in the UK following the end on 31 December 2020 of the transition period effecting the UK’s exit from the EU in respect of the processing of personal data of data subjects outside the UK, provided that the personal data: (a) were processed under EU law in the UK before the end of the transition period; or (b) are processed in the UK after the end of the transition period on the basis of the EU-UK Withdrawal Agreement. In particular, EU GDPR applies in the absence of an adequacy decision made by the European Commission in respect of the UK. On 28 June 2021 the European Commission adopted adequacy decisions for the UK, thereby enabling the free-flow of personal data from the EU to the UK. However, for the first time, the adequacy decisions each include a so-called ‘sunset clause’, which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, but only if the UK continues to ensure an adequate level of data protection. During these four years, the European Commission will continue to monitor the legal situation in the UK and could intervene at any point, if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.

[13] Please also refer to limitations on the applicability of consent discussed in paragraph of section :

(b) Legitimate interests (Article 6(1)(f)): This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBSLB must:

(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own.
 
If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBSLB or the third party.

An individual has the right to object to the disclosure of their data to the SEC under this basis for processing, and UBSLB would need to demonstrate ‘compelling’ legitimate grounds to process the data that override the rights, freedoms and interests of that individual.

(c) Disclosure is necessary for compliance with a legal obligation to which UBSLB is subject (Article 6(1)(c)): There must be a UK nexus in order for UBSLB to be able to rely on this legal basis. Article 6(3) requires that the legal obligation must be laid down by UK or EU law, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBSLB as the person subject to it.[14]

In the context of this legal basis for processing, an SEC request in the absence of a UK legal requirement (e.g. a lawful request from the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) in the exercise of its powers under the Financial Services and Markets Act 2000 (FSMA)) would not justify the disclosure as being necessary for compliance with such an obligation.

We further note that neither the 2021 MoU nor the ICO Letter (as defined and discussed at paragraph of Annex 1,) create any legally binding obligations.

(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)): There must be a UK nexus in order for UBSLB to be able to rely on this legal basis. It may be possible to establish a UK nexus, as well as valid public interests, on the basis of recent commentary on international transfers of personal data on public interest grounds contained in a letter from the UK Information Commissioner’s Office (ICO) to the SEC (ICO Letter).[15]
 
See paragraphs and of this Annex.

Although the wording of the public interest legal basis in Article 6(1)(e) differs from that in the public interest derogation in Article 49(1)(d) regarding international transfers of personal data (which refers to the transfer being ‘necessary for reasons of public interest’), the ICO’s commentary nevertheless makes it easier for UBSLB to argue that its disclosure of Covered Books and Records satisfies the legal basis of being ‘necessary for the performance of a task carried out in the public interest’. This is because UBSLB’s compliance with the SEC’s request is potentially necessary for the performance of the SEC’s tasks which have a basis in UK as well as US public interests. For example, compliance with SEC rules by SEC regulated UK firms: (i) helps to prevent UK financial crimes from being committed; and (ii) helps to prevent the commission in the US of conduct that would amount to a UK financial crime.[16]

[14] Recital 41 EU GDPR and UK GDPR.

[15] Letter from the ICO to the SEC, dated 11 September 2020.

[16] Letter from the ICO to the SEC, dated 11 September 2020.
 
As with the legitimate interests basis, individuals have the right to object to processing under this public interest basis.[17]

The legitimate interests and public interest legal bases for processing are likely to be the most appropriate Article 6 grounds on which UBSLB could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection. However, it is worth noting that the ICO’s letter potentially makes the public interest ground preferable by setting out its view that there are valid public interests for data transfers to the SEC, whereas if UBSLB were to rely on the legitimate interests ground it will still need to undertake a balancing test as outlined above.

1.6 It is considered very unlikely that data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of data. Further, UBSLB might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, for an associated person who is not a US Person.[18] However, to the extent that this does occur, and such information is held by UBSLB, in addition to an Article 6 legal basis, UBSLB will need to establish an additional legal basis for processing under Article 9 of the EU GDPR and the UK GDPR if it discloses special categories of data to the SEC, such as where it is necessary for the establishment, exercise or defence of legal claims, or where necessary for reasons of substantial public interest (such reasons are set out in the Data Protection Act 2018).
 
Other than valid consent,[19] the Article 9 legal bases that are most likely to apply to disclosure of Covered Books and Records are:

(a) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f)); and

(b) processing is necessary for reasons of substantial interest, on the basis of domestic or Member State law (Article 9(2)(g)). To be able to rely on this substantial public interest condition UBSLB would also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018, and put in place an appropriate policy document.[20]
 
Of these conditions, those most likely to apply to the disclosure to the
 
SEC are:
(i)
 
Preventing
 
or
 
detecting unlawful
 
acts
 
(paragraph 10(1),
 
Part
 
2,
 
Schedule 1)
:
 
This
condition
 
(A)
 
applies
 
where
 
the
 
processing
 
is
 
necessary
 
for
 
the
 
purpose
 
of
 
the
prevention or
 
detection of
 
an unlawful
 
act or
 
failure to
 
act; (B)
 
must be
 
carried out
without the
 
consent of the
 
relevant individual so
 
as not to
 
prejudice those purposes;
and (C) is necessary for reasons of substantial public interest.
(ii) Protecting the public against dishonesty etc. (paragraph 11(1), Part 2, Schedule 1): This condition applies where the disclosure: (A) is necessary for the exercise of a protective function; (B) must be carried out without the consent of the relevant individual so as not to prejudice the exercise of that function; and (C) is necessary for reasons of substantial public interest. In this context, ‘protective function’ means a function that is intended to protect members of the public against: (I) dishonesty, malpractice, or other serious improper conduct; (II) unfitness or incompetence; (III) mismanagement in the administration of a body or association; or (IV) failures in services provided by a body or association.
(iii) Regulatory requirements relating to unlawful acts and dishonesty etc. (paragraph 12(1), Part 2, Schedule 1): This condition applies where: (A) the processing is necessary for complying with, or assisting other persons to comply with, a regulatory
[17] Article 21(1), EU GDPR and UK GDPR
[18] As we understand is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
[19] Article 9(2)(a) EU GDPR and UK GDPR; please also refer to limitations on the applicability of consent discussed in paragraph of section :
[20] Section 10(3), and paragraph 34 of Part 4 to Schedule 1, DPA 2018
 
 
 
requirement which involves a person taking steps to establish whether another person has: (I) committed an unlawful act or failure to act; or (II) been involved in dishonesty, malpractice or other seriously improper conduct; (B) in the circumstances, UBSLB cannot reasonably be expected to obtain the consent of the relevant individual to the processing; and (C) the processing is necessary for reasons of substantial public interest. In this condition, a ‘regulatory requirement’ means (a) a requirement imposed by legislation or by a person in exercise of a function conferred by legislation; or (b) a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
1.7 Similarly, UBSLB’s processing of personal data relating to criminal convictions and offences is highly restricted, and can only be disclosed where authorised by one of the conditions in Parts 1, 2 or 3 of Schedule 1 of the DPA 2018.[21] Of these conditions, those most likely to apply to the disclosure to the SEC are:
(a) Legal claims (paragraph 33, Part 3, Schedule 1): This condition is met if the processing is: (i) necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); (ii) necessary for the purpose of obtaining legal advice; or (iii) otherwise necessary for the purpose of establishing, exercising or defending legal rights.
(b) Certain conditions from Part 2 of Schedule 1 (paragraph 36, Part 3, Schedule 1): This condition applies where the disclosure would meet a condition in Part 2 of Schedule 1 but for an express requirement for the processing to be necessary for reasons of substantial public interest. As set out in paragraph of this Annex 1, the Part 2 conditions most likely to apply to UBSLB’s disclosure to the SEC are:
(i) Preventing or detecting unlawful acts (paragraph 10(1), Part 2, Schedule 1).
(ii) Protecting the public against dishonesty etc. (paragraph 11(1), Part 2, Schedule 1).
(iii) Regulatory requirements relating to unlawful acts and dishonesty etc. (paragraph 12(1), Part 2, Schedule 1).
Data protection principles
1.8 In addition to establishing a legal basis for the disclosure, UBSLB would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR and the UK GDPR. For example, UBSLB must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
 
 
[21] Section 10(5) DPA 2018.
 
 
 
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.
1.9 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBSLB to verify this and implement its own compliance measures.
International transfers
1.10 The general principle in the EU GDPR and the UK GDPR is that UBSLB may not transfer personal data to a jurisdiction outside the European Economic Area, or the UK, unless it can satisfy a condition for the transfer as set out in Chapter V of those Data Protection Laws.
 
1.11 Article 45 of the UK GDPR allows for UBSLB to transfer personal data to the US where the transfer is based on adequacy regulations pursuant to section 17A of the DPA 2018. However, the UK has not passed adequacy regulations pursuant to that section that designate the US as providing adequate protections for personal data. Additional steps would therefore be required where personal data is to be sent to the US, or the SEC could access documents held in the UK from the US. The two primary options available to UBSLB are as follows:
(a) Derogations (Article 49): Where a transfer mechanism adopted by the European Commission in respect of the US[22] is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available under UK GDPR for facilitating UBSLB’s transfer of personal data contained in Covered Books and Records to the SEC. These derogations include consent, public interest and legitimate interests.[23] The ICO Letter suggests that the most appropriate derogation may be that the transfer is strictly necessary for important reasons of public interest. It explains that there is a UK nexus because: (i) the SEC rules help to prevent UK financial crimes being committed; (ii) Principle 11 of the FCA Handbook requires FCA-regulated firms to deal with regulators worldwide in an open and cooperative way; and (iii) the SEC rules help to prevent the commission in the US of conduct that would amount to a UK financial crime. However, the ICO Letter should not be considered a blanket approval for UBSLB to transfer data to the SEC under this basis. The ICO makes clear that derogations should not be relied on for making transfers “on a large scale and in a systematic manner”, and their use must be considered on a case-by-case basis, with UBSLB keeping records of the transfers that evidence the careful analysis that led them to rely on the derogation. UBSLB must ensure that the transfer is strictly necessary by establishing that there are ‘precise and particularly solid justifications’ for the transfer. As discussed above, UBSLB must also ensure it applies the ‘necessary and proportionate’ test to ensure that only the data necessary for the SEC’s purposes is transferred.
(b) FCA route: In certain situations, for example where UBSLB considers the transfer of data to the US to be high risk, it may be possible to arrange for the disclosure to be made to the FCA, which could then transfer the data to the SEC in the US. The FCA and SEC have an administrative arrangement to govern the transfer of personal data between the two regulators, which aims to comply with UK GDPR principles, and this route would avoid UBSLB being responsible for ensuring the international transfer was fully compliant with the UK GDPR.
[22] These SCCs remain valid for transfers from the UK to non-adequate jurisdictions following Brexit.
[23] Article 49(1) UK GDPR at paragraphs (a), (d) and (f), respectively.
 
 
 
1.12 The 2021 MoU notes that the UK regulators are also subject to the restrictions of the UK GDPR when transferring personal data to the SEC, or allowing the SEC to access documents held in the UK from the US.[24] At paragraph 25 of the 2021 MoU it is stated that “transfer, onward transfer, processing or sharing of personal data between the FCA and the SEC will be carried out under the terms of the Administrative Arrangement for the transfer of personal data between the SEC and the FCA”. In the absence of such an agreement between the PRA and the SEC, it is stated in the 2021 MoU that where personal data is being transferred to the SEC by the PRA, such transfer will be made “in reliance on appropriate safeguards or derogations (e.g., where the transfer of personal data is necessary for important reasons of public interest).”[25] As such, the limitations noted in paragraph apply equally to the Bank of England and to UBSLB when transferring personal data to the SEC.
 
2. COMMON LAW DUTIES OF CONFIDENTIALITY
2.1 The general, banker’s and employer’s duties of confidentiality are distinct duties. However, the case law on each duty informs the approach to the other, with the banker’s and employer’s duties existing in acknowledgement of the specific circumstances that arise as between a bank and its customers or employees (respectively). Given the common law position on these duties is largely aligned, these are dealt with together here.
2.2 Where Covered Books and Records do not contain any relevant forms of information, and it is likely that many aspects of the information required will not (e.g. transaction data such as volumes and prices), these duties of confidentiality will not apply.
Scope of duties
2.3 The leading case on the common law duty of confidentiality is Coco v A Clark (Engineers) Ltd [1968] F.S.R. 415. This case established that to be protected under the common law of confidentiality, two requirements must be met. Firstly, the information must have the “necessary quality of confidence”.[26] Secondly, the information must have been given in a situation which imposed an obligation of confidence.
 
(a) The necessary quality of confidence is negatively defined as information which is not “public property and public knowledge”.[27] As the information contained in the Covered Books and Records is not publicly available, it will likely possess this necessary quality of confidence insofar as that information relates to UBSLB’s clients or staff and is not information owned by or relating to UBSLB itself.
(b) To be protected under the common law duty of confidentiality, the information must have been communicated in a situation where an obligation of confidence was either expressly or impliedly imposed.[28] The court will consider whether the recipient of the information knew, or ought to have known, that there was a duty of confidentiality attached to that information. This duty of confidentiality can be imposed by contract, implied by the circumstances of the disclosure, or implied by a special relationship of the parties.
(c) Where, and to the extent that, the Covered Books and Records concern either customer information or employee information, this would likely satisfy the requirement that the Recipient, in this case being UBSLB, knew or ought to have known that the information was to be treated confidentially.
 
 
 
[24] Paragraph 25(a) of the 2021 MoU.
[25] Paragraph 25(b) of the 2021 MoU
[26] Megarry J in the Coco v AN Clark (Engineers) Ltd judgement at 419 used the formulation first used by Lord Greene, M.R. in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1948] 65 RPC 203, [1963] 3 All ER 413.
[27] Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1948] 65 RPC 203, [1963] 3 All ER 413 at 415.
[28] Megarry J in Coco v AN Clark (Engineers) Ltd judgement at 420.
 
 
2.4 The common law banker’s duty of confidence, established by Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 (Tournier), is one such instance where a special relationship exists between the parties. Under this duty of confidence, banks, such as UBSLB, must keep their customers’ affairs private – in this respect the general duty is broader than the banker’s duty as the general duty extends to benefit others, such as UBSLB’s staff.
 
(a) The scope of the duty is wide – as Atkin LJ outlined in the judgement:
“It [the duty of confidentiality] clearly goes beyond the state of the account, that is, whether there is a debit or credit balance, and the amount of the balance. It must extend at least to all the transactions that go through the account, and to the securities, if any, given in respect of the account”[29]
(b) The temporal scope of the banker’s duty is also wide. Atkin LJ judged that the banker’s duty of confidentiality “extend[s] beyond the point when the account is closed, or cease[s] to be an active account”,[30] and this duty also extends to cover disclosures from one banking entity to another within the same corporate group.[31]
 
2.5 Whilst an employer’s duty of confidence under common law does exist,[32] it is very limited: UBSLB will only be restricted in its use of information held in relation to its employees “where there is no reasonable and proper cause for the employer[’]s conduct and only then if the conduct is calculated to destroy or seriously damage the relationship of trust and confidence.”[33]
 
2.6 No distinction is drawn in the case law on either of the general or banker’s duties regarding the nature of the person to whom the duty is owed – i.e. a natural or a legal person – and so we consider that the duties apply equally to any person irrespective of their legal status. The employer’s duty can clearly be owed only to a natural person.
Unauthorised disclosure
2.7 A successful claim for breach of confidentiality must demonstrate that there has been an unauthorised use of confidential information to the detriment of the Rights Holder.[34]
 
2.8 For those Covered Books and Records that contain customer information, which is unlikely to include all Covered Books and Records, these duties of confidentiality will apply and so UBSLB will only be able to disclose Covered Books and Records containing confidential information in un-redacted form where one of the exceptions below is met.
2.9 Tournier established four exceptions to the banker’s duty of confidentiality,[35] the first three of which apply equally to the general and employer’s duties of confidentiality:
(a) where the disclosure is made by the express or implied consent of the customer;[36]
(b) under compulsion of law;
(c) where the disclosure is in the public interest; or
 
 
[29] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
[30] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485.
[31] Bank of Tokyo Ltd v Karoon [1987] 1 AC 45 at 54.
[32] Prout v British Gas Plc and Another [1992] F.S.R. 478 at 482.
[33] Malik v Bank of Credit and Commerce International SA [1998] A.C 20 at 53.
[34] Megarry J in Coco v A Clark (Engineers) Ltd [1968] F.S.R. 415 at 421.
[35] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473.
[36] For the general duty of confidentiality: This was confirmed by Arnold J in Primary Group (UK) Ltd v The Royal Bank of Scotland Plc [2014] R.P.C. 26 at 246.
 
 
(d) for the banker’s duty of confidentiality only, where it is in the interests of the bank to make disclosure.
Consent
2.10 Disclosure of confidential information is permissible where the Rights Holder[37] has given their consent to the disclosure of their confidential information[38] (though limitations apply to the validity of consent that can be provided by an employee, as described in paragraph of section :).[39]
 
Compulsion of law
2.11 Information that would otherwise be confidential may be disclosed when required by a statutory provision[40] or court order.[41]
 
2.12 To satisfy this compulsion of law exception it is likely that UBSLB would have to rely on UK statute – a provision of US law, such as an SEC Rule, is unlikely to be sufficient for this purpose.[42]
 
(a) Whilst there are numerous statutory provisions that require the disclosure of information that would otherwise be confidential,[43] none applies directly to this situation.
(b) UBSLB is obliged to comply with the FCA’s and PRA’s general rules, as set out in the FCA Handbook and PRA Rulebook,[44] and these include the FCA’s Principle 11 and the PRA’s Fundamental Rule 7, which require UBSLB to “deal with its regulators in an open and cooperative way...”. This requirement includes disclosure to overseas regulators such as the SEC.[45] However, there are specific powers available to the FCA and PRA to oblige UBSLB
[37] Where the banker’s duty of confidentiality applies this will be the customer.
[38] Due to the overlap between bank confidentiality and data protection laws (as discussed in paragraph ), it would be advisable to clarify when obtaining consent that another, separate, legal basis applied to the processing of the personal data under data protection laws.
 
[39] Whilst it is possible to rely on implied consent, there is likely to be a high bar to meet in order to do so. In Turner v Royal Bank of Scotland Plc [1999] 2 All E.R, regarding the banker’s duty of confidentiality, it was decided that established market practice of sharing of customer information between banks (which practice was generally known only to the banks themselves) did not amount to implied consent of the customer as this practice was not known by the customer. To amount to implied consent, the practice under which disclosure is made must be “notorious, certain and reasonable” (Turner v Royal Bank of Scotland Plc [1999] 2 All E.R 664 at 670, Sir Richard Scott VC quoting from Chitty on Contracts (27th edn, 1994), vol I, para 13-014.) The practice of sharing information with local regulators in order to enable banking business to be conducted within the relevant local jurisdiction is, in our experience, well established such that it might be considered “notorious, certain and reasonable”. In this context, it is possible that much of the information contained in the Covered Books and Records would be information of a sort that customers (and particularly more sophisticated customers of the kind that would normally be offered services by UBSLB in respect of SBSs) may expect would be shared with the SEC. In part, the ability to rely on implied consent will depend on the information provided to customers when UBSLB provides services in SBSs. If no information about the jurisdiction or regulators involved is provided then UBSLB would rely on the customer’s own understanding of regulatory obligations on banks, the US nexus and the SEC’s role in these services. Conversely, if customers are informed that UBSLB’s activity in SBSs is conducted on a cross-border basis into the US and is subject to oversight by the SEC then the ability to rely on implied consent increases. Similarly, if customers are informed that detailed information on all aspects of UBSLB’s activity in SBSs is subject to examination by the SEC then the ability to rely on implied consent increases further still.
[40] See the example given by Bankes LJ in Tournier v National Provincial & Union Bank [1924] 1 K.B 461 at 473 of the Bankers’ Books Evidence Act 1879.
[41] For the general duty of confidentiality: E.g. a subpoena duces tecum issued by an English court, as confirmed in Loyd v Freshfield and Kaye, Gents. Two, &c (1826) 172 E.R. 147 at 329. For the banker’s duty of confidentiality: X AG and others v A bank [1983] 2 All ER at 475.
[42] We are not aware of any case law dealing with whether foreign statute can satisfy the compulsion of law exception. In A and Others v B Bank (Governor and Company of the Bank of England intervening) [1992] 3 WLR 705 it was held that there would be no breach of confidentiality where disclosure was ordered by a United Kingdom regulator (in this case the Bank of England) who would then pass the information over to a foreign regulator, in this case the US Federal Reserve Board. However, the judgement emphasised it was the United Kingdom regulator’s compelling power under the Banking Act 1987, not that of the US Federal Reserve Board, which was decisive. Whilst this case applies to the banker’s duty of confidentiality, it is also of relevance to the general duty of confidentiality.
[43] For example under s.175(5)(d) of the FSMA, by virtue of which a person owing a banker’s duty of confidentiality may be compelled to disclose confidential information when a specific requirement is imposed on the Recipient by an investigating authority to disclose the information. Additionally, under s.330 of the Proceeds of Crime Act 2002 it is an offence for someone in the regulated sector to disclose knowledge or suspicion of money laundering activities. A banker who suspected or became aware of a customer’s money laundering activities, although owing their customer a duty of confidentiality by virtue of their relationship to the customer, would be compelled by this to disclose. Disclosure in this circumstance would be an authorised use and as such would not constitute a breach of confidence.
[44] These are rules published by the FCA in the exercise of its power under section 137A (for the FCA) and 137G (for the PRA) of FSMA and enforceable by the FCA and PRA, respectively, pursuant to Part XIV of FSMA.
[45] Principles for Business section of the FCA Handbook at l. l.6G.
 
 
 
to provide confidential information, such as the power under s175(5) FSMA. As this power applies equally to investigations conducted by the FCA and/or PRA on its/their own behalf as to investigations conducted in support of a foreign regulator, such as the SEC, it is not clearly arguable that it is necessary to read Principle 11 and Fundamental Rule 7 more broadly for the purposes of disclosures to the SEC than it is read for disclosures to the FCA and PRA. Therefore, we do not consider that Principle 11 and Fundamental Rule 7 can be relied upon to override legal duties of confidentiality.
 
2.13 Equally, a US court order is also unlikely to be sufficient for this purpose: it was held in X AG and others v A bank [1983] 2 All ER at 475 that a subpoena requiring disclosure issued by a foreign court did not qualify as compulsion by law on the basis that “[t]he fact is that confidentiality is not rendered illegal by a subpoena requiring disclosure, which is to be contrasted with some form of legislation to that end”.[46]
 
2.14 Finally, as the 2021 MoU lacks the authority of statute, it is very unlikely to meet this exception and should not be relied upon by UBSLB (though it retains relevance in the context of the public interest exception – please see paragraphs to ).
Public interest
2.15 Determining whether the public interest exception applies requires a balance to be struck between the rights of the Rights Holders and the public interest in the SEC obtaining that information.[47] The test to be applied when considering whether confidentiality should be breached in favour of freedom of expression is whether, in all the circumstances, it is in the public interest that the duty of confidence should be breached.[48]
 
2.16 Disclosure in the public interest has been narrowly construed by the English courts, and the burden is for UBSLB to justify disclosure of confidential information[49] (rather than for e.g. a customer to justify continued confidentiality). The general position is that voluntary disclosure, including in relation to disclosures to the police in respect of suspicions of criminal activity, would breach the duty of confidence other than as permitted under statute,[50] indicating that there is a high bar to be met when arguing that a disclosure was made lawfully in pursuit of a greater public interest. Bankes LJ suggested in Tournier that national security concerns would meet this criterion,[51] while Atkin LJ gave the example of disclosure in the interest of preventing fraud or crime.[52]
 
2.17 However, there is well established precedent for public interest in effective regulation and supervision of banking institutions outweighing the public interest in maintaining confidentiality even in the absence of statutory authority.[53] This arguably is a continuation of Atkin LJ’s example in Tournier regarding the prevention of fraud or crime. In such cases, the weight of the claim for disclosure is greater when considering limited disclosure, such as to a relevant authority acting under its own duties of confidence, as opposed to public dissemination of information.[54]
 
 
 
[46] In both X AG and others v A Bank [1983] All ER 464 and in A v B Bank Unreported, 13 August 1990 (see Hirst J’s judgment in the subsequent case of A and Others v B Bank v (Governor and Company of the Bank of England intervening) [1992] 3 WLR 705). Whilst these are banker’s duty of confidentiality cases they are of more general application. For the general duty of confidentiality: E.g. a subpoena duces tecum issued by an English court, as confirmed in Loyd v Freshfield and Kaye, Gents. Two, &c (1826) 172 E.R. 147 at 329.
[47] AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 268.
[48] Prince of Wales v Associated Newspapers Ltd (CA) [2007] 3 WLR at 68. In the context of that case, it is relevant that the test is not simply whether the information is a matter of public interest, as, unlike disclosure to the SEC, that case involves public dissemination of information.
[49] Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 597.
[50] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 474.
[51] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 485 at 473 where Bankes LJ quotes Lord Finlay’s judgement in Weld-Blundell v Stephens [1920] A.C. 956 at 965 where “danger to the state” was given as an example where an exception could be made to the duty of confidentiality.
[52] Tournier v National Provincial and Union Bank of England [1924] 1 KB 461 at 486.
[53] Price Waterhouse v BCCI Holdings (Luxembourg) SA [1992] BCLC 583 at 596 and 601.
[54] AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 268.
 
 
2.18 That there is a public interest in banks making adequate disclosures to foreign regulators is reflected in the FCA’s Principle 11 and the PRA’s Fundamental Rule 7, requiring UBSLB to “deal with its regulators in an open and cooperative way...” which, as noted above, cover disclosure to overseas regulators such as the SEC.[55] Further evidence for this public interest is found in the existence of the 2021 MoU, which relates to the sharing of information such as that contained in the Covered Books and Records, and On-Site Inspections, in recognition of the public interest in such information exchanges, as described at paragraph 25 thereof.
 
2.19 In an example of the application of this principle in the context of bank confidentiality, it has been held that compliance with a foreign subpoena could occur without breaching the duty of confidentiality on the basis of the public interest exception.[56] This stands in contrast to the exception for compulsion of law, as discussed above.
 
 
2.20 It is assumed that disclosure to the SEC is solely in furtherance of the SEC’s supervisory mandate. In itself, on the basis of the points above, we consider that this would likely be sufficient to establish a public interest in disclosure, given the public interest in enabling effective supervision of financial services business, including SBS business. We further understand that such disclosure to the SEC is, at least in part and/or for certain types of records, for the purposes of preventing fraud or crime (e.g. records relating to transactions and persons involved in transactions), further supporting this view.
 
2.21 Additionally, there is close alignment in the intention of this exception and the public interest derogation established under Article 49(1)(d) of the UK GDPR as both essentially require a balancing exercise as regards competing duties.[57] Whilst there is limited recent case law on the banker’s duty of confidentiality, we anticipate that an English court would follow a similar approach when addressing these duties of confidentiality and the protection of personal data.
 
2.22 Therefore, the reasons set out here and at regarding the application of that derogation under the UK GDPR in the context of the UK public interest in ensuring effective regulation is achieved in other jurisdictions, we anticipate UBSLB would be able to rely on this exception to the duties of confidence in permitting the SEC to access its Covered Books and Records and to conduct On-Site Inspection of UBSLB.
 
In the interests of the bank
2.23 In limited cases, disclosure of confidential information that is subject to the banker’s duty of confidentiality may be permissible where it is in the interests of the bank. This exception does not apply to information that is subject to the general duty of confidentiality. However, we consider that this exception is available to information that is subject to both such duties, leaving only information that does not relate to customers (e.g. information relating to staff) beyond the scope of this exception.
 
2.24 It is clearly in the interests of UBSLB to comply with the SEC’s requests. However, the majority of case law on this exception points to there being a high bar to meet.
 
2.25 In X AG and others v A Bank [1983] All ER 464 it was held that a bank could not comply with a subpoena from a New York court without breaching its duty of confidentiality. However, in considering arguments based on the banker’s own interest, Leggatt J judged that it was not clearly in the bank’s own interests to comply with the subpoena, as the bank would not, as a matter of fact in that particular case, face any serious detriment for its failure to comply.[58] In contrast, Bankes LJ gave the example in Tournier of a bank commencing an action against a customer where the customer’s overdraft is in arrears, acknowledging that, in that situation, the banker would be able to disclose the amount of the overdraft in its claim. These cases suggest that the bank’s own interest exception will be construed narrowly and the court will take a view on whether the bank’s own interests are genuinely threatened by non-disclosure. In the context of requests by the SEC, it is assumed that failure to comply could result in enforcement action and potentially even the cessation of UBSLB’s ability to conduct SBS business in US markets. Accordingly, it is expected that UBSLB may face serious detriment for a failure to comply with the SEC’s demands, and so this exception may be available to UBSLB.

[55] Principles for Business section of the FCA Handbook at l. l.6G.
[56] Pharaon v Bank of Credit and Commerce International SA [1998] 4 All E.R. 455, a banker’s duty of confidentiality case, which is also applicable to the general duty of confidentiality.
[57] As for the balancing approach to confidentiality claims: X AG v A Bank [1983] 2 All ER 464 at 478.
[58] X AG and others v A bank [1983] 2 All ER at 475.

2.26 However, to rely on this exception, UBSLB must balance its interests in complying with the SEC’s disclosure request against the competing interest of its customers in the banker’s duty of confidence being maintained, and UBSLB must satisfy itself that those interests do not outweigh its own. This would need to be assessed on a case-by-case basis. Due to the differing circumstances of each customer, this exception is perhaps less likely to provide a consistent basis on which to provide information to the SEC than the public interest exception considered above.
3. PRIVACY AND HUMAN RIGHTS
Misuse of private information
3.1 Where Covered Books and Records do not contain, and On-Site Inspection would not reveal, any relevant forms of information, an action for misuse of private information will not be able to prevent the sharing of information with the SEC. Considering the nature of the Covered Books and Records (e.g. transaction data such as volumes and prices), and the focus of actions for misuse of private information (as explained below), it is likely that many, and perhaps most, aspects of information disclosed to the SEC required will not fall within scope of this action.
3.2 There is no stand-alone basis to bring a claim for ‘invasion of privacy’ under English law.[59] However, since 2004, the English courts have recognised a cause of action for ‘misuse of private information’.[60] This addresses a different component of privacy to the protection of confidentiality (which relates to the secrecy of private information), namely the prevention of intrusion into an individual's privacy.[61]
(a) An action for misuse of private information extends the law regarding a breach of confidence as it does not require that the information is confidential[62] as such an action can relate to information that is to some extent already in the public domain.[63]
(b) An action for misuse of private information can be brought where the information is private (i.e. the person in question had a reasonable expectation of privacy)[64] and that privacy has been breached. It is not necessary that the disclosure of private information is conducted with an intention of dishonesty, malice, or bad faith.[65] Further, a reasonable expectation of privacy is very unlikely to exist where valid consent to disclosure of the relevant information has been given.[66]
 
3.3 In the context of the SEC’s ability to access Covered Books and Records and to conduct On-Site Inspections of UBSLB, it is anticipated that most information that would be subject to such exercises and which relates to a person other than UBSLB would properly fall to be addressed by an action in confidence regarding secret information rather than an action in misuse of private information. Information that is both confidential and private will be subject to the restrictions on confidential and the restrictions on private information. Please see section regarding the ability of UBSLB to share confidential information with the SEC.

[59] Wainwright v Home Office [2003] A.C. 4.6 at 424.
[60] Campbell v MGN [2004] 2 A.C. 457 at 464.
[61] PJS v News Group Newspapers Ltd [2016] A.C. 1081 at 1108.
[62] As is required to establish a case in confidence AG v Guardian Newspapers (No 2) and Others [1990] 1 A.C. 109 (known as Spycatcher) at 282.
[63] PJS v News Group Newspapers Ltd [2016] A.C. 1081 at 1100.
[64] Campbell v MGN [2004] 2 A.C. 457 at 466.
[65] Duchess of Sussex v Associated Newspapers Ltd [2020] E.M.L.R. 21 at 423.
[66] Murray v Express Newspapers plc and another [2009] Ch. 481 at 501.

3.4 In essence, an action for misuse of private information seeks to establish a right of action that gives effect to the right to privacy enshrined in Article 8 of the European Convention on Human Rights. Therefore, to the extent that the ability of UBSLB to share information with the SEC would be restricted by a right to privacy, beyond duties of confidence, please refer to the below regarding the right to privacy.
Right to privacy
Scope
3.5 Article 8 of the European Convention on Human Rights confers a general “right to respect for his private and family life, his home and his correspondence” (Article 8). This right is established in UK law pursuant to section 1(2) of the Human Rights Act 1998 (HRA). Sections 6(1) and (3) HRA establish that a UK court cannot act in a way that is incompatible with Article 8 (and other rights under the European Convention on Human Rights). The effect of this is that a court must take Article 8 into account, even if the action is one among private parties.[67]
 
3.6 However, Article 8 of the Convention does not in itself give rise to a free-standing cause of action;[68] instead an action in misuse of private information, a breach of confidence or other legal obligation, such as under the UK GDPR, must be brought, and the court will then be obliged to consider the application of Article 8.
 
3.7 Rights of privacy clearly apply to natural persons. In certain situations, but not as yet under the HRA, legal persons have been held to benefit from a right to privacy.
3.8 Companies have been held to enjoy privacy rights in certain situations. For example, in R v Broadcasting Standards Commission ex parte British Broadcasting Corporation [2000] 3 All ER 989, which related to a complaint under the Broadcasting Act 1996 regarding infringement of privacy made against the BBC by a company, the Court of Appeal held that companies, as well as individuals, are entitled to protection from unwarranted infringement of their privacy under that Act. Although the case arose prior to the implementation of the HRA, the European Convention on Human Rights was taken into account. Furthermore, the European Court of Human Rights assumed in a September 2014 case that the reputation of a company fell under the notion of private life under Article 8.[69]
 
3.9 However, we anticipate that the courts will be slow to apply Article 8 considerations to businesses other than as a last resort. This is in part because businesses are more likely than natural persons to have the means to maintain their privacy and in part because of the likelihood that actions under duties of confidence will provide adequate protection.
Application and exceptions
3.10 Article 8 is a qualified right, meaning that it can be breached in accordance with Article 8(2) – that is, where doing so is:
(a) in accordance with the law;
(b) necessary in a democratic society; and
(c) in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (i.e. a legitimate aim).

[67] Campbell v MGN [2004] 2 A.C. 457 at 465.
[68] Venables and another v News Group Newspapers Ltd and others [2001] EWHC QB 32 [2001] 2 W.L.R. 1038 at 446.
[69] Firma EDV Für Sie, EFS Elecktronische Datenverarbeitung Dienstleistungs GMBH v Germany Application 32783/08.

3.11 For the reasons set out below, we consider that each criterion is likely to be met in respect of the provision of information contained in Covered Books and Records to the SEC and in permitting the SEC to conduct On-Site Inspections.
(a) In accordance with the law
(i) This criterion is intended to prevent arbitrary intrusion into private life.
(ii) This criterion has two aspects: the measure complained about must have some basis in domestic law, whether that is statute or common law, and secondly, that the domestic law has to be sufficiently precise so that an individual can foresee with a reasonable degree of certainty the consequences of their actions or the circumstances in which the authority may take a particular course of action.[70]
(iii) As the HRA provides that Article 8 must be applied by the courts, rather than taking direct effect against UBSLB itself, the relevant consideration is the legal basis on which the court would allow Article 8 to be breached.
(iv) Regarding the first aspect, UBSLB is obliged to comply with the FCA’s general rules, which are set out in the FCA Handbook.[71] These include the FCA’s Principle 11, which obliges UBSLB to “deal with its regulators in an open and cooperative way...”. It is noted in the FCA’s related guidance that this includes overseas regulators such as the SEC.[72] The PRA’s Fundamental Rule 7 also creates a parallel and equivalent obligation on UBSLB[73] and it is considered that these regulatory requirements extend to covering private information.[74] As a result, in permitting disclosure to the SEC, the court would be acting in support of UBSLB’s legal obligations under FCA and PRA rules, giving the court’s actions a basis in domestic law.
(v) The second aspect in effect requires that the domestic law cannot be so broad as to enable arbitrary action. In determining whether to allow information to be provided to the SEC, the court would have to balance the relevant duty of confidence with the merits of permitting disclosure. These duties of confidence establish limits on the court’s actions, thus preventing arbitrary action by the court.
(b) Necessary in a democratic society
(i) This criterion is intended to ensure the proportionality of an intrusion into private life.
(ii) To meet this criterion, there must be a “pressing social need” for the interference, and the interference must be proportionate to that need.[75] As regards each, please refer to paragraphs to which set out the basis on which there is a need to provide in-scope information to the SEC in the context of UBSLB’s conduct of SBS business.
[70] Malone v UK [1984] ECHR 10 at 68.
[71] These are rules published by the FCA in the exercise of its power under section 137A of FSMA and enforceable by the FCA pursuant to Part XIV of FSMA.
[72] Principles for Business section of the FCA Handbook at l. l.6G.
[73] The PRA Rulebook is established in the exercise of its power under section 137G of FSMA and enforceable by the PRA pursuant to Part XIV of FSMA.
[74] Unlike the application of these regulatory requirements to confidential information (per paragraph ), there are no specific powers available to the FCA and PRA to oblige UBSLB to provide them with private (as opposed to confidential) information in furtherance of investigations conducted by the FCA and/or PRA (including investigations conducted in support of a foreign regulator, such as the SEC) and so no similar limit is implied into the scope of the requirements under Principle 11 and Fundamental Rule 7.
[75] Dudgeon v UK (1982) 4 E.H.R.R. 149 at 164.
 
 
(c) In pursuit of a legitimate aim
(i) This criterion is intended to ensure that the purpose of an intrusion into private life is adequately serious so as to justify the intrusion.
(ii) We are not aware of any case law regarding this criterion which is directly or comparably applicable in this context. However, we consider that it is reasonable, given the purpose for which the SEC seeks information from UBSLB, to conclude that legitimate aims are established in the prevention of disorder or crime (such as money laundering) and even, in more extreme cases (e.g. where information is used for counter-terrorist financing purposes), for national security reasons.[76]
 
[76] It could also arguably be for the purpose of the economic well-being of the UK, insofar as enabling trading activity in SBSs in US markets has such a benefit, though this is likely too limited a benefit to be sufficient to meet this criterion.
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG, including UBSLB, has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBSLB submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, and in alignment with the view expressed in the ICO Letter, such disclosure will be necessary for important reasons of public interest. Such disclosure will be made in compliance with Articles 44 et seq of the UK GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBSLB has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBSLB, such employees are “associated persons” of UBS for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
 
5. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
6. Similarly, UBSLB will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR and the UK GDPR.[77] We understand that UBSLB’s general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBSLB can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the ICO) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.[78]
 
7. It is the SEC's practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the GDPR (as described in paragraph of to this opinion). We understand that this aligns with UBSLB’s general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the ICO).[79]

[77] These principles are set out in at paragraph
[78] See the SEC Guidance at 85 FR 6298.
 
8. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,[80] pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
9. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
[79] See the SEC Guidance at 85 FR 6298. This assumption also aligns with the information that we understand was provided by the SEC to the ICO per page 2 of the ICO Letter.
[80] We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
 