Transfers for compliance with U.S. law can generally be done under the General Data Protection Regulation (GDPR) Article 49 derogation, said the United Kingdom's Information Commissioners Office (ICO) in a letter to the U.S. Securities and Exchange Commission (SEC), but it's better to try to implement an Article 46 transfer tool and you still need to make sure the transfers aren't large scale or systematic.
Asked to examine compliance with GDPR by UK companies that are required to make filings with the SEC, which may include personal data (including special category data) as well as criminal background information, the ICO issued a letter analyzing the legal framework.
ICO says that companies should first try to put together an Article 46 transfer mechanism, but that if one is not possible, the Article 49 derogation of "necessary for important reasons of public interest" could apply.
There are important reasons of public interest embedded in UK law:
SEC requests are strictly necessary and proportionate:
UK firms must still: