EX-99.34 OPIN COUNSL 27 loaustralia.htm loaustralia
 
loaustraliap1i0.gif
 
1
 
 
 
 
 
 
UBS AG Australia Branch
The Chifley Tower
 
2 Chifley Square
Sydney
NSW 2000
Allen & Overy
Level 25
85 Castlereagh Street
Sydney NSW 2000
Australia
PO Box A2498
Sydney South NSW 1235
 
Australia
Tel
+61 (0)2 9373 7700
Fax
+61 (0)2 9373 7710
One Bishops Square
London
 
E1 6AD
 
United Kingdom
Tel
+44 (0)20 3088 0000
Fax
+44 (0)20 3088 0088
Janna.Tay@allenovery.com
Our ref
0036335
-
0000808
20 October 2021
Dear Sir or Madam
 
UBS Australia Branch SEC registration as a non-resident security-based swap dealer
 
1.
 
BACKGROUND
1.1
 
We
 
understand that UBS AG (
UBS
), a bank authorised in Switzerland, is seeking to register with the
United States
 
(
US
) Securities
 
and Exchange
 
Commission (
SEC
) as
 
a non-resident
 
security-based swap
(
SBS
) dealer (
SBSD
).
1.2
 
To
 
register as an SBSD
 
with the SEC, a
 
non-resident SBSD
1
 
such as UBS must
 
attach an opinion of
counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a
 
matter of law:
(a)
 
provide
 
the
 
SEC
 
with
 
prompt
 
access
 
to
 
the
 
relevant
 
books
 
and
 
records
 
as
 
defined
 
in
paragraphs 3.3 and 3.4 (
Covered Books and Records
); and
 
(b)
 
submit to on-site
 
inspection and examination
 
of its Covered
 
Books and Records by
 
the SEC
(
On-Site Inspection
).
1.3
 
UBS will
 
maintain certain
 
Covered Books
 
and Records
 
in its
 
Australia Branch
 
(
UBSAB
), which
 
is
authorised in Australia.
1.4
 
You
 
have asked
 
us to
 
issue an
 
opinion affirming
 
that UBSAB will
 
be able
 
to provide
 
the SEC
 
with
prompt access
 
to its
 
books and
 
records and
 
submit to
 
On-Site Inspection
 
by the
 
SEC in
 
accordance
with paragraph 1.2 above.
1
 
 
In the case of a corporation, an SBSD will be “non
-
resident” if it is incorporated in or has its principal place of business in any place not in
the United States (see
 
17 Code of Federal
 
Regulations (
CFR
) § 240.15Fb2-4(a)(2)). As
 
UBS is incorporated in
 
Switzerland, UBS fulfils
 
this
definition of a “non-resident” SBSD.
 
Allen & Overy is affiliated with Allen & Overy LLP,
 
a limited liability partnership registered in England and Wales with registered office
 
at One Bishops Square London E1 6AD. Allen
& Overy
 
LLP or
 
an affiliated
 
undertaking has
 
an office
 
in each
 
of: Abu
 
Dhabi, Amsterdam,
 
Antwerp, Bangkok,
 
Beijing, Belfast,
 
Bratislava, Brussels,
 
Budapest, Casablanca,
 
Dubai,
Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh
 
City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles,
 
Luxembourg, Madrid, Milan, Moscow,
Munich, New York, Paris, Perth,
 
Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley,
 
Singapore, Sydney, Tokyo,
 
Warsaw, Washington,
 
D.C. and Yangon.
 
 
 
 
 
2
 
1.5
 
This opinion is structured as follows:
(a)
 
Section 2:
 
summary of opinion;
 
(b)
 
Section 3:
 
scope, assumptions and qualifications;
 
(c)
 
Section 4:
 
revisions to applicable law;
(d)
 
Section 5:
 
reliance and confidentiality;
(e)
 
Annex 1: Opinion; and
(f)
 
Annex 2: Assumptions.
1.6
 
For the purposes
 
of this opinion,
 
the legal or
 
natural person imparting the
 
information subject to
 
the
duty of
 
confidentiality will
 
be the
Rights Holder
and the
 
person receiving
 
that information,
 
in this
case UBSAB, will be the
Recipient.
 
2.
 
SUMMARY OF OPINION
Subject to the assumptions and qualifications below it is our opinion
 
that:
2.1
 
UBSAB can, as
 
a matter of
 
applicable Australian law, submit
 
to On-Site Inspection
 
by the SEC.
 
There
is
 
no
 
restriction
 
on
 
UBSAB
 
submitting
 
to
 
On-Site
 
Inspection
 
by
 
the
 
SEC.
 
The
 
remainder
 
of
 
this
opinion focuses on
 
UBSAB’s ability to disclose
 
information contained
 
in Covered Books
 
and Records
to the
 
SEC in
 
the course
 
of On-Site
 
Inspection in
 
Australia and
 
the ability
 
to provide
 
the SEC
 
with
prompt access to Covered Books and Records.
2.2
 
UBSAB can, as
 
a matter of
 
applicable Australian
 
law, provide the SEC
 
with prompt access
 
to Covered
Books and Records held by UBSAB in Australia
2
.
Disclosure of personal information
3
 
2.3
 
Disclosures of personal
 
information (particularly sensitive information)
 
relating to UBSAB’s
 
clients
and staff
 
are subject
 
to certain
 
restrictions under
 
the
Privacy Act
 
1988
 
(Cth) (
Privacy Act
) and
 
the
Australian Privacy Principles (
APPs
) (collectively, the
Australian privacy framework
), particularly
where
 
this
 
involves
 
a
 
cross-border
 
transfer
 
of
 
personal
 
information
 
to
 
a
 
jurisdiction
 
outside
 
of
Australia.
2.4
 
We
 
anticipate that UBSAB may have
 
to obtain the consent of
 
individuals to enable disclosure of
 
the
Covered Books and Records to the SEC and to permit
 
On-Site Inspection, and our view in this regard
is
 
that
 
the
 
UBSAB
 
Privacy
 
and
 
Credit
 
Reporting
 
Policy
 
 
Australia
 
dated
 
2
 
April
 
2020
4
 
(
UBS
Australian Privacy
 
Policy
)
 
already enables
 
UBSAB to
 
obtain that
 
consent in
 
accordance with
 
the
Australian
 
privacy
 
framework,
 
and
 
there
 
should
 
not
 
be
 
any
 
issues
 
in
 
disclosing
 
any
 
personal
information that may be contained in the Covered Books and Records to the SEC (also see paragraph
1.14 of
 
Annex 1).
 
Alternatively,
 
if this
 
is not
 
possible, UBSAB
 
may have
 
to fall
 
within exceptions
under
 
the
 
APPs.
 
It is
 
also likely
 
that
 
Australian law
 
will
 
require
 
an employer,
 
such
 
as
 
UBSAB,
 
to
obtain the consent of its employees to disclose any of their personal
 
information to the SEC.
2
 
 
Where a restriction on the ability
 
to transfer personal data or to
 
disclose confidential information applies, consent from th
e Rights Holder,
validly given in accordance with the relevant standard for
 
consent under each applicable legal obligation, would
 
allow for such information
to be
 
lawfully transferred
 
to the
 
SEC or
 
disclosed to
 
the
 
SEC during
 
On-Site Inspection.
 
Please note
 
that valid
 
consent is
 
assumed in
Assumption
 
3
 
 
Please refer to section
 
of
 
for definitions of the Privacy Act, the APPs,
 
personal information, and sensitive information.
4
 
 
The
UBS
 
Privacy
 
and
 
Credit
 
Reporting
 
Policy
 
Australia
 
da
ted
 
2
 
April
 
2020
 
that
 
can
 
be
 
accessed
 
at
https://www.ubs.com/global/en/legal/privacy/australia/_jcr_content/mainpar/toplevelgrid/col1/linklist/link_658648610.1183479955.file/b
Gluay9wYXRoPS9jb250ZW50L2RhbS9hc3NldHMvY2MvZ2xvYmFsL2xlZ2FsL2RvYy9wcml2YWN5LW5vdGljZS9jbGllbnQtcHJpdm
FjeS1ub3RpY2UtZW4tYXVzdHJhbGlhLnBkZg==/client-privacy-notice-en-australia.pdf
.
 
0036335-0000808 UKO1: 2005347595.6
 
3
2.5
 
As
 
disclosure
 
to
 
the
 
SEC
 
involves
 
a
 
cross-border
 
transfer,
 
UBSAB
 
will
 
also
 
have
 
to
 
satisfy
 
the
requirements for
 
overseas disclosure
 
of the
 
personal information.
 
UBSAB may
 
have to
 
take reasonable
steps to ensure that the SEC
 
does not breach the APPs in relation
 
to that information. This is typically
satisfied by way of
 
a contractual arrangement
 
entered into by
 
USBAB and the
 
SEC which requires
 
the
SEC
 
to
 
handle
 
the
 
personal
 
information
 
in
 
accordance
 
with
 
the
 
APPs.
 
However,
 
this
 
will
 
not
 
be
necessary if UBSAB can rely on independent legal advice
 
that establishes that the SEC is subject to a
law or
 
binding scheme similar
 
to the
 
APPs, or
 
if it
 
obtains the
 
consent of
 
individuals in
 
accordance
with the Australian privacy
 
framework (see our analysis
 
in paragraph 2.4
 
above and paragraph 1.14
 
of
Annex 1).
 
Common law duties of confidentiality
2.6
 
The general duty of confidentiality applies to information communicated in circumstances indicating
it
 
is
 
confidential.
 
The
 
banker’s
 
duty
 
of
 
confidentiality
 
arises
 
due
 
to
 
the
 
nature
 
of
 
the
 
relationship
between
 
a
 
banker
 
and
 
his
 
or
 
her
 
customer
 
(and
 
this
 
duty
 
does
 
not
 
apply
 
to
 
information
 
held
 
or
controlled by UBSAB that relates to any person other than its customers).
 
2.7
 
Disclosure with
 
consent, or
 
under another
 
recognised exception,
 
would not
 
amount to
 
a breach
 
of these
legal duties.
 
For example, confidential
 
information can be
 
disclosed with the
 
express consent of
 
the
person to whom such information relates.
2.8
 
We note that there are other exceptions
 
to the duty of
 
confidentiality such as
 
where disclosure is
 
in the
public interest.
 
However,
 
there must
 
be compelling
 
public interest
 
reasons for
 
the disclosure
 
as the
threshold is generally understood to be very high. It
 
may also be possible, where the information
 
held
regards clients, to rely on the bank’s own interest exception to the banker’s (but not the general) duty
of confidentiality, though this requires a case-by-case balancing of the competing factors in favour of
each of
 
the bank
 
and the
 
Rights Holder. Considering
 
the uncertainty
 
and high
 
bar to
 
meet for
 
disclosure
in the public
 
interest or bank’s own interest,
 
it is advisable
 
to seek express
 
consent to disclosure
 
as this
would establish a greater degree of certainty that the disclosure is made in accordance with the duties
of confidentiality.
2.9
 
These duties of confidentiality will not apply to any information contained in the Covered Books and
Records or
 
to On-Site
 
Inspection insofar
 
as information
 
made available
 
to the
 
SEC is
 
owned by
 
or
relates to UBSAB itself, rather than by
 
or to UBSAB’s clients or, in the case of the general duty only,
third parties or its staff.
2.10
 
There is
 
generally no
 
legal duty
 
of mutual
 
confidence implied
 
into contracts
 
of employment
 
within
Australia.
Privacy and Human Rights
2.11
 
Australia does
 
not have
 
a statutory or
 
constitutional framework of
 
human rights, and
 
most civil
 
and
political rights
 
of individuals
 
under Australian
 
law are
 
found within
 
the common
 
law as
 
well as
 
specific
pieces of legislation. In
 
this regard, the Australian
 
privacy framework, which sets
 
out a framework for
the processing of the personal information of individuals within Australia, can also be taken to be the
framework that provides individuals in Australia with a “right” to
 
privacy.
 
2.12
 
Although
 
Australia
 
has
 
signed,
 
ratified,
 
and
 
supports a
 
number
 
of
 
international
 
treaties
 
containing
rights against
 
unlawful interference to
 
privacy,
 
these have
 
no direct
 
bearing on
 
Australian domestic
law in respect of privacy.
 
This summary opinion is not a substitute for the full expression of our views
 
set out in Annex 1.
 
 
 
 
 
0036335
-
0000808 UKO1: 2005347595.6
 
 
 
 
4
 
3.
 
SCOPE, ASSUMPTIONS AND QUALIFICATIONS
3.1
 
This
 
opinion
 
relates
 
solely to
 
access
 
provided
 
to
 
the
 
SEC
 
of
 
Covered
 
Books
 
and
 
Records
 
held
 
by
UBSAB in Australia
 
and On-Site Inspection
 
of UBSAB by
 
the SEC in
 
Australia.
 
This opinion applies
equally to remote access from the
 
US to Covered Books and Records held
 
in Australia. This opinion
excludes books and records held in the US.
3.2
 
This opinion has been prepared in accordance with
 
UBS’s specific instructions as
 
to the scope of the
opinion. For this purpose you have issued us with guidance from a third party US law firm which we
have used to inform the scope of our opinion.
3.3
 
This opinion only covers access to
 
and the On-site Inspection of Covered
 
Books and Records. We are
instructed that Covered Books and Records include only those
 
books and records which:
(a)
 
relate to the
 
US business
5
 
of the non-resident
 
SBSD.
6
 
These are the
 
records that relate
 
to an
SBS that is either:
(i)
 
entered into, or offered to be entered into, by or on behalf of the
 
non-resident SBSD,
with a
 
“U.S. Person” as
 
defined in
 
17 CFR
 
§ 240.3a71-3(a)(4)
7
 
(
US Person
) (other
than an SBS conducted through a foreign branch of such US Person);
8
 
or
(ii)
 
arranged, negotiated, or executed by
 
personnel of the non-resident SBSD
 
located in a
branch in
 
the US
 
(
US branch
) or
 
office or
 
by personnel
 
of an
 
agent of
 
the non-resident
SBSD located in a US branch or office;
9
 
or
(b)
 
constitute
 
financial
 
records
 
necessary
 
for
 
the
 
SEC
 
to
 
assess
 
the
 
non-resident
 
SBSD’s
compliance with the SEC’s margin and capital requirements, if applicable.
10
 
3.4
 
Further
 
to
 
Assumption 1,
 
this
 
opinion
 
is
 
limited
 
to
 
those
 
types
 
of
 
records
 
that
 
are
 
relevant
 
to
prudentially regulated SBSDs,
 
which excludes financial
 
records as noted
 
in paragraph 3.3(b)
 
above.
For this opinion, the term “Covered Books and Records” extends to these
 
record types alone.
3.5
 
The issues
 
addressed in
 
this opinion
 
apply equally
 
across the
 
different document
 
types which
 
constitute
the Covered Books and
 
Records based upon the
 
information actually contained
 
in each of the relevant
Covered Books and Records. We have not examined any such documents or records.
3.6
 
In giving this opinion, we have made the further assumptions set out
 
in Annex 2.
 
3.7
 
No opinion is expressed on matters of fact.
 
5
 
 
As defined in 1
7 CFR §240.3a71
-
3(a)(8).
 
6
 
 
Cross
-
Border Application of Certain [SBS] Requirements,
 
85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the
SEC Guidance
).
 
7
 
 
A “U.S. person” means any person that is “(i) a natural person resident
 
in the U.S.; (ii) a
partnership, corporation, trust, investment vehicle,
or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in
the United States; (iii) an
 
account (whether discretionary or non-discretionary) of a
 
U.S. person; or (iv) an estate
 
of a decedent who was a
resident of the United States at the time of death.” 17 CFR
 
§ 240.3a71-3(a)(4).
8
 
 
A “foreign branch” means “any branch of
 
a U.S. bank if: (i)
 
the branch is located
outside of the United States; (ii)
 
the branch operates for
valid business
 
reasons; and
 
(iii) the
 
branch is
 
engaged in
 
the business
 
of banking
 
and is
 
subject to
 
substantive banking regulation
 
in the
jurisdiction where located” (17 CFR §
 
240.3a71-3(a)(2)). An “SBS conducted through a
 
foreign branch” means an SBS that
 
is “arranged,
negotiated, and executed by
 
a U.S. person through
 
a foreign branch of such
 
U.S. person if: (A) the
 
foreign branch is the counterparty
 
to such
security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign
branch solely by persons located outside the United States” (17
 
CFR § 240.3a71-3(a)(3)(i)).
9
 
 
17 CFR § 240.3a71
-
3(a)(8)(i)(B).
 
10
 
 
The
 
requirement set
 
out
in this
 
paragraph
 
does
 
not
 
apply
 
to
 
UBSAB because
 
it is
 
not
 
subject to
 
the
 
SEC’s
 
margin
 
and
 
capital
requirements as it is assumed that UBSAB has a prudential regulator
 
– please see the assumptions set out in
 
 
0036335-0000808 UKO1: 2005347595.6
 
loaustraliap5i0.gif
 
5
 
4.
 
REVISIONS TO APPLICABLE LAW
 
4.1
 
We
 
are instructed that the SEC rules
11
 
require a non-resident SBSD to re-certify within 90
 
days after
any changes in the legal or regulatory framework that would:
(a)
 
impact the ability of the SBSD to provide prompt access to its Covered
 
Books and Records;
 
(b)
 
impact the
 
manner in
 
which it
 
would provide
 
prompt access
 
to its
 
Covered Books
 
and Records;
or
(c)
 
impact the ability of the SEC to conduct On-Site Inspections.
4.2
 
Upon a
 
change in
 
law or
 
regulatory framework
 
of the
 
sort outlined
 
in paragraph
 
4.1 above,
 
we are
instructed that the
 
SBSD is required
 
to submit a
 
revised opinion describing how,
 
as a matter
 
of law,
the SBSD will continue to meet its obligations.
 
4.3
 
This opinion relates solely to the laws of Australia in force as at the date of
 
this opinion. We
 
have no
obligation to notify any addressee of any change
 
in any applicable law or its application
 
after the date
of this opinion.
5.
 
RELIANCE AND CONFIDENTIALITY
5.1
 
This opinion is
 
given for the
 
sole benefit of
 
the addressee. It
 
may not be
 
relied upon by
 
anyone else
without our prior written consent.
5.2
 
This
 
opinion
 
is
 
not
 
to
 
be
 
disclosed
 
to
 
any
 
person
 
outside
 
of
 
UBS
 
AG’s
 
group
 
or
 
used,
 
circulated,
quoted or otherwise referred to for any
 
other purpose. However, we agree that
 
a copy of this opinion
letter may be disclosed:
 
(a)
 
where
 
disclosure is
 
required
 
or
 
requested
 
by
 
any
 
governmental, banking,
 
taxation
 
or
 
other
regulatory authority or similar body having jurisdiction over
 
UBS AG (including to the SEC
as
 
part
 
of
 
UBS
 
AG’s
 
SBSD
 
registration
 
application) or
 
by
 
the
 
rules
 
of
 
any
 
relevant
 
stock
exchange or pursuant to any applicable law or regulation; and
 
(b)
 
to
 
UBS
 
AG’s
 
affiliates,
 
and
 
any
 
of
 
their
 
officers,
 
directors,
 
employees,
 
auditors,
 
insurers,
reinsurers, insurance brokers and professional advisers (in their capacity as
 
such).
5.3
 
Any such disclosure
 
must be made
 
on the basis
 
that it is
 
for information purposes only,
 
no recipient
may rely
 
on this advice,
 
no client-lawyer relationship between
 
us and the
 
recipient arises following,
or as a
 
result of, any
 
such disclosure. We assume no
 
duty or liability
 
to any recipient,
 
and any recipient
under paragraph 5.2(b) above will be subject to the same restrictions on disclosure
 
as set out above.
5.4
 
We
 
assume no obligation
 
to advise
 
you or
 
any other person
 
or to
 
make any
 
investigations as to
 
any
legal
 
developments
 
or
 
factual
 
matters
 
arising
 
subsequent
 
to
 
the
 
date
 
hereof
 
that
 
might
 
affect
 
the
opinions expressed herein.
 
Yours
 
faithfully,
 
 
 
Allen & Overy
 
11
 
 
17 CFR § 240.15Fb2
-
4(c)(2).
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
6
 
ANNEX 1
 
OPINION
1.
 
DATA
 
PROTECTION
1.1
 
The Australian privacy framework will
 
apply to UBSAB’s proposed disclosure of the Covered
 
Books
and
 
Records to
 
the
 
SEC to
 
the
 
extent that
 
these
 
comprise or
 
contain personal
 
information, and
 
the
APPs will apply to the extent that UBSAB is an “APP entity”.
12
 
1.2
 
Personal information is information or an
 
opinion relating to an identified or
 
a reasonably identifiable
individual, whether the information
 
or opinion is true
 
or not and whether
 
the information or opinion
 
is
recorded in a material form
 
or not.
13
 
As such, it may extend
 
to information on UBSAB
 
staff as well as
clients. The Privacy Act
 
explicitly recognises a number
 
of different types
 
of information as personal
information, but information
 
does not require
 
explicit recognition to
 
constitute personal information
under the Privacy Act.
 
1.3
 
Under the Privacy
 
Act, a higher
 
level of protection
 
applies for personal
 
information that is
 
sensitive
information
 
 
s
ensitive
 
information
 
is
 
personal
 
information
that
 
reveals
the
racial
 
or
 
ethnic
background,
 
political
 
opinions
 
or
 
associations
,
 
religiou
s
 
or
 
philosophical
 
beliefs,
 
trade
 
union
membership,
 
genetic
 
data,
 
biometric
 
data
 
when
 
used
 
for
 
ID
 
purposes,
 
health
 
information,
 
data
concerning sex life
 
or sexual orientation,
 
and criminal records
 
of individuals.
 
As sensitive information
is less likely to be relevant in
 
the context of UBSAB’s
 
disclosures to the SEC, the laws applicable to
this data have not been considered in any material detail in this opinion.
1.4
 
Key restrictions in the Australian
 
privacy framework relating to
 
UBSAB’s ability to disclose personal
data to the
 
SEC are set out below.
 
We
 
further note that data
 
(including personal information) cannot
be disclosed if doing so would breach another
 
legal requirement (e.g. confidentiality –
 
please also see
section 2 below).
 
Collection, use and disclosure of personal information under the Australian privacy
 
framework
1.5
 
UBSAB must
 
comply with
 
the Privacy
 
Act generally, as
 
well as
 
APP 3,
 
APP 6
 
and APP
 
8 in
 
particular,
in respect of
 
any proposed disclosure
 
of personal information
 
by UBSAB to
 
the SEC.
 
It should also
be
 
noted
 
that
 
while
 
compliance
 
with
 
APP
 
3,
 
APP
 
6
 
and
 
APP
 
8
 
(as
 
well
 
as
 
the
 
Australian
 
privacy
framework generally)
 
is required
 
by UBS
 
if it
 
wishes to
 
disclose personal
 
information to
 
the
 
SEC,
none of
 
the individual
 
APPs on
 
its own
 
is so
 
comprehensive as
 
to cover
 
all disclosures
 
of personal
information (including the disclosure
 
of personal information
 
to the SEC),
 
and UBSAB will need
 
to
consider the most appropriate legal basis to apply to any given situation.
1.6
 
The
 
APPs
 
are
 
set
 
out
 
in
 
Schedule 1
 
to
 
the
 
Privacy Act,
 
and they
 
constitute a
 
crucial
 
aspect of
 
the
Australian privacy framework’s data
 
protection principles.
 
The APPs govern
 
the standards, rights,
 
and
obligations regarding: the collection, use, and disclosure of personal
 
information; the governance and
accountability of APP entities;
 
the integrity and correction
 
of personal information; and
 
the rights that
individuals have to access their information.
 
1.7
 
The legal bases of APP 3, APP 6 and APP 8 are as follows:
(a)
 
APP 3 –
 
an APP entity can
 
only solicit and
 
collect personal information
 
where it is
 
reasonably
necessary for the APP’s
 
functions or activities, and the APP entity must collect that
 
personal
information directly from the individual (subject to exceptions) by
 
lawful and fair means;
 
 
12
 
 
An APP entity is
 
defined under the Privacy
 
Act to be an
 
agency organisation, including a
 
body corporate, that has
 
an annual t
urnover of over
AUD3,000,000 in a financial year. We have assumed at Assumption
 
that UBSAB is an APP entity.
13
 
 
Section 6 of the Privacy Act.
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
7
 
(b)
 
APP 6
 
– an
 
APP entity
 
may use
 
or
 
disclose personal
 
information that
 
it holds
 
only for
 
the
purpose that it was collected, as detailed below, unless an exception applies; and
(c)
 
APP 8
 
 
an
 
APP entity
 
must
 
take
 
certain steps
 
to
 
protect
 
personal information
 
before
 
it
 
is
disclosed
 
overseas,
 
the
 
intent
 
being
 
that
 
the
 
APP
 
entity
 
must
 
endeavour
 
to
 
ensure
 
that
 
the
personal information will
 
receive a
 
level of
 
protection equivalent to
 
that provided under
 
the
Australian privacy framework.
 
1.8
 
An APP entity like UBSAB
 
can only collect personal information
 
directly from individuals which is
reasonably
 
necessary for
 
one
 
or
 
more
 
of
 
the
 
APP
 
entity’s
 
functions
 
or
 
activities
14
 
 
in
 
the
 
case
 
of
UBSAB,
 
it is arguable
 
that the compliance
 
with its contractual and
 
regulatory obligations under law
is
 
part
 
of
 
UBSAB’s
 
functions
 
or
 
activities.
 
As
 
such,
 
subject
 
to
 
UBSAB’s
 
compliance
 
with
 
the
Australian
 
privacy framework
 
(including in
 
particular APP
 
6
 
and
 
APP 8,
 
as
 
set
 
out
 
in
 
more
 
detail
below),
 
there
 
does
 
not
 
appear
 
to
 
be
 
any
 
issue
 
if
 
UBSAB
 
is
 
collecting
 
personal
 
information
 
from
individuals if it is for regulatory compliance.
1.9
 
Pursuant to APP 6,
 
an APP entity like UBSAB
 
can only use or disclose
 
personal information about
 
an
individual for the purpose that it
 
was collected (this is also referred to
 
as the
primary purpose
), and
generally,
 
for no
 
other purpose,
 
unless an
 
exception applies
 
– the
 
purpose of
 
APP 6
 
is
 
intended to
ensure that APP
 
entities will only
 
use and disclose
 
an individual’s
 
personal information for
 
only the
purposes for which
 
an individual would
 
expect his or
 
her personal information
 
to be used
 
or disclosed.
In
 
UBSAB’s
 
case,
 
assuming
 
that
 
UBSAB
 
has
 
a
 
comprehensive
 
privacy
 
policy
 
that
 
sets
 
out
 
that
UBSAB’s regulatory obligations are for
 
a purpose for
 
which an individual’s personal information
 
will
be used and/or disclosed, there does not appear
 
to be any issue with UBSAB’s proposed disclosure of
information in the Covered Books and Records (including personal information)
 
to the SEC.
 
1.10
 
It should also
 
be noted that
 
even if the
 
disclosure of information in
 
the Covered Books
 
and Records
(including personal information) to the SEC is not
 
considered a primary purpose, UBSAB could still
disclose such information
 
to the SEC
 
if an individual
 
consents to such
 
a disclosure –
 
in this regard,
 
the
main elements of establishing valid consent under the Australian privacy
 
framework are that the:
 
(a)
 
individual is adequately informed before giving consent;
 
(b)
 
individual gives consent voluntarily;
 
(c)
 
consent is current and specific; and
 
(d)
 
individual has the capacity to understand and communicate his or her consent.
 
Specifically,
 
UBSAB
 
must
 
ensure
 
that
 
the
 
consent
 
given
 
is
 
specific
 
to
 
the
 
disclosure
 
of
 
personal
information to a foreign regulator for the purposes of assessing UBSAB
 
for compliance.
 
Cross-border transfer of personal information
 
1.11
 
APP 8 requires APP entities such as UBSAB to, prior to disclosure of any personal information to an
overseas recipient, take
 
“reasonable steps” to
 
ensure that the
 
overseas recipient handles the
 
personal
information in accordance with the Australian
 
privacy framework, and does not
 
breach the Australian
privacy framework.
 
It should
 
also be
 
noted that,
 
under the
 
Australian privacy
 
framework, the
 
APP
entity remains accountable for an act or practice of the overseas
 
recipient.
 
1.12
 
The requirement
 
of taking
 
“reasonable steps”
 
under APP
 
8 typically
 
entails
 
an APP
 
entity entering
into
 
an
 
enforceable
 
contractual
 
arrangement
 
with
 
the
 
overseas
 
recipient
 
that
 
requires
 
the
 
overseas
recipient to handle personal information in accordance with the Australian
 
privacy framework.
 
 
 
14
 
 
APP
 
3.1.
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
8
 
1.13
 
However, APP 8 also
 
allows for the
 
fact that it
 
may be difficult
 
for an APP
 
entity like UBSAB
 
to enter
into an enforceable contractual arrangement with an entity such as the SEC (especially given that the
SEC is a
 
public regulatory authority in
 
the US) and,
 
as such, APP
 
8 also provides
 
that if individuals
consent to an
 
APP entity like
 
UBSAB disclosing their
 
personal information to
 
an overseas recipient
like the SEC, then
 
UBSAB will be able to
 
do so without contravening APP 8,
 
noting that in order to
ensure that the consent provided by individuals under APP 8 is valid,
15
 
UBSAB will have to:
 
(a)
 
expressly and clearly inform
 
the individual, by providing either
 
an oral or written
 
statement,
that if
 
he or
 
she consents
 
to UBSAB
 
disclosing his
 
or her
 
personal information to
 
the SEC,
UBSAB will not
 
be accountable
 
under the Privacy
 
Act, and that
 
the individual will
 
not be able
to seek redress under the Australian privacy framework; and
(b)
 
ensure that any such statement:
 
(i)
 
be made
 
at the
 
time consent
 
is sought
 
(and that
 
UBSAB is
 
not relying
 
on assumed
prior knowledge of the individual); and
(ii)
 
also
 
explains
 
that
 
the
 
practical
 
effect
 
and
 
risks
 
associated
 
with
 
the
 
disclosure
 
of
information to the SEC, including (without limitation) that the:
(A)
 
SEC
 
is
 
subject
 
to
 
US
 
law
 
that
 
could
 
compel
 
the
 
disclosure
 
of
 
personal
information to a third party, such as an overseas authority;
(B)
 
SEC may
 
not be
 
subject to
 
any privacy
 
obligations or
 
to any
 
principles similar
to those set out in the Australian privacy framework; and
(C)
 
individual may not be able to seek redress in the US.
 
Consent under the Australian privacy framework
1.14
 
In
 
respect
 
of
 
the
 
consent
 
outlined
 
in
 
paragraphs
 
1.10
 
and
 
1.13
 
(and
 
under
 
the
 
Australian
 
privacy
framework generally),
 
we have
 
assumed at
 
Assumption 12
 
that at
 
the point
 
in time
 
that UBSAB
 
is
engaged by its customers who are
 
individuals, such individuals would have been required
 
to execute
comprehensive UBSAB data protection
 
and privacy documents (including
 
accepting all the
 
terms of
the UBS Australian Privacy Policy):
 
(a)
 
within
 
which
 
s
uch
 
individuals
declare
 
that
,
 
in
 
accordance
 
with
 
the
 
Australian
 
privacy
framework, they consent to UBS, amongst other things, disclosing their
 
personal information
to
 
a
 
foreign
 
regulator
 
like
 
the
 
SEC (as
 
set
 
out
 
in
 
section
 
7
 
of
 
the
 
UBS
 
Australian
 
Privacy
Policy); and
(b)
 
that
 
also
 
broadly
 
ensure
 
that
 
the
 
requirements
 
of
 
the
 
Australian
 
privacy
 
framework
 
are
satisfied
 
by UBSAB
.
 
 
15
 
 
Generally, consent must
 
be informed,
 
voluntary, current and
 
specific, and
 
given by
 
an individual
 
with the
 
capacity to
 
give co
nsent. In
 
ad
dition
to express consent as set out in the body of the Opinion, the Australian privacy framework recognises
 
implied consent. An APP entity does
not need express consent from
 
an individual to handle his
 
or her non-sensitive personal information,
 
but it must reasonably believe
 
that it
has his or
 
her implied consent. This
 
is where consent may
 
reasonably be inferred in
 
the circumstances from the
 
conduct of the individual
and the APP entity.
 
This is typically achieved by way of presenting the
 
individual with an opt-out option to the APP
 
entity’s disclosure of
his or her personal information for another purpose,
 
and allowing a period of time for the
 
exercise of that option. The design and conditions
of the option must still ensure that consent given is informed.
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
9
 
Data protection principles
1.15
 
In
 
addition
 
to
 
establishing
 
a
 
legal
 
basis
 
for
 
the
 
disclosure,
 
UBSAB
 
would
 
need
 
to
 
ensure
 
that
 
its
disclosures
 
are
 
compliant
 
with
 
the
 
other
 
requirements
 
of
 
the
 
Australian
 
privacy
 
framework
 
 
for
example, UBSAB should:
(a)
 
ensure that
 
it only discloses
 
personal information
 
that is
 
adequate, relevant
 
and limited
 
to what
is necessary in relation to the purposes of its regulatory activities;
 
(b)
 
take reasonable steps
 
to ensure
 
that the personal
 
information is accurate,
 
up-to-date, complete,
and relevant;
16
 
(c)
 
keep the personal data
 
in a form that enables
 
identification of individuals for
 
no longer than is
necessary for the purposes for which the personal data is processed;
 
and
(d)
 
take active measures to
 
ensure that the security
 
of the personal information
 
is maintained, and
as
 
such, implement
 
appropriate security
 
measures to
 
protect
 
the
 
personal information
 
from
misuse, interference, loss, unauthorised access, modification, or disclosure.
17
 
2.
 
COMMON LAW
 
DUTIES OF CONFIDENTIALITY
2.1
 
The general and banker’s
 
duties of confidentiality are distinct duties.
 
However, the case law
 
on each
duty informs
 
the approach
 
to the
 
other,
 
with the
 
banker’s duty
 
existing in
 
acknowledgement of
 
the
specific circumstances that
 
arise as between
 
a bank and
 
its customers. Given
 
the common law
 
position
on these duties is
 
largely aligned and noting
 
further that Australian courts
 
may also consider decisions
made in other common law jurisdictions (including
 
England and Wales) in arriving in their decisions,
these are dealt with together here.
2.2
 
Where the Covered
 
Books and Records
 
do not contain
 
any relevant forms
 
of information which
 
attract
a
 
duty
 
of
 
confidentiality,
 
and
 
it
 
is
 
likely
 
that
 
many
 
aspects
 
of
 
the
 
information
 
required
 
will
 
not
(e.g. transaction data such as volumes and prices), these duties of
 
confidentiality will not apply.
Scope of duties
2.3
 
The
 
general
 
duty
 
of
 
confidentiality
 
imposes
 
obligations
 
of
 
confidence
 
upon
 
the
 
recipient
 
of
information if the following conditions are satisfied:
18
 
(a)
 
the
 
information
 
in
 
question
 
must
 
be
 
identified
 
with
 
specificity
 
and
 
generally,
 
non-specific
ideas are not protected under the general duty of confidentiality;
19
 
(b)
 
the information
 
must have
 
the ‘
necessary quality
 
of confidence
’; information
 
that is
 
public
property and public knowledge
’ cannot be protected;
20
 
(c)
 
it
 
must
 
have
 
been
 
received
 
by
 
the
 
recipient
 
in
 
circumstances
 
importing
 
an
 
obligation
 
of
confidence (i.e. the recipient
 
of the information knows or
 
ought to know that
 
the restrictions
have been placed upon the use of the information);
21
 
and
 
 
16
 
 
APP 10.2.
 
17
 
 
APP 11.1.
 
18
 
Optus Networks Pty Ltd v Telstra Corporation Ltd
 
(2010) 265 ALR 281 at 290.
19
 
O’Brien v Komesaroff
(1982) 150 CLR 310.
20
 
Saltman Engineering Co Ltd v Campbell Engineering Co Ltd
(1948) RPC 230 at 215.
21
 
Smith Kline & French Laboratories (Aust) Ltd v Secretary, Dept of Community Services and Health
 
(1990) 22 FCR 73 at 87.
 
0036335-0000808 UKO1: 2005347595.6
 
 
10
 
(d)
 
there must be
 
an actual or
 
threatened misuse of
 
the information without
 
the confider’s consent
and
 
the
 
receiver
 
of
 
information
 
will
 
still
 
be
 
liable
 
even
 
if
 
the
 
unauthorised
 
use
 
was
 
unintentional.
22
 
2.4
 
As the information contained in the
 
Covered Books and Records is not publicly available, it
 
is likely
to possess
 
this necessary
 
quality of
 
confidence insofar
 
as that
 
information relates
 
to a
 
third party
 
or
UBSAB’s clients or staff and is not information owned by or
 
relating to UBSAB itself. Where,
 
and to
the
 
extent
 
that,
 
the
 
Covered
 
Books
 
and
 
Records
 
concern
 
information
 
of
 
a
 
third
 
party
 
or
 
customer
information, this would likely
 
satisfy the requirement that
 
the Recipient knew or
 
ought to have known
that the information was to be treated confidentially.
 
2.5
 
The
 
common
 
law
 
banker’s
 
duty
 
of
 
banker-customer
 
confidentiality
 
is
 
established
 
by
Tournier
 
v
National Provincial and Union Bank of England
[1924] 1 KB 461 (
Tournier
) which has been widely
referred to
 
in Australia.
 
Under the
 
bank-customer duty
 
of confidentiality, banks,
 
such as
 
UBSAB, must
keep their customers’
 
affairs private
23
 
– in this
 
respect, the general
 
duty is broader than
 
the banker’s
duty as the general duty extends to benefit others, such as UBSAB’s staff.
 
(a)
 
The scope of the duty is wide – as Atkin LJ outlined in the judgment:
It
[the duty of confidentiality]
clearly goes beyond the state
 
of the account, that is,
 
whether
there is a debit or credit balance, and the amount of the balance. It must extend
 
at least to all
the transactions that go through the
 
account, and to the securities, if any,
 
given in respect of
the account
”.
24
 
(b)
 
The temporal scope of the banker’s duty is also wide. Atkin LJ judged that the banker’s
 
duty
of confidentiality “
extend
[s]
beyond the point when
 
the account is closed,
 
or cease
[s]
 
to be an
active account
”,
25
 
and this duty
 
also extends to cover
 
disclosures from one banking entity
 
to
another within the same corporate group.
26
 
2.6
 
No distinction is drawn in
 
the case law on either of
 
the general or banker’s duties regarding
 
the nature
of the person to whom the duty is owed – i.e. a natural or a legal person – and so
 
we consider that the
duties apply equally to any person irrespective of its legal status.
 
Unauthorised disclosure
2.7
 
A successful claim for breach
 
of confidentiality must demonstrate
 
that there has been an unauthorised
use of confidential information to the Rights Holder.
27
 
2.8
 
For those Covered Books
 
and Records that contain
 
customer, which is unlikely to include
 
all Covered
Books
 
and
 
Records,
 
these
 
duties
 
of
 
confidentiality
 
will apply
 
and
 
so
 
UBSAB
 
will
 
only
 
be
 
able
 
to
disclose Covered Books and Records
 
containing confidential information in un-redacted form where
one of the exceptions below is met.
2.9
 
Tournier
established four exceptions to the banker’s duty of confidentiality,
28
 
the first three of which
apply equally to the general duty of confidentiality:
 
(a)
 
where the disclosure is made by the express or implied consent of
 
the customer;
 
29
 
 
22
 
Talbot v General Television Corpot Pty Ltd
 
[1980] VR 224 at 239.
23
 
Tournier v National Provincial and Union Bank of England
 
[1924] 1 KB 461 at 473;
Smorgon v FCT
 
(1976) 134 CLR 475 at 487;
Brighton
v Australia and New Zealand Banking Group Ltd
[2011] NSWCA 152.
24
 
Tournier v National Provincial and Union Bank of England
[1924] 1 KB 461 at 485.
25
 
Tournier v National Provincial and Union Bank of England
[1924] 1 KB 461 at 485.
26
 
Bank of Tokyo Ltd v Karoon
[1987] 1 AC 45 at 54.
27
 
 
Megarry J in
Coco v A Clark (Engineers) Ltd
[1968] F.S.R. 415 at 421;
Optus Networks Pty Ltd v Telstra Corporation Ltd
 
(2010) 265 ALR
281 at 290.
28
 
Tournier v National Provincial and Union Bank of England
[1924] 1 KB 461 at 485 at 473.
29
 
 
For the general duty of confidentiality:
t
his
 
was confirmed in
B v Brisbane North Regional Health Authority
 
(1994) 1 QAR 279 at 105.
 
0036335-0000808 UKO1: 2005347595.6
 
 
11
 
(b)
 
under compulsion of law;
(c)
 
where the disclosure is in the public interest; or
(d)
 
for the banker’s
 
duty of confidentiality
 
only,
 
where it is
 
in the interests
 
of the bank
 
to make
disclosure.
Consent
2.10
 
Disclosure of confidential information is permissible where the Rights Holder
30
 
has given its consent
to the disclosure
31
 
of its confidential information.
32
 
Compulsion of law
2.11
 
Information
 
that
 
would
 
otherwise
 
be
 
confidential
 
may
 
be
 
disclosed
 
when
 
required
 
by
 
a
 
statutory
provision
33
 
or court order.
34
 
2.12
 
To satisfy this
 
compulsion of
 
law exception
 
it is
 
likely that
 
UBSAB would
 
have to
 
rely on
 
an Australian
statute or court order
35
 
– a provision of
 
US law,
 
such as an SEC
 
Rule, is unlikely to be
 
sufficient for
this purpose.
(a)
 
While there are numerous statutory
 
provisions that require the disclosure of
 
information that
would otherwise be confidential,
36
 
none applies directly to this situation.
(b)
 
We
 
are
 
not
 
aware
 
of
 
any Australian
 
statute or
 
case
 
law which
 
would require
 
disclosure of
information to a foreign regulatory authority.
37
 
30
 
 
Where the banker’s duty of confidentiality applies this will be the
 
customer.
 
31
 
 
Due
to
 
the over
lap between bank confidentiality,
the Privacy Act,
 
and other data protection laws
 
(as discussed in paragraph
), it would
be advisable to clarify when obtaining
 
consent that another, separate, legal basis applied
 
to the processing of the personal information
 
under
data protection laws.
 
32
 
 
While
 
it is possible to rely on implied consent, there is likely to be a high bar to meet in order to d
o so. In
Turner v Royal Bank of Scotland
Plc
[1999] 2 All E.R, regarding the banker’s duty of confidentiality, it
 
was decided that established market practice of sharing of customer
information between banks (which
 
practice was generally known
 
only to the
 
banks themselves) did not
 
amount to implied consent
 
of the
customer as this practice was not known by the customer. To amount to implied consent, the practice under which disclosure is made must
be “
notorious, certain and reasonable
” (
Turner v Royal
 
Bank of Scotland Plc
[1999] 2 All E.R
 
664 at 670, Sir
 
Richard Scott VC quoting
from
Chitty on Contracts
 
(27th edn, 1994), vol I,
 
para 13-014).
 
It remains unclear how Australian
 
courts will decide on the
 
implied consent
but it is normal practice to reply on the express consent.
The practice
 
of sharing
 
information with
 
local regulators
 
in order
 
to enable
 
banking business
 
to be
 
conducted within
 
the relevant
 
local
jurisdiction is, in our experience, well established such
 
that it might be considered “
notorious, certain and reasonable
”. In this context, it is
possible that
 
much of
 
the information
 
contained in
 
the Covered
 
Books and
 
Records would
 
be information
 
of a
 
sort that
 
customers (and
particularly more sophisticated customers of the kind
 
that would normally be offered
 
services by UBSAB in respect of
 
SBSs) may expect
would be shared with the SEC.
 
In part, the ability
 
to rely on
 
implied consent will
 
depend on the
 
information provided to
 
customers when UBSAB
 
provides services in
 
SBSs.
If no information about the jurisdiction or
 
regulators involved is provided then UBSAB
 
would rely on the customer’s own understanding
 
of
regulatory obligations on banks, the US
 
nexus and the SEC’s
 
role in these services. Conversely,
 
if customers are informed that
 
UBSAB’s
activity in SBSs is conducted on a cross-border basis
 
into the US and is subject to oversight by
 
the SEC then the ability to rely on
 
implied
consent increases. Similarly,
 
if customers are informed that
 
detailed information on all
 
aspects of UBSAB’s
 
activity in SBSs is
 
subject to
examination by the SEC then the ability to rely on implied consent
 
increases further still.
33
 
 
See the
 
example given
 
by Bankes
 
LJ in
Tournier
 
v National
 
Provincial &
 
Union Bank
 
[1924] 1
 
K.B 461
 
at 473
 
of the
 
Bankers’ Books
Evidence Act 1879.
 
34
 
 
F
or the general duty of confidentiality:
eg
 
courts may order that confidential documents be provided in the
 
discovery process
, as confirmed
in
Campbell v Tameside Metropolitan Borough Council
[1982] QB 1065.
 
For the banker’s duty of confidentiality:
X AG and others v A bank
 
[1983] 2 All ER at 475.
35
 
 
We
 
think the greater weight of
 
judicial authority supports this view.
 
See for example
FDC Co Ltd v
 
Chase Manhattan Bank NA
 
[1990] 1
HKLR 277,
 
283 (Sir
 
Alan Huggins
 
VP), 292
 
(Silke JA).
 
See also
 
Sir Lawrence
 
Collins, ‘Choice
 
of Law
 
and Choice
 
of Jurisdiction
 
in
International Securities
 
Transactions’ (2001)
 
5 Singapore
 
Journal of
 
International and
 
Comparative Law
 
618. According
 
to the
 
leading
decision in
Joachimson v Swiss Bank Corporation
 
[1921] 3 KB 110, a bank account is located at the
 
place where the records of the account
are kept.
36
 
 
For
 
example
,
 
banks
 
as
 
reporting entities
 
under
 
the
Anti-Money Laundering
 
and
 
Counter-Terrorism
 
Financing Act
 
2006
 
(Cth)
 
may be
compelled to
 
disclose information
 
about their
 
customers to
 
the
 
Australian Transaction
 
Reports and
 
Analysis Centre.
 
Disclosure in
 
this
circumstance would be an authorised use and as such would
 
not constitute a breach of confidence.
37
 
 
While
various Australian statutes require disclosures
 
and specifical
ly provide for the obligation under these
 
statutes to take priority over the
duty of confidentiality, there is no basis for disclosure of confidential information to be based on
 
compulsion of foreign law. However, the
 
Australian Securities & Investments Commission (
ASIC
) works closely with a range of international organisations,
 
foreign regulators and
law enforcement agencies
 
(including the SEC). ASIC
 
makes and receives
 
international requests in
 
relation to investigations,
 
compliance and
surveillance, delegations and
 
licensing/due diligence and
 
general referrals. Many
 
international organisations and
 
foreign regulators make
requests for assistance under
 
international cooperation agreements including the
 
IOSCO Multilateral Memorandum of Understanding
 
and
other
 
bilateral Memoranda
 
of
 
Understanding;
 
where authorised,
 
ASIC uses
 
the
Mutual Assistance
 
In
 
Business Regulation
 
Act 1992
 
to
exercise compulsory powers to obtain documents, information
 
or testimony on behalf of foreign regulators.
 
0036335-0000808 UKO1: 2005347595.6
 
 
12
 
(c)
 
Equally, a US court order is
 
also unlikely to be
 
sufficient for this purpose:
 
it was held in
X AG
and others v A bank
[1983] 2 All ER at
 
475 that a subpoena requiring disclosure issued
 
by a
foreign
 
court
 
did
 
not
 
qualify
 
as
 
compulsion
 
by
 
law
 
on
 
the
 
basis
 
that
 
“[t]
he
 
fact
 
is
 
that
confidentiality
 
is
 
not
 
rendered
 
illegal
 
by
 
a
 
subpoena
 
requiring
 
disclosure,
 
which
 
is
 
to
 
be
contrasted with some form of legislation to that end
”.
38
 
Public interest
2.13
 
Determining whether the public interest exception applies
 
requires a balance to be struck between the
rights of the
 
Rights Holders and
 
the public interest
 
in the SEC
 
obtaining that information.
39
 
The test
to be
 
applied when
 
considering whether
 
confidentiality should
 
be breached
 
in favour
 
of freedom
 
of
expression is whether,
 
in all the circumstances,
 
it is in the
 
public interest that the
 
duty of confidence
should be breached.
40
 
2.14
 
Disclosure in the public interest has
 
been narrowly construed by
 
the Australian courts, and the burden
is
 
for UBSAB
 
to
 
justify
 
disclosure of
 
confidential information
41
 
(rather than
 
for e.g.
 
a customer
 
to
justify
 
continued
 
confidentiality).
 
The
 
general
 
position
 
is
 
that
 
voluntary
 
disclosure,
 
including
 
in
relation to disclosures
 
to the police
 
in respect of suspicions
 
of criminal activity, would breach
 
the duty
of confidence other
 
than as permitted
 
under statute,
42
 
indicating that there
 
is a high bar
 
to be met when
arguing that a
 
disclosure was
 
made lawfully
 
in pursuit
 
of a
 
greater public
 
interest. Bankes
 
LJ suggested
in
Tournier
that
 
national
 
security
 
concerns
 
would
 
meet
 
this
 
criterion,
43
 
while
 
Atkin
 
LJ
 
gave
 
the
example of disclosure in the interest of preventing fraud or crime.
44
 
2.15
 
There are
 
also cases
 
which draw
 
a distinction
 
between disclosing
 
information to
 
prevent “frauds
 
or
crimes” versus disclosure of past criminal
 
conduct. The courts in Australia have
 
held that the former
case does authorise the
 
disclosure of confidential information,
 
but the latter case does
 
not.
45
 
However,
there
 
is
 
some
 
precedent
 
for
 
public
 
interest
 
in
 
effective
 
regulation
 
and
 
supervision
 
of
 
banking
institutions outweighing the public interest in maintaining confidentiality.
46
 
 
2.16
 
We
 
think
 
there
 
is
 
significant
 
uncertainty
 
about
 
the
 
scope
 
of
 
the
 
public
 
interest
 
exception
 
to
confidentiality. While disclosing information to
 
prevent a crime or a fraud does seem
 
to be generally
accepted as overriding
 
the public interest
 
in confidentiality, it is unclear
 
how far the
 
exception extends
beyond this principle. Therefore
 
we think any decision
 
to disclose confidential
 
information in reliance
on
 
the
 
public
 
interest
 
exception
 
is
 
likely
 
to
 
require
 
a
 
specific
 
examination
 
of
 
the
 
facts
 
and
circumstances of each case. Given the
 
narrow and uncertain scope of this exception,
 
we do not think
this exception is
 
likely to provide
 
a consistent basis
 
on which UBSAB
 
may rely in
 
order to disclose
information to the SEC.
 
38
 
 
While
both
X AG and
 
others v A
 
Bank
[1983] All ER
 
464 and in
A v B
 
Bank
 
Unreported, 13 August 1990
 
(see Hirst J’s
 
judgment in the
subsequent case
of A and Others v B Bank v (Governor
 
and Company of the Bank of England
 
intervening)
 
[1992] 3 WLR 705). While these
are banker’s
 
duty of
 
confidentiality cases,
 
a more
 
general application
 
of the
 
principles can
 
still likely
 
be used.
 
For the
 
general duty
 
of
confidentiality: eg courts may
 
order that confidential documents
 
be provided in the
 
discovery process, as confirmed
 
in
Campbell v Tameside
Metropolitan Borough Council
[1982] QB 1065.
39
 
Spelman v Express Newspapers
[2012] EWHC 355 (QB) at [44]-[52].
40
 
Prince of Wales v Associated Newspapers Ltd (CA)
[2007] 3 WLR at 68.
 
In the context of that case, it is relevant that
 
the test is not simply
whether the information
 
is a matter
 
of public
 
interest, as, unlike
 
disclosure to the
 
SEC, that
 
case involves
 
public dissemination
 
of information.
There is
 
High Court dictum
 
supporting that a
 
public interest exception
 
would be available
 
in an
 
action for
 
breach of the
 
general duty
 
of
confidence:
Australian Broadcasting
 
Corporation v
 
Lenah Game
 
Meats Pty
 
Ltd
 
(2001) 208
 
CLR 199,
 
244 per
 
Gleeson CJ
 
citing with
approval
Hellewell v Chief Constable of
 
Derbyshire
 
[1995] 4 AII ER 473,
 
476 per law J.
 
Furthermore, information concerning matters of
‘iniquity in the sense of a crime, civil wrong or
 
serious misdeed of public importance’ will be treated in Australia as lacking
 
the necessary
quality of confidence required
 
for protection, so that
 
the need for a exception
 
of public interests will
 
not arise:
Corrs Pavey Whiting &
 
Byrne
v Collector of Customs
 
(1987) 74 ALR 428, 250 per Gunmmow J).
41
 
Price Waterhouse v BCCI Holdings (Luxembourg) SA
 
[1992] BCLC 583 at 597.
42
 
Tournier v National Provincial and Union Bank of England
[1924] 1 KB 461 at 474.
43
 
Tournier v National Provincial and Union Bank of
 
England
[1924] 1 KB 461
 
at 485 at 473 where
 
Bankes LJ quotes Lord Finlay’s judgment
in
Weld-Blundell v Stephens
[1920] A.C. 956
 
at 965 where “
danger to the state
” was given as
 
an example where an
 
exception could be made
to the duty of confidentiality.
44
 
Tournier v National Provincial and Union Bank of England
[1924] 1 KB 461 at 486.
45
 
Bodnar v Townsend
 
(2003) 12 Tas R
 
232;
Kelly v Hawkesbury
 
Two Pty Ltd (No
 
3)
 
(Unreported, Supreme
 
Court of New South
 
Wales, Young
J, 26 November 1987); see also Brown’s
Trustees v Hay
 
(1898) 35 SLR 877, 880.
46
 
Price Waterhouse v BCCI Holdings (Luxembourg) SA
 
[1992] BCLC 583 at 596 and 601.
 
0036335-0000808 UKO1: 2005347595.6
 
 
13
 
In the interests of the bank
2.17
 
In
 
limited
 
cases,
 
disclosure
 
of
 
confidential
 
information
 
that
 
is
 
subject
 
to
 
the
 
banker’s
 
duty
 
of
confidentiality may
 
be permissible
 
where it
 
is in
 
the interests
 
of the
 
bank. This
 
exception does
 
not
apply to information that
 
is subject to the
 
general duty of confidentiality.
 
However, we consider
 
that
this exception is available to information that is subject to both such duties, leaving only
 
information
that does not relate to customers (eg information relating to staff) beyond the scope of
 
this exception.
 
2.18
 
It is clearly in
 
the interests of UBSAB
 
to comply with the
 
SEC’s requests.
 
However, the majority
 
of
case law on this exception points to there being a high bar to meet.
 
2.19
 
In
X AG
 
and others
 
v A
 
Bank
[1983] All
 
ER 464
 
it was
 
held that
 
a bank
 
could not
 
comply with
 
a
subpoena
 
from
 
a
 
New
 
York
 
court
 
without
 
breaching
 
its
 
duty
 
of
 
confidentiality.
 
However,
 
in
considering arguments based on the banker’s own
 
interest, Leggatt J judged that it was not clearly in
the bank’s
 
own interests
 
to comply
 
with the
 
subpoena, as
 
the bank
 
would not,
 
as a
 
matter of
 
fact in
that particular case, face any serious detriment for its failure to
 
comply.
47
 
In contrast, Bankes LJ gave
the example
 
in
Tournier
of a
 
bank commencing
 
an action
 
against a
 
customer where
 
the customer’s
overdraft is in arrears, acknowledging that, in
 
that situation, the banker would be able
 
to disclose the
amount of the
 
overdraft in its
 
claim. These cases suggest
 
that the bank’s
 
own interest exception will
be construed
 
narrowly and
 
the court
 
will take
 
a view
 
on whether
 
the bank’s own
 
interests are
 
genuinely
threatened by
 
non-disclosure. In
 
the context
 
of requests
 
by the
 
SEC, it
 
is assumed
 
that failure
 
to comply
could result in
 
enforcement action and potentially even
 
the cessation of
 
UBSAB’s ability
 
to conduct
SBS business in US markets. Accordingly, it is expected that UBSAB may face serious detriment for
a failure to comply with the SEC’s demands, and so this exception may be available to UBSAB.
2.20
 
However, to
 
rely on this
 
exception, UBSAB must
 
balance its interests
 
in complying with
 
the SEC’s
disclosure request against
 
the competing interest
 
of its customers
 
in the banker’s
 
duty of confidence
being maintained,
 
and UBSAB
 
must satisfy
 
itself that
 
those interests
 
do not
 
outweigh its
 
own. This
would need
 
to be
 
assessed on
 
a case-by-case
 
basis and
 
we think
 
the only
 
clear situation
 
in which
 
a
bank may
 
disclose customer information
 
based on
 
its own
 
interests is
 
to take
 
enforcement action or
participate in
 
litigation where
 
this information is
 
required. Given
 
the narrow
 
and uncertain
 
scope of
this exception, we do not think this
 
exception is likely to provide a consistent
 
basis on which UBSAB
may rely in order to disclose information to the SEC.
Employment law and confidentiality in Australia
2.21
 
In Australia, there is no legal duty of
 
mutual confidence implied into contracts of
 
employment. While
UK
 
cases
 
such
 
as
Malik
 
v
 
Bank
 
of
 
Credit
 
and
 
Commercial
 
International
 
SA
 
(In
 
Compulsory
Liquidation)
 
held there
 
is such
 
a duty
 
(albeit limited
 
to conduct
 
that is
 
calculated to
 
destroy or
 
seriously
damage the
 
relationship of trust
 
and confidence), in
 
2014 the
 
High Court of
 
Australia reviewed that
decision (among others) and determined
 
that no such duty
 
is exists in
 
Australia. See
Commonwealth
Bank of Australia v Barker
 
[2014] HCA 32.
2.22
 
Employers are, however,
 
required to deal
 
with the personal
 
information of employees in
 
accordance
with the
 
Privacy Act
 
– legislation
 
will not
 
apply if
 
the information
 
is of
 
a certain
 
type and
 
is being
used for
 
a purpose
 
directly related
 
to the
 
employment relationship.
 
This is
 
known as
 
the ‘employee
records exemption’.
 
This exemption
 
is
 
unlikely to
 
apply to
 
employees’ personal
 
information being
provided to a foreign government regulator.
 
Accordingly, it is
 
likely that employees’ consent will be
required. Employers
 
which employ
 
staff in
 
Australia which
 
are also
 
operating in
 
the US
 
will often
obtain that consent by way of an express clause in each employee’s employment contract.
 
47
 
X AG and others v A bank
 
[1983] 2 All ER at 475.
 
0036335-0000808 UKO1: 2005347595.6
 
14
3.
 
PRIVACY
 
AND HUMAN RIGHTS
Right to privacy
3.1
 
Australia does
 
not have
 
a statutory or
 
constitutional framework of
 
human rights, and
 
most civil
 
and
political rights
 
of individuals
 
under Australian
 
law are
 
found within
 
the common
 
law as
 
well as
 
specific
pieces of legislation.
 
The right to privacy in Australia is set out in the Australian privacy
 
framework.
International law
 
3.2
 
Australia is
 
a signatory
 
to, has
 
ratified, and supports
 
a number of
 
international treaties that
 
enshrine
human rights and civil and political
 
rights, including the International Covenant
 
on Civil and Political
Rights
 
(
ICCPR
)
and
 
the
 
Univ
ersal
 
Declaration
 
of
 
Human
 
Rights
 
(
UDHR
),
 
and
 
while
 
these
international treaties
 
do recognise
 
that individuals
 
have a
 
right against
 
unlawful interference
 
with one’s
privacy, it should be noted that:
(a)
 
the UDHR
 
is not
 
a binding
 
international treaty, and
 
does not
 
have the
 
force of
 
law in
 
Australia;
and
(b)
 
Australia never
 
formally ratified
 
and adopted
 
the provisions
 
of the
 
ICCPR into
 
the body
 
of
Australian law.
 
3.3
 
In
 
order
 
for
 
the
 
obligations set
 
out
 
in
 
any
 
international
 
treaty
 
to
 
apply
 
in
 
Australia, the
 
Australian
Parliament has to pass legislation that adopts such obligations and give such international obligations
the force of law in Australia, and Australia has not passed any legislation that seeks to give the rights
outlined in international treaties such as the UDHR and the ICCPR
 
the force of law in Australia.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
15
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1.
 
We are instructed that UBS
 
AG, including UBSAB,
 
has a “prudential
 
regulator” as defined
 
by Section
3 of
 
the US Securities
 
Exchange Act of
 
1934 (the
Securities Exchange Act
). As such,
 
the Covered
Books and Records considered
 
in this opinion are
 
limited to what a
 
prudentially regulated SBSD
 
must
be able to share with the SEC.
2.
 
Additionally,
 
we
 
are
 
instructed
 
that
 
in
 
accordance
 
with
 
SEC
 
Guidance
 
at
 
85
 
FR
 
6297,
 
books
 
and
records
 
pertaining
 
to
 
SBS
 
transactions
 
entered
 
into
 
prior
 
to
the
 
date
 
that
UBSAB
 
submits
 
an
application for registration are not Covered Books and Records.
 
3.
 
UBSAB
 
has
 
obtained
 
any
 
necessary
 
prior
 
consent
 
of
 
the
 
persons
 
(e.g.
 
counterparties,
 
employees)
whose information is or will be included
 
in Covered Books and Records in order to
 
provide the SEC
with
 
access
 
to
 
its
 
Covered
 
Books
 
and
 
Records
 
or
 
to
 
allow
 
On-Site
 
Inspections,
 
to
 
the
 
extent,
 
as
considered in this opinion,
 
such consent would constitute
 
valid consent and such
 
consent has not been
withdrawn. Insofar as
 
Covered Books and
 
Records relate to
 
employees of UBSAB,
 
such employees
are “associated
 
persons” of
 
UBS for
 
purposes of
 
17 CFR
 
§ 240.18a-5(b)(8)
 
who have
 
agreed to
 
sharing
of their personal/employment
 
information with the SEC
 
in the event of a
 
request for information from
the SEC.
4.
 
The SEC will restrict
 
its information requests
 
for, and use of, any information
 
pursuant to its access
 
to
Covered Books
 
and Records and
 
On-Site Inspections to
 
only the
 
information that
 
it requires
 
for the
legitimate and specific purpose of fulfilling
 
its regulatory mandate and responsibilities by
 
evaluating
compliance with
 
legal obligations
 
designed to
 
ensure the proper
 
legal administration
 
of SEC-regulated
firms (which includes regulating,
 
administering, supervising, enforcing
 
and securing compliance with
the
 
securities or
 
derivatives laws
 
in its
 
jurisdiction) and
 
to
 
prevent and/or
 
enforce against
 
potential
illegal behaviour.
 
5.
 
Similarly, UBSAB will ensure that its disclosures are compliant with the data protection
 
principles as
set out
 
in the
 
Australian privacy
 
framework.
48
 
We
 
understand that
 
UBSAB’s
 
general experience
 
in
responding
 
to
 
information
 
requests
 
from
 
the
 
SEC
 
(or
 
other
 
US
 
and
 
non-US
 
regulators)
 
leads
 
it
 
to
maintain a belief, which it
 
considers to be reasonable,
 
that UBSAB can and (subject
 
to any changes in
applicable law and
 
regulation and/or the
 
approach of relevant
 
regulators) will continue
 
to be
 
able to
comply with these data
 
protection principles in the
 
course of making disclosures
 
of the sort
 
required
when providing access to Covered Books and Records and submitting
 
to On-Site Inspection.
49
 
6.
 
It is the SEC’s
 
practice to limit the type and amount of
 
personal data it requests during examinations
to
 
targeted
 
requests based
 
on risk
 
and related
 
to
 
specific clients
 
and accounts,
 
and employees.
 
The
requested information may include some sensitive information under
 
the Privacy Act (as described in
paragraph
 
1.3
 
of
 
Annex
 
1
 
to
 
this
 
opinion).
 
We
 
understand
 
that
 
this
 
aligns
 
with
 
UBSAB’s
 
general
experience in responding to information requests from the SEC, leading it to maintain
 
a belief, which
it considers to be
 
reasonable, that this
 
assumption is, and
 
will remain, accurate
 
(subject to any changes
in applicable law and regulation and/or the approach of relevant regulators).
50
 
 
 
48
 
 
These principles are set out in
 
at section
 
49
 
 
See the SEC Guidance at 85 FR 6298.
 
50
 
 
See the SEC Guidance at 85 FR 6298.
 
 
0036335-0000808 UKO1: 2005347595.6
 
 
16
 
7.
 
Information, data and documents received
 
by the SEC are
 
maintained in a secure manner
 
and, under
strict
 
US
 
laws
 
of
 
confidentiality,
 
information
 
about
 
individuals
 
cannot
 
be
 
onward-shared
 
save
 
for
certain
 
uses
 
publicly disclosed
 
by
 
the
 
SEC, including
 
in
 
an
 
enforcement proceeding,
 
pursuant to
 
a
valid and non-exempt US Freedom of
 
Information Act (
FOIA
) request,
51
 
pursuant to a lawful request
of the
 
US Congress
 
or a
 
properly issued
 
subpoena, or
 
to other
 
regulators who
 
have demonstrated
 
a
need for the information and provide assurances of confidentiality.
8.
 
UBSAB is an APP entity as defined under the Privacy Act.
9.
 
UBSAB has a
 
comprehensive privacy policy
 
that sets out
 
that UBSAB’s regulatory obligations
 
are for
a purpose for which an individual’s personal information will be used and/or disclosed.
10.
 
At
 
each
 
point
 
in
 
time
 
that
 
UBSAB
 
is
 
engaged
 
(i.e. at
 
on-boarding)
 
by
 
its
 
customers
 
who
 
are
individuals,
 
such
 
individuals
 
would
 
have
 
been
 
required
 
to
 
execute
 
comprehensive
 
UBSAB
 
data
protection and
 
privacy documents
 
(including accepting
 
all the
 
terms of
 
the UBS
 
Australian Privacy
Policy):
 
(a)
 
within
 
which
 
such
 
individuals
 
declare
 
that,
 
in
 
accordance
 
with
 
the
 
Australian
 
privacy
framework, they consent to UBS, amongst other things, disclosing
 
their personal information
to
 
a
 
foreign
 
regulator
 
like
 
the
 
SEC (as
 
set
 
out
 
in
 
section
 
7
 
of
 
the
 
UBS
 
Australian
 
Privacy
Policy); and
(b)
 
that also
 
ensure that
 
the requirements
 
of
 
the Australian
 
privacy framework
 
are satisfied
 
by
UBSAB.
51
 
 
We
 
do not
 
give any
 
views in
 
the opinion
 
to matters
 
of US
 
law,
 
though we
 
understand that
 
information can
 
be made
 
public pursua
nt to
requests under
 
the US
 
FOIA, and
 
that certain
 
information is
 
exempt from
 
such requests,
 
including (among
 
others): (a)
 
a trade
 
secret or
privileged or confidential commercial or financial information
 
obtained from a person; (b)
 
a personnel, medical, or similar
 
file the release
of which would constitute a clearly unwarranted invasion of personal privacy; (c) information compiled for law enforcement purposes, the
release of which:
 
(i) could reasonably be expected to interfere with
 
law enforcement proceedings; (ii) would deprive a person
 
of a right to a
fair trial or an
 
impartial adjudication; (iii)
 
could reasonably be
 
expected to constitute an
 
unwarranted invasion of
 
personal privacy; (iv) could
reasonably
 
be
 
expected
 
to
 
disclose
 
the
 
identity
 
of
 
a
 
confidential
 
source;
 
(v)
 
would
 
disclose
 
techniques,
 
procedures,
 
or
 
guidelines
 
for
investigations or prosecutions; or (vi)
 
could reasonably be expected to endanger an individual’s life or physical safety; and (d) contained in
or related to examination, operating, or condition reports about
 
financial institutions that the SEC regulates or supervises.
 
0036335-0000808 UKO1: 2005347595.6