Alert Logic: Frequently Asked Questions on International Transfers of Personal Data
1. Background
International transfers of personal data made from the European Economic Area (“EEA”) are regulated under the General Data Protection Regulation (“GDPR”).
Following the United Kingdom’s (“UK”) exit from the European Union (“EU”), international transfers of personal data made from the UK are regulated by the UK’s own version of the GDPR (“UK GDPR”).
Both the GDPR and the UK GDPR require a specific mechanism to be put in place by the exporting organisation to ensure an equivalent level of protection for the personal data being transferred (from the EEA or from the UK, respectively).
Following recent decisions by the European Commission (“Commission”), the specific mechanisms under the GDPR and the UK GDPR, whilst similar in nature, are no longer the same.
2. Why is this relevant to Alert Logic?
Alert Logic (“we”, “us”, “our”) is a company based in the United States (“US”). Where our EEA and UK customers use Alert Logic services, this involves an international transfer of personal data from our customers (either from the EEA or from the UK) to Alert Logic in the US.
Under both the GDPR and the UK GDPR regimes, the US is a jurisdiction which is currently not deemed to provide an essentially equivalent level of protection to that guaranteed under EEA or UK law, and it is therefore considered a third country.
3. What mechanisms can be used to make an international transfer?
The “standard contractual clauses” for international transfers of personal data outside the EEA, approved by the Commission under the previous EU data protection directive (Directive 95/46/EC) (“Old International Transfer SCCs”), have, over the years, been the most commonly used mechanism to transfer personal data outside the EEA, especially in recent months following the European Court of Justice (“CJEU”) decision in Schrems II (which invalidated another such mechanism, the EU-US Privacy Shield).
On 4 June 2021, the Commission published a new set of “standard contractual clauses” for international transfers of personal data outside the EEA (see here) (“New International Transfer SCCs”). The Old International Transfer SCCs needed updating to reflect the new data protection regime in the EEA (i.e. the GDPR). For example, the Old International Transfer SCCs refer to the previous EU data protection directive (Directive 95/46/EC). The New International Transfer SCCs also provide extra contractual commitments in relation to the personal data subject to the transfer, following the CJEU decision in Schrems II, discussed further below. The New International Transfer SCCs will eventually replace the Old International Transfer SCCs as a mechanism to make an international transfer outside the EEA.
4. What did the CJEU rule in the Schrems II judgment?
In July 2020, the CJEU considered whether privacy protections in US law, concerning the ability of US intelligence agencies to access personal data, were compatible with EEA legal standards.
The CJEU determined that the EU-US Privacy Shield, as an international transfer mechanism, did not meet EEA legal standards and was declared invalid. This means that organisations can no longer rely upon the EU-US Privacy Shield to transfer personal data to the US, from the EEA.
The CJEU also determined that the Old International Transfer SCCs remain a valid mechanism for transferring personal data from the EEA, but additional safeguards may need to be put in place (whether technical, contractual or organisational) to ensure a level of protection for the personal data subject to the transfer, that is essentially equivalent to that guaranteed within the EEA.
To identify whether additional safeguards are required, a risk assessment specific to the transfer needs to be conducted by the exporting organisation. The European Data Protection Board (“EDPB”) (an EU body in charge of the application of the GDPR) recently released recommendations which exporting organisations are expected to consider when conducting this risk assessment (see here).
5. What are the US laws that are causing concern?
The CJEU flagged the following US laws as causing particular concern:
- Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”); and
- Executive Order 12333 (“EO 12333”).
FISA 702 applies to remote computing service providers and electronic communication service providers. Under FISA 702, such organisations may receive requests from the US government that compel them to assist the US government with surveillance activities. However, EO 12333 does not rely on the compelled assistance of such organisations. Instead, EO 12333 involves the collection of foreign “signals intelligence” information by identifying vulnerabilities in telecommunications infrastructure used to transmit communications.
6. How do those US laws apply to Alert Logic?
As a US company, Alert Logic is required to comply with applicable laws in the US. Alert Logic may be deemed to be a remote computing service provider or an electronic communication service provider within the meaning of FISA 702.
To address the CJEU’s concerns and to help our EEA and UK customers conduct a risk assessment to verify the adequacy of protection for their personal data in the US, Alert Logic has enhanced its data processing agreement to provide additional global safeguards to the guarantees already contained in the Old International Transfer SCCs. In particular, if Alert Logic receives a request from a public authority to disclose personal data, we commit to notify our customers unless we are prohibited from doing so under applicable law. In any event, Alert Logic commits to ensuring that any such request is lawfully made, and to minimise the information disclosed in response to a disclosure request to that which is necessary for us to meet our obligations under applicable law.
In addition to complying with our US legal obligations, we have also implemented technical and organisational measures to mitigate the risk of US intelligence agencies accessing the personal data that our customers share with Alert Logic. These measures can be located, in detail, in our data processing agreement with our customers.
7. Can Alert Logic still use the Old International Transfer SCCs?
The Old International Transfer SCCs can no longer be implemented into new contracts. If the Old International Transfer SCCs were put in place before 27 September 2021, they will remain valid until 27 December 2022 (at which point the New International Transfer SCCs must be used).
8. Is Alert Logic planning to implement the New International Transfer SCCs?
The New International Transfer SCCs are currently utilised by Alert Logic. We have updated our agreements to implement the New International Transfer SCCs for our customers transferring personal data to Alert Logic from the EEA.
9. Can the New International Transfer SCCs be used to transfer personal data from the UK, as well as the EEA?
No. As the UK is no longer part of the EU, the New International Transfer SCCs cannot be used to transfer personal data from the UK to Alert Logic in the US.
The Information Commissioner’s Office (“ICO”) (the UK data protection regulator) has announced that the UK is in the process of developing its own set of New International Transfer SCCs, which will apply specifically to transfers of personal data from the UK.
We understand that the ICO intends to release a draft of the UK version of the New International Transfer SCCs in July 2021, and that it will go out to consultation before it is finalised.
As such, we do not have a confirmed date for when the finalised UK version of the New International Transfer SCCs will be available.
10. What should Alert Logic’s UK customers do in the meantime?
Until a UK version of the New International Transfer SCCs is approved for use, customers transferring personal data to Alert Logic from the UK must continue to use the Old International Transfer SCCs.
The ICO has created a UK version of the Old International Transfer SCCs, with suggested changes which make sense in a UK context (e.g. changing references from “Directive 95/46/EC” to the “UK GDPR”). We have incorporated the controller to processor version of the Old International Transfer SCCs, with the ICO’s suggested UK changes, into the Alert Logic template data processing agreement.
11. Do UK customers still need to carry out a risk assessment when using the Old International Transfer SCCs?
Yes. Although Schrems II is a decision of the CJEU, it will continue to apply to international transfers made from the UK using the Old International Transfer SCCs.
The ICO has said that, although the EDPB recommendations apply to the GDPR transfer regime, they provide a “useful reference” for the risk assessment and additional measures. We understand that the ICO will be producing its own guidance on this topic in due course.
12. Questions?
This is an ongoing and complex legal issue. Alert Logic will continue to monitor EEA, UK and US guidance on international data transfers and will continue to adapt our business practices if necessary and appropriate.
If you have any other questions that we have not addressed in these FAQs, please do not hesitate to contact [email protected].