The exchange of personal data with service providers, business partners or affiliates in a country outside the European Economic Area (EEA) is now part of everyday practice in many companies. On July 16th, 2020, the European Court of Justice declared the EU-US Privacy Shield (which previously served as the basis for data transfers to the US) invalid with immediate effect (ECJ C-311/18 – “Schrems II”). Since then, the focus has once again been on the so-called EU standard contractual clauses (Art. 46(2)(c) GDPR) (“SCC”) as an instrument for international data transfers.
Against the background of the “Schrems II” procedure and increasingly complex international processing chains, the EU Commission published new SCC on 04 June 2021. They will come into force on 27 June 2021. With a transition period of three months, the previous SCC can continue to be agreed. By 27 December 2022, all old SCC must be replaced, otherwise the basis for the international data transfer will cease to apply.
The clauses provide for a modular approach. They allow different constellations with multiple contracting parties to be mapped and always apply when personal data is transferred to a recipient in a third country (data importer) to which the GDPR does not apply directly. This also includes transfers by companies in a third country to which the GDPR applies due to their activities. The various modules of the clauses provide for the following constellations of data transfer:
- Controller to which the GDPR applies (data exporter) – other controller in the third country (data importer).
- Controller to which the GDPR applies (data exporter) – processor in the third country (data importer).
- Processor in the EU (data exporter) – sub-processor in the third country (data importer).
- Processor in the EU (data exporter) – principal (controller) in the third country (data importer).
In addition, the SCC allow additional parties to join the agreement as a data exporter or data importer with effect for the future.
Depending on its role, the SCC contractually subject the data importer to the essential principles and obligations of the GDPR. These include, in particular:
- Binding to the principles of accuracy and data minimization and storage limitation,
- Ensuring the security of data processing,
- Compliance with information and notification obligations as well as data subject rights.
The accountability obligations of the parties also explicitly refer to compliance with the agreed SCC.
Finally, the standard contractual clauses for the first time contain provisions with which the requirements for processing on behalf of a controller pursuant to Art. 28 paras. 3 and 4 GDPR can be effectively agreed. This is not only relevant for such processing in an international context.
The EU Commission is also responding to risks to the protection of personal data resulting from regulations and authority practices in the recipient country. The extensive access to data by U.S. security authorities had prompted the ECJ in the Schrems II proceedings to deny the U.S. an “essentially equivalent level of protection” in data protection. Under the new SCC, the parties must therefore assure each other prior to data transfer that they have no reason to believe that such circumstances will prevent the data importer from fulfilling its obligations. With regard to access by authorities to data at the data importer, the data importer is subject to comprehensive notification and action obligations (in particular to defend against the measures).
This means that it is still not possible to transfer data to a third country if the data there is not safe from extensive access by the authorities. The new SCCs are also unable to solve this dilemma.
- This document
This document provides information to help Octopus’s customers conduct Data Transfer Impact Assessments in connection with their use of Octopus’s products, in light of the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations from the European Data Protection Board.
This document describes the legal regimes applicable to Octopus in the US, the safeguards Octopus puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”), and Octopus’s ability to comply with its obligations as “data importer” and “data exporter” under the Standard Contractual Clauses (“SCCs”).
- GDPR compliance to International Data Transfers
As a company with a global customer base, Octopus must be able to transfer and access data around the world. We understand and respect the rules for onward transfers of personal data outside of the European Economic Area (EEA) and offer customers a robust international data transfer framework as part of our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to Octopus Cloud-based products outside of the EEA, even after the “Schrems II” ruling, by relying on the Standard Contractual Clauses. In addition to the addendum, Octopus is committed to protecting customer data privacy, rights and freedoms by only responding to government agency requests after a comprehensive legal review.
- Know your transfer
- Data Processing Addendum:
Where Octopus processes personal data governed by European data protection laws as a data processor (according to Octopus’s EULA), Octopus complies with its obligations under its Data Processing Addendum (“DPA”). Octopus’s DPA incorporates the SCCs.
Please refer to our privacy statement for information on the nature of Octopus’s processing activities in connection with the provision of the services, the types of customer personal data we may process and transfer, and the categories of data subjects.
We may transfer customer personal data wherever we or our third-party service providers operate for the purpose of providing you the Services. The locations are outlined in the chart below.
| Product(s) and Services | In what countries does Octopus store Customer Personal Data? | In what countries does Octopus process (e.g., access, transfer, or otherwise handle) Customer Personal Data? |
|---|---|---|
| The Octopus platform (All modules) | Illinois (North Central US); Netherlands (West Europe) | Illinois (North Central US); Netherlands (West Europe) |
| Integration modules | Illinois (North Central US) | Illinois (North Central US) |
- Identify the transfer tool relied upon:
Where personal data originating from Europe is transferred to Octopus, Octopus relies upon the European Commission’s SCCs to provide an appropriate safeguard for the transfer; Octopus’s DPA incorporates the SCCs.
Where customer personal data originating from Europe is transferred from Octopus to third-party sub-processors, Octopus enters into SCCs with those parties.
- Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer.
The following US laws were identified by the Court of Justice of the European Union in “Schrems II” as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA 702
- Executive Order 12333
Further information about these US surveillance laws can be found in the whitepaper “U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after ‘Schrems II’” from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the “Schrems II” ruling.
U.S. Surveillance Laws
- FISA 702
FISA Section 702 (“FISA 702”) allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Regarding FISA 702 the whitepaper notes:
- For most companies, the concerns about national security access to company data highlighted by “Schrems II” are:
- “Unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
- “Companies transferring data from the EU that have received orders authorized by FISA 702 requiring the disclosure of data to U.S. intelligence agencies for foreign intelligence purposes may consider the applicability of the ‘public interest’ derogation in Article 49 of the GDPR as a basis for those transfers. In ‘Schrems II’, the ECJ made clear that notwithstanding the invalidation of Decision 2016/1250, Article 49 derogations continue to be available for transferring personal data to the United States.”
- The European Data Protection Board (“EDPB”) has recognized in this context that sharing data “in the spirit of reciprocity for international cooperation” qualifies as an “important public interest” under Article 3. The U.S. government frequently shares intelligence information with EU Member States, including data disclosed by companies in response to FISA 702 orders, based on longstanding cooperative arrangements between the intelligence agencies of the United States and Member States.
- Executive Order 12333
Executive Order 12333 (“EO 12333”) authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
- Regarding Executive Order 12333 the whitepaper notes:
- EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data.
- Bulk data collection, the type of data collection at issue in “Schrems II”, is expressly prohibited under EO 12333.
- And what about the CLOUD Act?
For more information on the CLOUD Act, review “What is the CLOUD Act?” by BSA | The Software Alliance, which outlines the scope of the CLOUD Act.
The whitepaper indicates:
- The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
- Is Octopus subject to FISA 702 or EO 12333?
Octopus, like most SaaS companies that keep their customers’ data in US-based cloud services, may technically be subject to FISA 702.
The Octopus platform consists of many services (modules); for most of them, the personal data Octopus processes is not likely to be of interest to US intelligence agencies. However, the C&C module is likely to be of interest to US intelligence agencies.
EO 12333 contains no authorization to compel private companies (such as Octopus) to disclose personal data to US authorities and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition.
Considering the above, in the event that US intelligence agencies were interested in the type of data that Octopus processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance. In the event of a US intelligence agency request made in the spirit of reciprocity for international cooperation or for the prevention of international crime, the transfer is covered by Article 49.3 (“important public interest” derogation) of the GDPR.
- What about Israel?
On December 1, 2009, the European Commission’s Working Party on the Protection of Individuals with regard to the Processing of Personal Data concluded in its Opinion 6/2009 that Israel guarantees an adequate level of protection according to paragraph 6 of Article 25 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in relation to automated international data transfers or, where they are not automated, transfers that are subject to further automated processing in Israeli territory.
On January 31, 2011, based on the adoption of Opinion 6/2009 of December 1, 2009, the European Commission decided in Decision 2011/61/EU that the State of Israel is considered as providing an adequate level of protection for personal data transferred from the European Union in relation to automated international transfers of personal data from the European Union or, where they are not automated, transfers that are subject to further automated processing in the State of Israel.
- What is Octopus’s practical experience dealing with government access requests?
To date, Octopus has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333 or the CLOUD Act), nor any request from Israeli agencies or any other international security agency, in connection with customer personal data.
Therefore, while Octopus may technically be subject to the surveillance laws identified in “Schrems II”, we have not been subject to these types of requests in our day-to-day business operations.
- Identify the technical, contractual and organizational measures applied to protect the transferred data.
- Encryption: Octopus offers data encryption at rest and in transit.
- Security and certifications: Octopus complies with eight (8) quality standards, four of which concern information security. Additional information about Octopus’s security practices and certifications is available at: https://octopus-app.com/security-policy/
Octopus’s contractual measures are set out in our DPA, which incorporates the SCCs. In particular, we are subject to the following requirements:
- Technical measures: Octopus is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Addendum as well as the SCCs we enter into with customers and service providers).
- Transparency: Octopus is obligated under the SCCs to notify its customers in the event it is made subject to a request for government access to customer personal data from a government authority. In the event that Octopus is legally prohibited from making such a disclosure, Octopus is contractually obligated to challenge such prohibition and seek a waiver.
- Actions to challenge access: Under the SCCs, Octopus is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
Octopus’s organizational measures to secure customer data include:
- Policy for government access: Octopus follows its information technology procedures in responding to any government requests for data. To obtain data from Octopus, government agencies must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or warrant.
- Onward transfers: Whenever we share your data with Octopus service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance teams to ensure our customers’ personal data receives adequate protection. This process includes a review of the data Octopus plans to share with the service provider and the associated level of risk, the supplier’s security policies, measures and third-party audits, and whether the supplier has a mature privacy program that respects the rights of data subjects.
- Security & Privacy by design: Octopus’s approach to security and privacy follows the most stringent accepted standards.
- Employee training: Octopus provides data protection training to all its employees on a regular basis.
- Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this document, Octopus considers that the risks involved in transferring and processing European personal data in/to the US do not impinge on our ability to comply with our obligations under the SCCs (as “data importer” and “data exporter”) or to ensure that individuals’ rights and freedoms remain protected. Therefore, in our opinion, no additional supplementary measures are necessary at this time.
- Re-evaluate at appropriate intervals
Octopus will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
- Legal Notice: Customers are responsible for making their own independent Data Transfer Impact Assessment. This document:
- Is for informational purposes only,
- Represents current Octopus product offerings and practices, which are subject to change without notice,
- Does not create any commitments or assurances from Octopus, its suppliers or licensors. The responsibilities and liabilities of Octopus to its customers are controlled by Octopus agreements, and this document is not part of, nor does it modify, any agreement between Octopus and its customers.