The purpose of this article is to provide Voyado customers information to help them conduct data transfer impact assessments related to the use of Engage and Elevate products in the context of the “Schrems II” ruling of the Court of Justice for the European Union and other recommendations from the European Data Protection Board.
This article also provides a perspective with the context of transfers or potential transfers of personal data due to the use of US based public cloud services. It factors in the ruling that Privacy Shield is no longer a satisfactory way to satisfy that a third country has equivalent privacy guarantees as in the EU/EEA.
For more information about Voyado’s data processing agreement, see this Voyado DPA Engage and Voyado DPA Elevate.
Step 1: Know your transfers
The data is stored in the EU/EEA in Microsoft Azure and AWS public cloud service providers; however, it can be remotely accessed, resulting in a potential transfer to the United States.
|Product(s) and Services||In what countries does Voyado store Customer Personal Data?||In what countries does Voyado process (e.g., access, transfer, or otherwise handle) Customer Personal Data?|
|Elevate||Sweden, Germany, Ireland, Japan||Sweden, Germany, Ireland, Japan|
|Microsoft Azure||United States||United States|
|Amazon Web Services||United States||United States|
For a more detailed list of sub-processors, see Voyado Engage Sub-processors and Voyado DPA Elevate.
Step 2: Identify the transfer tools you are relying on
Where personal data originating from Europe is transferred to Voyado, Voyado relies on the European Commission’s SCCs to provide the appropriate safeguard for the transfer. To review Voyado’s Customer DPA please visit Voyado Engage Sub-processors and Voyado DPA Elevate.
Step 3: Assess whether Article 46 GDPR transfer tool you are relying on is effective considering all circumstance of the transfer
The data stored in the EU/EEA can be remotely accessed by United states authorities by accessing the public cloud infrastructure providers thus the following U.S. Surveillance Laws comes to bear:
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Additional information can be found in U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II.
The FISA 702 white paper from September 2020 notes that:
- “As a practical matter, for many companies the issues of national security data access that appear to have concerned the ECJ in Schrems II are unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.”
- “In Schrems II, the ECJ voiced a second concern with FISA 702, namely, whether U.S. law provides individual redress for violations of the FISA 702 program. A review of applicable U.S. law demonstrates that several U.S. statutes authorize individuals of any nationality (including EU citizens) to seek redress in U.S. courts through civil lawsuits for violations of FISA, including violations of Section 702. This information was not addressed by the ECJ in Schrems II.”
Regarding Executive Order 12333, the white paper also notes that:
- “Unlike FISA 702, however, EO 12333 does not authorize the U.S. government to require any company or person to disclose data. Any requirement that a company in the United States disclose data to the government for intelligence purposes must be authorized by statute and must be targeted at specific persons or identifiers, such as through FISA 702 orders as discussed above;”
- “bulk collection is expressly prohibited.”
BSA Software Alliance’s white paper on: What is the CLOUD Act? notes that:
- The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
- The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Is Voyado subject to FISA 702 or EO 12333?
Voyado like most SaaS companies using US-based companies for public cloud infrastructure hosting could be subject to FIS 702. However, Voyado does not process personal data that is likely to be of interest to the US intelligence agencies.
Voyado is unlikely to be subject to upstream surveillance orders under FISA 702 as addressed in the Schrems II ruling. Voyado is not a provider of internet backbone services. Thus far, the US Government has applied only FISA 702 upstream surveillance orders to ISPs such as telecommunication carriers.
EO 12333 does not require that private companies disclose data to US authorities and FISA 702 requires an independent court to authorize such surveillance or data disclosure. In the case of such request, the requirement of the independent court authorization would protect the data from excessive surveillance based on necessity and proportionality requirements.
What is Voyado’s practical experience dealing with government access requests?
Voyado publishes an annual Transparency Report with information about government request to access data. To date, Voyado has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with a customer for neither Engage nor Elevate’s customer data.
Voyado may be technically subject to the surveillance laws identified in Schrems II but we have not been subject to any of these requests in our day-to-day operations.
For more information about transparency reports see AWS Transparency Reports and Microsoft Transparency Reports.
Some suppliers have some coverage due to damage caused by FISA 702 request. See white paper.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
- Security certifications: ISO 27001, ISO 27018 are on the roadmap.
- Our SCCs contractually obligates us to have technical measures in place to safeguards to protect personal data.
- Our SCCs contractually obligates us to notify the customer in the event we are subject to a government request for access to personal data.
- Our SCCs obligates us to review and challenge the legitimacy of the government access request and legally challenge such requests when deemed unlawful.
COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021
- Organizational measures:
Voyado provides data protection training to all employees.
- Voyado has guidelines regarding law enforcement requests. To access data from Voyado, law enforcement officials must follow a legal process according to the type of information they are seeking access, in the form of a subpoena, court order or warrant.
- Voyado follows a privacy by design in by following privacy principles such as:
- Proactive not Reactive; Preventive not Remedial
- Privacy as the Default Setting
- Full Functionality- Positive-Sum, not Zero-Sum
- End-to-End Security- Lifecycle Protection
- Visibility and Transparency – Keep it Open
- Respect for User Privacy – Keep it User-Centric
Step 5: Procedural steps if you have identified effective supplementary measures
Given the technical, contractual and organizational measures described above and the obligations under the SCCs, Voyado considers that it has taken appropriate measures to ensure that personal information is protected. Therefore, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals.
Voyado follows the European Data Protection Board’s report on Government access to data in third countries to monitor the development of the third country that could affect the initial assessment.
Voyado has the technical mechanisms in place to suspend transfer where commitments to GDPR Article 46 are not upheld by the data importer or the situation in the third country has changed.