Data Collaboration Platform Playbook On-Demand Get Yours Now

Data Transfers Pursuant to Article 46 of the GDPR Following Schrems II

In light of the decision of the Court of Justice of the European Union (the “ECJ” or “Court“) in the “Schrems II” case, EU data controllers are reviewing the data transfer mechanisms they rely upon for transferring personal data pursuant to Article 46 of the General Data Protection Regulations (“GDPR“). This note is issued to our EU data controller customers to assist in such a review as it relates to the transfer of EU personal data to Lotame in the U.S., and onward transfers per instructions from our EU data controller customers to other platforms in countries that do not have an adequacy decision by the European Commission.

The information below is intended to:

  • Help our customers determine whether and how Schrems II might apply to the transfer of EU personal data in connection with Lotame’s delivery of its services;
  • Describe the safeguards Lotame has in place to protect personal data in light of the Schrems II recommendations;
  • Provide a mechanism for entering into Standard Contractual Clauses (“SCCs“) where those are not already in place; and
  • Provide information to assist our customers in their role as EU data controllers to conduct any risk assessments that may be required in response to Schrems II.

PLEASE NOTE: The Schrems II decision has no effect and no additional action needs to be taken by either Lotame or our customers unless and to the extent that EU personal data is actually transferred to Lotame in connection with its provision of its products or services. There are situations where Lotame’s provision of services does not involve the transfer of EU personal data to Lotame or third countries. Where such a situation is applicable, it will be reflected in the governing services agreement. If Article 46 transfers are not applicable, no further examination of the impact of Schrems II is necessary.

Immediate and Automatic Transition from Privacy Shield to Standard Contractual Clauses

Lotame has utilized the U.S./EU Privacy Shield Framework to support personal data flows from the European Union and has also entered into GDPR-compliant Data Protection Agreements (“DPAs“) with customers for whom we process personal data of EU data subjects. However, under the ECJ decision, EU data controllers can no longer rely on Privacy Shield commitments; as such, personal data transfers from the EU under the Lotame DPA are now governed by Commission-approved SCCs. Lotame’s current standard DPA provides that the applicable SCCs spring into effect automatically upon the commencement of a transfer of EU personal data to Lotame. Please contact your account manager to initiate the execution of a Lotame DPA in the event your review suggests SCCs are called for but not yet in place.

While Lotame no longer relies on EU-U.S. and Swiss-U.S. Privacy Shield as a lawful basis for international transfers of personal information from EU/EEA and Switzerland to the U.S., Lotame remains certified under both EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred from the EU/EEA, the UK and Switzerland to the United States.

SCCs Remain Valid for Data Transfers to Lotame

Although the ECJ confirmed the continuing validity of SCCs, it indicated that data controllers who want to rely on SCCs may be required to undertake additional due diligence regarding the legal system governing access to personal data by public authorities in the data importer’s country. Specifically, the Court said that European data exporters may be obligated to verify “whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”

U.S. Surveillance Laws

The ECJ examined issues arising from the concern that U.S. intelligence agencies might access transferred data under two sources of U.S. law: Executive Order 12333 (“EO 12333“) and Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702“).

EO 12333 is a general directive organizing U.S. intelligence activities. In particular, it provides authority for U.S. intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. What is important to note is that EO 12333 does not, in and of itself, include any authorization to compel private companies to disclose data.

FISA 702 is a statute establishing a judicial process authorizing a specific type of data acquisition. Unlike EO 12333, under FISA 702, an independent court may authorize the government to issue orders compelling electronic communication service providers (“ECSP“) in the United States to disclose communications data of specific non-U.S. persons located outside the United States to obtain specified types of foreign intelligence information.

With respect to FISA 702, the ECJ identified two U.S. government surveillance programs – “PRISM” (now “DOWNSTREAM”) and “UPSTREAM” – that, in its view, “exceed what is necessary in a democratic society for national security purposes” and disproportionately undermine the fundamental privacy rights of EU data subjects. To the extent that a particular data flow is susceptible to U.S. government surveillance under either of these programs, the ECJ concluded that controllers may need to adopt “supplementary measures” in order to ensure the level of protection required under EU law.

  • PRISM (or “DOWNSTREAM”) Data Collection: Under this program, U.S. intelligence agencies can direct ‘downstream’ collection of communications through the compelled assistance of ECSPs. Effectively, the government sends a selector, for example, an email address, to the ECSP, and the ECSP is required to provide the government with all communications sent to or from that selector.
  • UPSTREAM Data Collection: This program, involves the indirect ‘upstream’ collection of communications through the compelled assistance of ECSPs that provide the backbone of the U.S. telecommunications and the internet infrastructure. Essentially, the U.S. intelligence agencies copies and filters the vast quantity of data flowing through the network of cables, switches and routers that make up the U.S. telecommunications and the internet infrastructure.

Is Lotame Subject to U.S. Surveillance Laws

Based on a careful review, Lotame has determined that neither EO 12333 or the programs under FISA 702 pose a material risk of government access to personal data transferred to and processed by Lotame by or on behalf of customers that transfer personal data of European data subjects.

First, as noted above EO 12333 does not, in and of itself, include any authorization to compel private companies such as Lotame to disclose personal data U.S. intelligence agencies. Any requirement that a company in the United States disclose data to the government for intelligence purposes must be authorized by statute and must be targeted at specific persons or identifiers, such as through FISA 702 orders – bulk collection is expressly prohibited.

Second, like most U.S. technology companies offering cloud-based services, Lotame could be deemed an ECSP and therefore be subject to FISA 702. However, Lotame does not handle any personal data that could be of any interest to U.S. intelligence agencies. U.S. government commitments and public policies restrict intelligence collection to what is required for foreign intelligence purposes and expressly prohibit the collection of information for the purpose of obtaining a commercial advantage. The Behaviors Lotame obtains from its Business Customers and Data Partners are ordinary commercial information used to assist in Tailored Advertising and Content Personalization and it is unlikely that those Behaviors are of any interest or value to U.S. intelligence agencies. Lastly, Lotame does not operate any part of the backbone of the U.S. telecommunications and the internet infrastructure so it would be unlikely that Lotame will be subject to an UPSTREAM data collection order.

Technical Measures Employed by Lotame Consistent with European Data Protection Board (“EDPB”) Published Recommendations

The Lotame Information Security Management System is ISO/IEC27001:2013 certified and as such, Lotame provides robust safeguards for personal information transferred to the U.S. in connection with its services. For example:

  • Application logs, which may contain full IP addresses, are transferred to the U.S. only for internal operational purposes and retained for no more than 10 days.
  • Behavioral data of data subjects is associated only with pseudonymous identifiers.
  • Ad campaign identifiers and similar information are captured and transmitted in the form of alpha-numeric strings that are meaningless to third parties, including the government.
  • Lotame stores personal data about EU residents securely via Amazon’s S3 service. More information about S3 security is available here. In connection with our use of this service, Lotame deploys a number of additional safeguards:
    • Data is encrypted in transit using HTTPS over TLS v1.2 and at rest;
    • For those customers who are unable to make server to server transfers via Amazon’s S3 service, we support Secure File Transfer Protocol functionality, which ensures that both command and data connections are encrypted between the client and the FTP server to allow personal data to be transferred securely over the network.
  • Finally, to the limited extent Lotame uses sub-processors, we have entered into GDPR compliant DPAs with our subprocessors, which include SCCs, to safeguard customer data.

Enhanced Safeguards and Continuous Improvement

Consistent with our commitment to Privacy by Design, Lotame will continue to review and refine its policies and procedures to maximize personal privacy and security of personal data collected and transmitted from Europe and all other jurisdictions in which we do business.


Lotame is committed to complying with applicable law and best practices to safeguard consumer privacy and maintain the confidentiality and integrity of our customers’ data, and we remain vigilant for opportunities to enhance the security of personal data in accordance with Privacy by Design and Default.