In light of the decision of the Court of Justice of the European Union (the “ECJ” or “Court”) in the “Schrems II” case, EU data controllers are reviewing the data transfer mechanisms they rely upon for transferring personal data pursuant to Article 46 of the General Data Protection Regulation (“GDPR”). This note is issued to our EU data controller customers to assist in such a review as it relates to the transfer of EU personal data to Lotame in the U.S., and onward transfers per instructions from our EU data controller customers to other platforms in countries that do not have an adequacy decision by the European Commission.
The information below is intended to:
PLEASE NOTE: The Schrems II decision has no effect and no additional action needs to be taken by either Lotame or our customers unless and to the extent that EU personal data is actually transferred to Lotame in connection with its provision of its products or services. There are situations where Lotame’s provision of services does not involve the transfer of EU personal data to Lotame or third countries. Where such a situation is applicable, it will be reflected in the governing services agreement. If Article 46 transfers are not applicable, no further examination of the impact of Schrems II is necessary.
Lotame has utilized the U.S./EU Privacy Shield Framework to support personal data flows from the European Union and has also entered into GDPR-compliant Data Protection Agreements (“DPAs”) with customers for whom we process personal data of EU data subjects. However, under the ECJ decision, EU data controllers can no longer rely on Privacy Shield commitments; as such, personal data transfers from the EU under the Lotame DPA are now governed by Commission-approved SCCs. Lotame’s current standard DPA provides that the applicable SCCs spring into effect automatically upon the commencement of a transfer of EU personal data to Lotame. Please contact your account manager to initiate the execution of a Lotame DPA in the event your review suggests SCCs are called for but not yet in place.
While Lotame no longer relies on EU-U.S. and Swiss-U.S. Privacy Shield as a lawful basis for international transfers of personal information from EU/EEA and Switzerland to the U.S., Lotame remains certified under both EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred from the EU/EEA, the UK and Switzerland to the United States.
Although the ECJ confirmed the continuing validity of SCCs, it indicated that data controllers who want to rely on SCCs may be required to undertake additional due diligence regarding the legal system governing access to personal data by public authorities in the data importer’s country. Specifically, the Court said that European data exporters may be obligated to verify “whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”
The ECJ examined issues arising from the concern that U.S. intelligence agencies might access transferred data under two sources of U.S. law: Executive Order 12333 (“EO 12333”) and Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”).
EO 12333 is a general directive organizing U.S. intelligence activities. In particular, it provides authority for U.S. intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. What is important to note is that EO 12333 does not, in and of itself, include any authorization to compel private companies to disclose data.
FISA 702 is a statute establishing a judicial process authorizing a specific type of data acquisition. Unlike EO 12333, under FISA 702, an independent court may authorize the government to issue orders compelling electronic communication service providers (“ECSPs”) in the United States to disclose communications data of specific non-U.S. persons located outside the United States to obtain specified types of foreign intelligence information.
With respect to FISA 702, the ECJ identified two U.S. government surveillance programs – “PRISM” (now “DOWNSTREAM”) and “UPSTREAM” – that, in its view, “exceed what is necessary in a democratic society for national security purposes” and disproportionately undermine the fundamental privacy rights of EU data subjects. To the extent that a particular data flow is susceptible to U.S. government surveillance under either of these programs, the ECJ concluded that controllers may need to adopt “supplementary measures” in order to ensure the level of protection required under EU law.
Based on a careful review, Lotame has determined that neither EO 12333 nor the programs under FISA 702 pose a material risk of government access to personal data that is transferred to and processed by Lotame by, or on behalf of, customers that transfer personal data of European data subjects.
First, as noted above, EO 12333 does not, in and of itself, include any authorization to compel private companies such as Lotame to disclose personal data to U.S. intelligence agencies. Any requirement that a company in the United States disclose data to the government for intelligence purposes must be authorized by statute and must be targeted at specific persons or identifiers, such as through FISA 702 orders; bulk collection is expressly prohibited.
Second, like most U.S. technology companies offering cloud-based services, Lotame could be deemed an ECSP and therefore be subject to FISA 702. However, Lotame does not handle any personal data that could be of any interest to U.S. intelligence agencies. U.S. government commitments and public policies restrict intelligence collection to what is required for foreign intelligence purposes and expressly prohibit the collection of information for the purpose of obtaining a commercial advantage. The Behaviors Lotame obtains from its Business Customers and Data Partners are ordinary commercial information used to assist in Tailored Advertising and Content Personalization, and it is unlikely that those Behaviors are of any interest or value to U.S. intelligence agencies. Lastly, Lotame does not operate any part of the backbone of U.S. telecommunications or internet infrastructure, so it is unlikely that Lotame would be subject to a UPSTREAM data collection order.
The Lotame Information Security Management System is ISO/IEC 27001:2013 certified and, as such, Lotame provides robust safeguards for personal information transferred to the U.S. in connection with its services. For example:
Consistent with our commitment to Privacy by Design, Lotame will continue to review and refine its policies and procedures to maximize personal privacy and security of personal data collected and transmitted from Europe and all other jurisdictions in which we do business.
Lotame is committed to complying with applicable law and best practices to safeguard consumer privacy and maintain the confidentiality and integrity of our customers’ data, and we remain vigilant for opportunities to enhance the security of personal data in accordance with Privacy by Design and Default.