International data transfers / Processing of personal data outside the EEA
Following the Schrems ruling of the Court of Justice of the European Union, Springest has published a conclusion of their analysis of data transfers to countries outside the EEA. A version of this article including sources can be requested from your contact person. Published November 2021.
Data transfers to the US
Like many EU-based companies, Springest uses cloud services to conduct its business. The Springest platform is hosted with Amazon Web Services (Amazon Web Services EMEA SARL, located in Luxembourg) and we use Google Workspace in our day-to-day business and communications. We also use the services of HelpScout, Jotform and Sendgrid.
These five parties have their principal seats in the United States (US), as well as a large part of their server capacity. Consequently, data processed through their services can be transferred to the United States. Following the Schrems II ruling of the Court of Justice of the European Union (16 July 2020), such transfers can no longer be based on the Privacy Shield. When relying on other transfer mechanisms, it must be assessed whether in the country of the data importer, such mechanism provides for a level of protection for the personal data that is equivalent to that guaranteed in the EEA, or whether supplementary measures would be required to achieve that.
Standard Contractual Clauses
The transfer of Springest data to our service providers in the US is based on the new EU Standard Contractual Clauses (SCC) for the international transfer of personal data. The European Commission (EC) issued these new SCC for controllers and processors to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679. For the SCC to provide appropriate safeguards the EC takes into account the Schrems II ruling, indicating the standard contractual clauses should ensure an essentially equivalent level of protection to the data transferred on that basis.
Binding requests for disclosure of data
However, as the laws of the country of destination could have a negative effect on the level of protection provided by the SCC, the SCC now contain specific safeguards to address such laws' effects on the data importer's compliance with the clauses, in particular addressing binding requests from such country's public authorities for disclosure of the transferred personal data. For this, in the new SCC the “Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.”
The risk of binding requests for disclosure in practice
Indeed we have no reason to believe that the US laws applicable to our service providers in the US will prevent them from fulfilling their obligations under the SCC between them and Springest. U.S. Executive Order 12333 (EO 12333) allows the U.S. government to collect data directly from infrastructure outside the United States, such as undersea cables. To nevertheless maintain the level of protection, the data passing through all our US service providers is encrypted. As to FISA 702 (Title 50 United States Code (U.S.C.) § 1881a), the downstream section enables the U.S. government to oblige electronic communication service providers, such as Google and Amazon, to assist in targeted surveillance of foreign persons who are located outside the United States and are expected to possess, receive, or communicate foreign intelligence information.
The chance that the U.S. government would issue such a request is very small in general; for their millions of enterprise/AWS customers Amazon and Google each received fewer than 800 government data requests over the latest reported 12-month period. Neither HelpScout nor Jotform ever received such a government request in the past. Sendgrid received 39 requests from US government authorities in the first half of 2021 for 58,000 active customer accounts. Only in 15 cases did Sendgrid provide the information. None of our service providers are prohibited by law from providing us with information about such requests, although they may be required to do so by specified court order or by reference to another legal authority.
A search for public information obtained from case law and reports from oversight bodies, civil society organisations, and academic institutions did not reveal that data importers active in the same field as our data importers have received requests for access to similar transferred data (i.e. personal data processed for the purpose of booking learning products) in the past.
Taking into account the nature of Springest's activities in particular, this small chance becomes negligible, as a platform for personal development where trainings and learnings can be booked is not a place or context where foreign intelligence information would be communicated or looked for. In practice, FISA 702 therefore does not apply to our particular transfer and does not impinge on the effectiveness of the SCC concluded with our US service providers.
Furthermore, our US service providers are large organisations with strong reputations. They are capable of quickly adapting to new legislation and security demands and have proven so in the past. They have been quick to update their DPAs and have been diligent in responding to our questionnaires, to enable us to perform our Transfer Impact Assessments.
In view of the above, we have concluded that transfer of Springest data to Amazon Web Services, Google Workspace, Jotform, HelpScout and Sendgrid can be based on the SCC concluded with these parties in compliance with the GDPR.