What is Schrems II?
Schrems II is the commonly used name for the ECJ case C-311/18. On 16 July 2020, the ECJ decided that the EU-US Privacy Shield was invalid and could no longer be used as a personal data transfer mechanism to safeguard the transfer of personal data to the US. Data exporters (companies transferring personal data outside of the EU/EEA), where appropriate with the collaboration of the data importer (the company in a third country receiving the personal data from the data exporter directly or indirectly), now have the responsibility to verify, on a case-by-case basis, whether the law and practices of the non-EU third country provide “essentially equivalent” protection for personal data transferred from the EU/EEA. When conducting this analysis, the parties must take into account, among other things, the circumstances of the transfer, the nature of the data, and the availability of possible additional safeguards (i.e. supplementary measures).
What is a transfer impact assessment (TIA) and why is it relevant?
A Transfer Impact Assessment – or TIA – is a documented assessment of a transfer of personal data from the EU/EEA to non-EU/EEA countries that do not benefit from an adequacy decision of the European Commission (here’s the list of countries benefiting from an adequacy decision). TIAs are required to be conducted under the new Standard Contractual Clauses and serve to document a proper assessment of risks associated with the transfer. This is particularly relevant for transfers to the US, as the Privacy Shield has been invalidated by the ECJ in its “Schrems II” decision. Because Bandwidth provides its services globally, Bandwidth is committed to ensuring that if and when personal data is transferred to a non-EEA country on our watch, the relevant legal obligations are met.
What are the SCCs?
Standard Contractual Clauses (SCCs) are standard contractual terms that have been pre-approved by the European Commission and serve as one of the legal transfer mechanisms to allow personal data to flow outside of the EU/EEA. The European Commission published an updated version of the SCCs on 4 June 2021 to modernize the SCCs, account for sub-processors and additional models (e.g. P2C and P2P), and add additional contractual safeguards in response to the Schrems II decision.
How are the Bandwidth services relevant under this decision?
Bandwidth provides its services on a global scale and, as an international organization, has offices in various countries, including the US, South Korea and Singapore. As such, even though we maintain separate and regionalized storage of customer data, either in the EU (Belgium, Germany and Ireland) for customers using Global services or in the US for customers using Domestic (i.e. US and Canada) and Communication APIs services, customer data may be accessed by our employees around the world on a need-to-know basis, for example in order to support our customers in various parts of the services (sales, billing and payment, technical support and maintenance, fraud detection and prevention, etc.). You can find more detailed information on the purposes of the transfers in Bandwidth standard DPA – Appendix 1.
Can transfers of personal data to the US continue?
Yes. In the same Schrems II ruling, the ECJ confirmed that the Standard Contractual Clauses remain a valid transfer mechanism, subject to certain conditions. The European Data Protection Board (EDPB) states in its guidance that transfer mechanisms such as SCCs may need to be paired with supplementary technical, organizational and contractual measures, as appropriate in a particular personal data processing context, to provide an adequate level of protection essentially equivalent to the EU standards.
Bandwidth relies on SCCs for intracompany transfers of personal data to the US and Singapore, as well as with third party vendors. The Bandwidth standard DPA also incorporates up-to-date SCCs for the benefit of our customers.
To date, we have no reason to believe that the laws and practices in the US and Singapore applicable to the processing of personal data in the context of our services prevent Bandwidth from fulfilling its obligations under the SCCs. Nonetheless, please note that we do not provide customers with legal advice with respect to their use of the services; customers shall perform their own legal assessment.
What are FISA 702 and EO 12333 that were mentioned in Schrems II?
FISA 702 and Executive Order 12333 were identified by the ECJ in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
- FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers (“ECSP”) within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers (“RCSP”), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
- Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign “signals intelligence” information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these and other US Surveillance Laws may be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper (published by the US Department of Commerce, Department of Justice, and Office of the Director of National Intelligence), which discusses the limits and safeguards relevant to US public authority access to data in response to Schrems II.
Is Bandwidth subject to US Surveillance Laws (such as FISA 702 and EO 12333)?
Bandwidth is an electronic communications service provider operating a Communications Platform as a Service (CPaaS). As such, Bandwidth may be subject to FISA 702. However, our practical experience to date shows us that the probability of being subject to a FISA 702 directive is low. Bandwidth publishes a transparency report related to access requests on an annual basis as part of its Corporate Responsibility Report, a current copy of which may be found at https://investors.bandwidth.com.
Bandwidth is not subject to EO 12333, because US electronic communications service providers may not be compelled to cooperate with data acquisition activities carried out under this Executive Order, nor may they or other US persons be targeted.
What is the purpose of the transfer?
To provide you with a flexible, reliable, global communications platform. Bandwidth may transfer personal data in order to support our customers in various parts of the services (sales, billing and payment, technical support and maintenance, fraud detection and prevention, etc.). You can find more detailed information on the purposes of the transfers in Bandwidth standard DPA – Appendix 1.
Who are the data importer(s) under the SCCs?
Bandwidth Inc. (US)
Voxbone SA (Singapore Branch)
What data is affected?
You can find a complete list of the categories of data affected in Bandwidth standard DPA – Appendix 1, which gives information on the nature of Bandwidth’s processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects. As noted above, Bandwidth maintains separate and regionalized storage of customer data, either in the EU (Belgium, Germany and Ireland) for customers using Global services or in the US for customers using Domestic (i.e. US and Canada) and Communication APIs services; however, customer data may be accessed by our employees from our office locations around the world (including in the US and Singapore) in order to provide the services and support our customers. You can find more detailed information on the purposes of the transfers in Bandwidth standard DPA – Appendix 1.
What sub-processors does Bandwidth use?
You can find a list of our current sub-processors here.
What contractual, technical and organizational supplementary measures does Bandwidth implement to protect the data in the case of a transfer?
Contractual: Bandwidth relies on SCCs, both intracompany and with any third party vendor involved in an onward transfer. As a customer, you will also benefit from our Bandwidth standard DPA with new SCCs included as of September 27, 2021. The new SCCs contain specific provisions on notification and handling government data requests in accordance with the expectations of the EDPB.
If your customer agreement is still based on a DPA template signed before September 27, 2021 either with Bandwidth Inc. or with Voxbone SA, or you are unsure about it, we will be pleased to amend it to refer to the new Standard Contractual Clauses. Please feel free to reach out to your Bandwidth representative or [email protected] to execute an updated DPA.
Technical: Security is a high priority for Bandwidth, which has a comprehensive Information Security Management System (ISMS) based on ISO 27001 requirements and is certified to ISO 27001:2013. In addition to protecting its network and software, Bandwidth is committed to protecting all access points to that network and to Customer information. All Bandwidth desktops, laptops, and mobile devices are centrally managed and fully encrypted. All end user computers have anti-virus and anti-malware protections. Access to Bandwidth’s production systems and services by employees follows a need-to-know model with least privilege. Bandwidth continuously monitors user accounts using security analytics and anomaly detection. Bandwidth requires two-factor authentication for all remote access to Bandwidth networks and systems. You may review the Bandwidth Security Fact Sheet for more details.
Organizational: Bandwidth reviews and reinforces its internal policies for responding to government access requests for personal data. Our regulatory operations teams implement and enforce a tailored review process for government access requests to ensure appropriate responsiveness in applicable jurisdictions and the protection of the personal data of our customers and their end users; more information is available at. Information on law enforcement requests may be found in the Law Enforcement Guide. Bandwidth publishes a transparency report related to access requests on an annual basis as part of its Corporate Responsibility Report, a current copy of which may be found at https://investors.bandwidth.com.
What is the risk?
In light of the information reviewed in our assessment, including Bandwidth’s practical experience dealing with government requests and the technical, contractual, and organizational measures Bandwidth has implemented to protect customer personal data, Bandwidth considers that the risks involved in transferring personal data from the EU/EEA to, and processing it in, the US and Singapore do not impinge on our ability to comply with our obligations under the SCCs (as “data importer”) or to ensure that data subjects’ rights remain protected.
Why do we still refer to the Privacy Shield in our Privacy Notice?
Bandwidth is maintaining our certification under the Privacy Shield, as the US Department of Commerce encouraged participants after the Schrems II decision to maintain their adherence to the principles and requirements of the Privacy Shield Framework. The US Department of Commerce continues to administer and enforce the Privacy Shield program, and while the latter is no longer a valid transfer mechanism, our continued participation demonstrates Bandwidth’s continued commitment to adhere to attendant principles and EU standard of care.