Data Transfer Risk Assessment
Effective Date: September 22, 2022
This transfer impact assessment (TIA) is intended to provide information to help our customers conduct their own transfer impact assessments in connection with their use of our services, in light of the “Schrems II” ruling of the Court of Justice for the European Union (CJEU) and recommendations from the European Data Protection Board and the UK’s Information Commissioner’s Office.
This TIA describes the relevant legal regimes applicable to Contentstack in the US, the safeguards we put in place in connection with transfers of customer personal data from the European Economic Area, the United Kingdom and Switzerland (Europe), and our ability to comply with our obligations as a "data importer" under (i) the EU Standard Contractual Clauses (2021) and (ii) the UK International Data Transfer Addendum to the EU Commission Contractual Clauses (B1.0) (collectively referred to in this TIA as the SCCs).
This TIA identifies and describes the risks associated with transfers of customer personal data to Contentstack in the US or our subsidiary in India, as well as any supplementary measures we have taken — or have required our vendors to take — to safeguard customer personal data.
Step 1: Know your transfer
Where we process customer personal data that is subject to European and/or UK data protection laws as a processor, we will comply with our obligations under our Data Processing Addendum or data processing terms in a similar agreement with our customers (DPA). Any DPA that we enter into with a customer will incorporate the appropriate SCCs.
The DPA will set out information on the nature of our processing activities in connection with the provision of services to our customers, the types of customer personal data we process and transfer, the categories of data subjects and our security measures. The type of personal data that we process, and categories of data subjects, is generally limited to personal data relating to individuals who have been authorized by a customer to use our services on behalf of that customer (e.g., first and last name, business contact information and IP address).
We transfer customer personal data to a number of sub-processors in connection with our services. A list of all of our sub-processors (including their processing location(s)) is available at www.contentstack.com/legal/sub-processors/ and we notify customers when this list changes.
Step 2: Identify the transfer tool relied upon
We rely on SCCs for customer personal data that is transferred from Europe to the US. These SCCs are included within DPAs that we enter into with customers.
Where customer personal data originating from Europe is transferred between Contentstack subsidiaries in India or transferred by us to third party sub-processors, we will enter into SCCs with those parties where there is no relevant adequacy decision, such as those in the US, Philippines and India.
Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer
US Surveillance Laws
FISA 702 and Executive Order 12333
FISA 702 and EO 12333 were identified by the CJEU in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data transferred to the US.
The Foreign Intelligence Surveillance Act (FISA) regulates US governmental electronic and physical surveillance of communications for foreign intelligence purposes. FISA generally requires the US government to apply for a court order with respect to each target of surveillance. FISA requires the US government to include information in its applications that demonstrates that probable cause exists to believe that the target of surveillance is a foreign power or an agent of a foreign power. Such applications are made to, and evaluated by, the specialized Foreign Intelligence Surveillance Court (FISC), which is comprised of sitting Article III judges who have been designated for that role by the Chief Justice of the US Supreme Court.
Section 702 of FISA contains less restrictive procedures for the US government to acquire foreign intelligence information targeting non-US persons who are not within the US. Surveillance under Section 702 is subject to supervision by the FISC, but the provision does not require the FISC to review individual targets of surveillance. Instead, under Section 702, the FISC reviews generally applicable targeting and minimization procedures and guidelines submitted by the US Attorney General and the Director of National Intelligence to determine whether they are “reasonably designed” to: (1) ensure that surveillance only targets persons who are reasonably believed to be outside the US; and (2) prevent the intentional acquisition of purely domestic communications. Once the FISC approves those procedures and guidelines, the US government may issue directives to “electronic communication service providers” requiring them to provide the US government with “all information, facilities, or assistance” needed to conduct the surveillance in a manner that does not undermine its secrecy.
Under Section 702, the term “electronic communication service provider” includes communications providers (such as telephone, email, or internet service providers) (ECSPs) as well as remote computing service providers that provide “computer storage or processing services” to the public (RCSPs). Although Section 702 requires the target of surveillance to be outside the US (e.g., an EEA or UK citizen in Europe), the information may be acquired from facilities within the US, such as data centers operated by US-based electronic communication service providers. If the US government targets a non-US person through an acquisition that occurs outside the US, that acquisition would not necessarily be governed by FISA, including Section 702, but would still need to comply with EO 12333 (see below).
For example, the government has used FISA 702 to implement downstream (previously referred to as “PRISM”) and upstream collection programs. In downstream collection, the US government typically directs consumer-facing communications service providers—such as ISPs, telephone providers, or email providers—to provide all communications “to or from” a “selector” (e.g., an email address). Upstream collection similarly involves the collection of all communications “to or from” a selector, but the requests are directed at telecommunications “backbone” providers (i.e., companies that operate the long-distance, high-capacity internet cables that interconnect with ISPs’ local networks) and it does not involve collection of telephone calls. Under the US government’s procedures, the National Security Agency (NSA) is the primary intelligence agency that collects data through the downstream and upstream programs, although the Federal Bureau of Investigation and Central Intelligence Agency also receive data from these programs in more limited circumstances.
Executive Order 12333
EO 12333 addresses the organization and allocation of foreign intelligence surveillance responsibilities among elements of the US Intelligence Community. EO 12333 addresses all US foreign intelligence surveillance activities, including those which may fall outside of FISA’s statutory scheme, such as activities conducted overseas targeting non-US persons. Under EO 12333, the NSA may “collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions.”
As described in a 2014 report by the Privacy and Civil Liberties Oversight Board, the US government also conducts foreign intelligence surveillance outside of the US against non-US persons under the authority of EO 12333. In some instances, this surveillance can capture the same communications that the US government obtains within the US through FISA 702. And because this collection takes place outside the US, it is not restricted by the detailed rules of FISA outlined above.
EO 12333 also includes some privacy protections generally applicable to US foreign intelligence surveillance, but these do not appear to extend to non-US persons. For example, with respect to surveillance conducted abroad, the order requires the Attorney General to determine that probable cause exists to believe that the target of surveillance is an agent of a foreign power, but only if the surveillance is against a US person under circumstances in which a warrant would have been required for law enforcement purposes. Furthermore, the order also expressly states that it does not create any legally enforceable right or benefit against the US. As a result, the CJEU found that EU data subjects did not have enforceable rights under EO 12333, and that the order did not include sufficient protections to limit surveillance to only what was strictly necessary.
Further information about these US surveillance laws can be found in the White Paper entitled “Information on US Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-US Data Transfers after Schrems II.”
The CLOUD Act
The CLOUD Act contains two key parts. The first part responds to foreign governments’ concerns about US laws that restrict foreign law enforcement’s access to communications content held by US service providers — restrictions that apply even when foreign governments are seeking to access data regarding their own nationals in the investigation of local crime. This part of the CLOUD Act authorizes the creation of bilateral executive agreements that would lift those restrictions and thereby enable foreign governments to access communications content directly from US-based service providers, subject to a set of conditions.
The second key part clarifies the rules governing US law enforcement access to data in the hands of US providers.
The following seeks to answer key questions and clarify the operation of both parts.
Executive Agreements and Non-U.S. Access to Evidence
How does the Stored Communications Act create obstacles for non-U.S. law enforcement to access evidence?
The Stored Communications Act (SCA) operates as a “blocking statute.” Except where a statutory exception applies, it prohibits US-based service providers from disclosing communications content to a foreign government, unless there is a CLOUD Act agreement in place (as discussed below).
The SCA applies even if the non-US government is seeking communications content with regard to one of its own nationals in the investigation of a local crime. It also applies even if the non-US government has obtained a compelled disclosure order pursuant to its national laws.
More specifically, the SCA states that a covered service provider “shall not divulge” stored communications content to “any person or entity,” unless pursuant to one of nine statutory exceptions, none of which authorizes disclosure to foreign governments.
The SCA also sets out the situations in which service providers can be compelled to disclose communications content. Only a “governmental entity” (defined as a US federal or state department or agency) is given the authority to compel a provider to disclose communications content, and only according to specified substantive and procedural standards. As discussed further below, access to communications content requires a search warrant, signed by an independent US judge, based on the judge’s finding that there is “probable cause” both that (a) a specific crime has occurred or is occurring and (b) the place to be searched, such as an email account, contains evidence of that specific crime. In addition, the warrant must describe with particularity the data to be searched or seized. Service providers who furnish the content of communications to a US or foreign government, in the absence of such a search warrant or a CLOUD Act-authorized executive agreement, risk civil liability. Prior to the CLOUD Act, there was no provision that authorized disclosure of communications content to foreign law enforcement in any circumstance, even in response to compelled disclosure orders issued by foreign courts.
The CLOUD Act:
- only permits the US government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act; and
- does not allow the US government access in national security investigations, and it does not permit bulk surveillance.
Further information on the CLOUD Act can be found in “What is the CLOUD Act?” by BSA Software Alliance.
Is Contentstack subject to FISA 702 or EO 12333?
Contentstack, like most US-based SaaS companies, could, on a theoretical and technical level, be subject to FISA 702 where it is deemed to be an RCSP. However, Contentstack, as an enterprise-level content management SaaS service that primarily collects a very limited scope of customer personal data, does not process personal data that is likely to be of interest to US intelligence agencies.
Furthermore, for the same reason, we are not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. We do not provide internet backbone services; instead, we only carry traffic involving our own customers. To date, the US government has interpreted and applied FISA 702 upstream orders to target only providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
EO 12333 contains no authorization to compel private companies (such as Contentstack) to disclose personal data to US authorities, and FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data that we process, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
What is Contentstack’s practical experience dealing with government access requests?
To date, we have not received any requests for access under FISA 702 or direct access under EO 12333 in connection with customer personal data. Once we receive such a request, we will commence providing a transparency report with respect to such requests. Therefore, while we may theoretically and technically be subject to the surveillance laws identified in Schrems II, to date we have not been subject to these types of requests in our day-to-day business operations.
Step 4: Identify the supplementary measures applied to protect the transferred customer personal data
We provide technical measures to secure customer personal data as set out in our Security Addendum.
Appropriate contractual measures will be set out in DPAs that we enter into with customers, which also incorporate the SCCs. In particular, we are subject to the following requirements:
- Technical measures: We are contractually obligated to have in place appropriate technical and organizational measures to safeguard customer personal data and regularly test technical measures.
- Transparency: We are obligated under the SCCs to notify customers in the event we are made subject to a request for government access to customer personal data from a US government authority. In the event that we are legally prohibited from making such a disclosure, we are contractually obligated to challenge such prohibition and seek a waiver.
- Actions to challenge access: Under the SCCs, we are obligated to review the legality of US government authority access requests and challenge such requests where they are considered to be unlawful.
Our organizational measures to secure customer personal data include:
- Policy for government access: To obtain customer personal data from us, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.
- Onward transfers: Whenever we share customer personal data with sub-processors, we remain accountable to customers for how it is used. We require all sub-processors to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance Teams to ensure our customers' personal data receives adequate protection. This process includes a review of the customer personal data we plan to share with sub-processors and the associated level of risk, the sub-processors' security policies, measures, and third-party audits, and whether the sub-processor has a mature privacy program that respects the rights of data subjects.
- Employee training: All our staff undergo data protection training on the handling of customer personal data appropriate to their role.
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this TIA, including our practical experience of dealing with US government requests and the technical, contractual, and organizational measures we have implemented to protect customer personal data, we consider that the risks involved in transferring and processing customer personal data from Europe in/to the US do not impinge on our ability to comply with our obligations as a data importer under the SCCs or to ensure that individuals' rights remain protected. Therefore, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
We will continually review and, if necessary, reconsider the risks involved and the measures we have implemented in response to changing data privacy regulations and risk environments associated with transfers of customer personal data outside of Europe.