SCHREMS II AND BLOOMREACH: FREQUENTLY ASKED QUESTIONS
At Bloomreach, we’re committed to ensuring privacy principles are upheld throughout our business and that our customers have the confidence to entrust us with their data. Since the European Court of Justice issued its "Schrems II" judgment, we know that our customers have faced an additional challenge when selecting service providers located outside of Europe. We are excited to share how Bloomreach can help.
What does the Schrems II judgment mean?
Back in July 2020, the European Union's highest court delivered its “Schrems II” judgment, which invalidated the EU-US Privacy Shield Framework (a partial adequacy decision, under which the transfer of personal data from Europe to US-headquartered organisations was permitted in compliance with the General Data Protection Regulation (“GDPR”)). In particular, concerns were raised over the effectiveness of the framework in light of US surveillance laws. In the same judgment, the court confirmed that the European Commission's standard contractual clauses would remain a valid transfer mechanism. However, the court provided that such safeguards could be used only where they ensured an "essentially equivalent" level of protection for data as that guaranteed by European law.
In other words, data can still be transferred to the US, so long as the protection afforded by the transfer safeguards used is not undermined by the local laws applicable to the data importer.
What transfer safeguard does Bloomreach rely on?
Bloomreach's Customer Data Processing Addendum incorporates the 2021 Standard Contractual Clauses ("SCCs"). As noted above, the court in Schrems II provided that SCCs would remain a valid transfer safeguard; the 2021 SCCs are the latest transfer clauses published by the European Commission and address several of the concerns raised in Schrems II.
Can Customers continue to transfer data to Bloomreach? Does Bloomreach have a Transfer Impact Assessment?
As a result of Schrems II, transfers of data from Europe need to be assessed to ensure that adequate safeguards for the data are in place (taking into account local laws). This is commonly referred to as a "transfer impact assessment." Bloomreach is happy to reaffirm our commitment to helping customers protect their data and navigate their compliance obligations when using the Bloomreach services. Accordingly, we have prepared a Transfer Impact Assessment. The outcome of our assessment is that Bloomreach can comply with the SCCs notwithstanding the potential application of certain US surveillance laws. The outcome of our assessment takes into account:
- Our practical experience with relevant US surveillance laws (we have never received a request for access to personal data under the laws which formed the basis of the Schrems II judgment, nor are we aware that any US government agency has attempted to access personal data from us directly); and
- Our comprehensive security measures designed to protect your data, including:
  - capabilities such as layered encryption, network controls, and other access controls;
  - internal organizational policies and processes to ensure data remains protected wherever it is processed;
  - a dedicated internal data privacy team consisting of a Data Protection Officer, Chief Information Security Officer, and a number of Security Engineers, as well as legal professionals to monitor and ensure compliance with GDPR and local laws; and
  - rigorous contractual commitments regarding the measures we take to protect data and to help customers address their obligations under the GDPR.
Is Bloomreach subject to Section 702 FISA?
Bloomreach, like most US-based SaaS companies, could technically be subject to Section 702 FISA and other US regulations. However, Bloomreach is not likely to be subject to upstream surveillance orders under Section 702 FISA, the type of order principally addressed in, and deemed problematic by, the Schrems II ruling.
Section 702 FISA requires an independent court to authorize a specific type of foreign intelligence data acquisition that is generally unrelated to commercial information. Bloomreach does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the US Government has interpreted and applied Section 702 FISA upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).
In the event that US intelligence agencies were interested in the type of data that Bloomreach processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect personal data from excessive surveillance.
EO 12333 contains no authorization to compel private companies (such as Bloomreach) to disclose personal data to US authorities.
Has Bloomreach ever received a government access request?
To date, Bloomreach has never received a US National Security Request (including requests for access under Section 702 FISA) in connection with customer personal data. We are also not aware of any direct access to customer personal data under EO 12333. Based on the services we provide and the scope of data we process, we do not anticipate receiving any requests in the future.
What other recent updates apply to Bloomreach?
In October 2022, President Biden signed an Executive Order titled "Enhancing Safeguards for United States Signals Intelligence Activities", which implements the EU-US Data Privacy Framework ("EU-U.S. DPF"). The EU-U.S. DPF is anticipated to form the basis of a new partial adequacy decision for the US (i.e., Privacy Shield 2.0) and has been negotiated with the European Commission. The Executive Order outlines various principles, restrictions, and standards, which now apply to US surveillance activities and establishes a two-tiered redress mechanism for European individuals who believe that US surveillance practices have violated such standards.
The US Department of Commerce has stated that “[t]hese commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision and will cover personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-U.S. DPF."
Additionally, in its October 2022 "Q&A on the EU-US Data Privacy Framework" the European Commission explained that:
(1) the Executive Order addresses the concerns raised by the Court of Justice of the EU in Schrems II and provides a durable and reliable legal basis for transatlantic data flows; and
(2) the safeguards provided by the Executive Order are available for all transfers to the US under the GDPR, including those under the SCCs.
In Bloomreach's view, as supported by the above statements, the Executive Order signals a significant shift in US law which addresses key issues raised in Schrems II and reaffirms the SCCs as a valid transfer mechanism to the US.
Will Bloomreach become Privacy Shield 2.0 certified?
As the European Commission has confirmed, the Executive Order addresses the concerns raised by the Court of Justice of the EU in Schrems II and provides a durable and reliable legal basis for transatlantic data flows. Bloomreach is fully committed to complying with the Privacy Shield 2.0 framework and becoming Privacy Shield 2.0 certified as soon as the mechanism is in place.
What about Bloomreach's use of Google Analytics?
Bloomreach is aware that over the course of the last year, a number of European data protection authorities have publicly scrutinised the use of Google Analytics (on the basis that Google Analytics' transfer of personal data to the US is not compatible with European data protection law). Generally speaking, various European data protection authorities have found that website operators and businesses need to assess their use of Google Analytics to ensure it complies with European data protection laws and they must document the contractual, technical, and organizational measures in place to ensure data transferred to the US has equivalent protection to that offered in the EU.
In a number of cases, European data protection authorities found that the use of Google Analytics was incompatible with European data protection law, in the form it had been deployed by the businesses under review. Enforcement actions have generally been limited to formal notices requesting changes be made or the use of Google Analytics cease (as opposed to large fines).
Bloomreach has not interpreted the decisions and guidance issued by European data protection authorities as an outright ban on the use of Google Analytics per se. However, we do understand that any use of Google Analytics may in the future be subject to regulatory scrutiny. At the time of writing, Bloomreach can confirm that the only use of Google Analytics within our services is completely optional and turned off by default.