Transfer impact analysis (TIA) based on EDPB recommendations on supplementary measures for personal data transfers from the EEA/EU

Introduction

This document aims to address theEuropean Data Protection Board (EDPB) recommendations 01/2020 on measuresthat supplement transfer tools to ensure compliance with the EU level ofprotection of personal data transferred to third countries adopted on November10, 2020, and what we are doing at TeleSign in respect of our security,organizational and technical measures to comply with the EDPB recommendations.

Following its judgment of 16 July2020 (Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, C-311/18), the  Court ofJustice of the European Union (CJEU) stated that Article 46 (1) and 46 (2)(c)of the GDPR must be interpreted in such a way to ensure that data subjects, whose personal data are transferred to a third country pursuant to Article 46 transfer tools, are afforded a level of protection essentially equivalent to that guaranteed within the European Union.

In response, the European DataProtection Board (EDPB) has recently published a the six-step recommendation list on measures to supplement the Article 46 transfer tools, which is available here.

Even though the data exporter (TeleSign’sCustomer) is liable for assessing its transfers and supplementary measures,TeleSign, as a data importer, wishes to offer its response to supplementary measures in compliance with the EDPB recommendations.

Step 1: Know your transfers (mapping all transfers of personal data to third countries) 

TeleSign is headquartered in Los Angeles, California (US) and additionally has offices in Belgrade, Serbia with support from an operational sub processor from Lithuania (EU). Personal data is transferred from the Customer to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. TeleSign’s current data center set up includes four data centers located in the US, UK, and the Netherlands (EU). The personal data is replicated across all four data centers for purposes of traffic load balancing and service availability. Furthermore, TeleSign uses various carriers, network transit providers and data service providers (Sub processors) for transmission of telecommunication services, such as SMS and Voice, globally. It is impossible to determine which provider is applicable to a specific Customer for the purposes of this document because TeleSign has connections with more than 250 different service providers worldwide, and such analysis would be disproportionate to the required result.  

For current Sub processor and data center list, please see Appendix 1 of TeleSign DPA.

Step 2: Identify the transfer tools your transfer relies on

 

TeleSign executes a Data Processing Agreement (DPA) that contains the Standard Contractual Clauses (SCCs) with all existing Customers (defining us as a data processor) and Sub processors. In the DPA, we commit to the obligations of data processors under the GDPR, and flow down those obligations to all our processors/sub processors, including the all-important data protection adequacy for international data transfers. Fortunately, TeleSign did not rely on the recently invalidated Privacy Shield as an international data transfer mechanism under the GDPR, as such the invalidation pursuant to the Schrems II judgment did not affect the way we do business. From the implementation of GDPR, we had relied on the SCCs to operationalize international transfers from the EEA/EU on legal grounds. Effective September 27, 2021, we have adopted the newly updated SCCs are applied to address all international transfers. These new SCCs are meant to better align with the regulatory requirements of the GDPR, and to address issues highlighted in recent legal decisions like Schrems II.

For current SCCs, please visit TeleSign SCCs.

Step 3: Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer

United States

As a US-based company processing personal data in the EU, we understand our Customers’ concern on the application of FISA Section 702/Executive Order 12333 (US surveillance laws) when data is transferred to the US, as a result of the Schrems II decision. To provide some clarity, Schrems II was not a ruling on whether privacy protections in US law per se, as of either 2016 or 2020, are consistent with EU law. The CJEU ruled only on the validity of Decision 2016/1250 (Privacy Shield). Any assessment of US law (including FISA) by CJEU accordingly relied primarily on the limited findings about US law recorded by the Commission in 2016 in Decision 2016/1250.

It is known that the U.S. government frequently shares intelligence information with EU Member States to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. Such intelligence may include data disclosed by companies in response to FISA 702 orders. Sharing of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the EU Member States.

Data transferred outside the EU, whether destined for the United States or any other country, flows through numerous transmission networks and is potentially subject to access by such countries’ intelligence agencies, as well as by private entities acting illicitly, and the extent to which the data is protected from such access depends largely on the data security measures taken by individual companies, and on the laws and practices in each jurisdiction through which the data passes. No country acknowledges the specific locations and operational details of its clandestine overseas intelligence activities. Many countries do not even regulate such activities by law, including some EU Member States. Were the lawfulness of data transfers outside the EU to depend on an assessment of intelligence agencies’ clandestine access to data outside a given destination country while in transit, no data transfers could be found lawful under EU standards because intelligence agencies worldwide potentially could access the data as it travels over global networks.

There is a wealth of public information about privacy protections in US law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016, and information the CJEU neither considered nor addressed. Companies may wish to take this information into account in any assessment of US law post-Schrems II.

The United States government has prepared a Whitepaper to provide a detailed discussion of privacy protections in current U.S. law and practice relating to government access to data for national security purposes, focusing in particular on the issues that appear to have concerned the CJEU in Schrems II, for consideration by companies transferring Personal Data from the EU to the United States and the recently published 6-step recommendation list on measures to supplement transfer tools for Controllers (TeleSign Customers). We trust that the US Government Schrems II Whitepaper will be able to assist our Customers in their assessment of the US law that may impinge on the effectiveness of the appropriate safeguards on the transfer tools they are relying on.

In TeleSign’s case, personal data is transferred from the Customer in the EU to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. TeleSign’s current data center set up includes four data centers located in the US, UK, and the Netherlands (EU). The personal data is replicated across all four data centers for purposes of traffic load balancing and service availability. The EU-US personal data typically transferred for the provision of TeleSign services involves ordinary commercial information, such as phone numbers, IP addresses, names of end users. The use cases for TeleSign’s services involves authentication, fraud prevention and securing end user accounts on behalf of its Customers. Such transferred data would not be of interest to US foreign intelligence agencies. To date TeleSign has not received any government requests to disclose data under FISA 702. Nevertheless, all data is transferred while having in place and maintaining network protection intended to deny the ability to intercept data and encryption of personal data whilst in transit. The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data. Moreover, this theoretical possibility exists with respect to data held anywhere in the world, so the transfer of data from the EU to the United States in particular, does not increase the risk of such unilateral access to EU citizens’ data. In summary, as a practical matter, TeleSign has no reason to believe our data transfers from the EU to the US present the type of data protection risks that concerned the CJEU in Schrems II.

Serbia

Outside of its US headquarters, TeleSign has an office in Belgrade, Serbia. The office has more than two thirds of TeleSign’s employees working on service delivery, engineering, operational and billing support. In late 2018, Serbia updated its data protection law to better align with the GDPR. Serbian data protection practices and laws are largely harmonized with the EU, even though Serbia is not afforded an adequacy decision yet. International data transfers outside of Serbia are based on Standard Contractual Clauses issued by the Serbian Data Protection Commissioner which are based on the provisions offered in EU Model Clauses. To conclude, Serbian data protection practices offer the same level of protection offered to data subjects under the GDPR and therefore, the risk to personal data that is transferred outside of the EU to Serbia is very low.

United Kingdom

On 28 June 2021, the EU Commission adopted an adequacy decision for transfers of personal data to the UK from EEA/EU, therefore UK data protection practices fall within scope of adequate safeguards under the GDPR.

Global

TeleSign uses various third-party sub processors for service delivery, such as SMS/Voice and data providers. When we transfer personal data to a third-party provider acting as our sub processor, we enter into a written agreement (Vendor DPA) requiring that the provider warrants at least the same level of privacy and protection as is required by: (1) applicable data protection laws, (2) our Privacy Policy and Global Information Security Policy (GISP), and (3) any other representations that we have made to relevant End Users, Customers, or other third-parties in agreements or otherwise. Additionally, in the Vendor DPA, we flow down data processor obligations to all our processors/sub processors, including the data protection adequacy requirements for international data transfers using the Standard Contractual Clauses.


Step 4: Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence  

TeleSign maintains, in accordance with good industry practice, measures for protection of personal data from interception (including in transit from the Customer to TeleSign and between different systems and services). This includes having in place and maintaining network protection intended to deny the ability to intercept data and encryption of personal data whilst in transit.

TeleSign encrypts all customer transactions to our APIs via the Internet with TLS 1.2, as well as customer access to our management console, TelePortal. Advanced Encryption Standard(AES) and Secure Hash Algorithm 2 (SHA-2) are the most widely used encryption and hashing algorithms within TeleSign.

For services requiring third-party requests (e.g., SMS delivery), the requests are sent over TLS to ensure encryption of data in transit. Mobile devices (laptops, mobile phones, tablets, etc.) are encrypted. Encryption is also in use for remote access to the TeleSign network, as well as company Wi-Fi.

For more information onTeleSign’s security practices, please review the Security Whitepaper: https://www.telesign.com/security.


Step 5: To take any formal procedural steps the adoption of your supplementary measure may require 

TeleSign remains committed to complying with the newly adopted SCCs and responding to any additional transfer impact analysis (TIA) questionnaires coming from our Customers to the best of our ability without undue delay. TeleSign is open to negotiating any reasonable supplementary measures (technical, contractual or organizational) in good faith, as long as they are not contradictory to any applicable law. In addition, TeleSign commits to being compliant with any applicable privacy regulations in their existing form and, also when they get updated.

Step 6: Continuous vigilance of the level of protection of personal data – to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it

As already mentioned, TeleSign commits to being compliant with any applicable privacy regulations in their existing form and, also when they get updated.

We employ various independent third parties to perform an ISO 27002-based Enterprise Risk Assessment (ERA) across the entire network on an annual basis to measure our compliance with the ISO-based standard and the internal Global Information Security Policy (GISP) based on the ISO 27002:2013 standard for information security management. We review and update our internal policies, including the Privacy Policy and GISP, on an annual basis or when necessary.

The design, acquisition, implementation, configuration, and management of our business processes, infrastructure, assets, systems, products, and services are routinely reviewed for consistency with existing internal policies and related applicable data protection laws. Our team of privacy professionals is dedicated to closely monitoring any significant developments that could materially downgrade the level of protection afforded to personal data our Customers share with us. To that end, we warrant in Data Processing Agreements (DPA) with Customers that any updates to the DPA will not result in the material degradation of the originally agreed privacy and security protections. Privacy (and security) risk is considered throughout the data processing lifecycle, and we hold ourselves accountable for the protection of personal data from start (collection) up until the end (deletion).


Conclusion

At TeleSign, we have no reason to believe that the laws and practices in third countries applicable to the processing of the personal data by TeleSign as the data importer prevent us from fulfilling our obligations under the Standard Contractual Clauses. For any additional information, please contact: PrivacyOffice@telesign.com or view TeleSign Privacy Whitepaper.