Transfer impact analysis (TIA) based on EDPB recommendations on supplementary measures for personal data transfers from the EEA/EU
Introduction
This document aims to address the European Data Protection Board (EDPB) recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data transferred to third countries adopted on November 10, 2020, and what we are doing at TeleSign in respect of security, organizational and technical measures to comply with the EDPB recommendations.
In its judgment of 16 July 2020 (Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, C-311/18, "Schrems II"), the Court of Justice of the European Union (CJEU) held that Article 46(1) and 46(2)(c) of the GDPR must be interpreted so as to ensure that data subjects whose personal data are transferred to a third country pursuant to Article 46 transfer tools are afforded a level of protection essentially equivalent to that guaranteed within the European Union.
In response, the European Data Protection Board (EDPB) published a six-step recommendation list on measures to supplement the Article 46 transfer tools.
Even though the data exporter (TeleSign's Customer) is responsible for assessing its transfers and supplementary measures, TeleSign, as a data importer, wishes to offer its response on supplementary measures in line with the EDPB recommendations.
Step 1: Know your transfers (mapping all transfers of personal data to third countries)
Telesign is headquartered in Los Angeles, California, USA and additionally has offices in Belgrade, Serbia, with support from an operational sub processor based in Lithuania (EU). Personal data, including Customer data, is transferred from the Customer to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Telesign's current data center set-up includes four data centers: two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU). Furthermore, TeleSign uses various carriers, network transit providers and data service providers (Sub processors) for the transmission of telecommunication services, such as SMS and Voice, globally.
Currently, all personal data is replicated across four data centers (some of which are outside of the EU/EEA) for traffic load balancing and service availability. As a part of Telesign’s ongoing commitment to data privacy and in response to increased Customer requests for EU data residency, Telesign will soon have the capability to ensure that personal data is processed and stored only within the European Union (EU) for most of its Services.
For Telesign’s current Sub processor and data center list, please see Appendix 1 of Telesign’s Customer DPA.
Step 2: Identify the transfer tools your transfer relies on
Telesign executes a Data Processing Agreement (DPA) that contains the EU Standard Contractual Clauses ("SCCs") with all Customers (defining Telesign as a data processor), as well as with all our Processors (where Telesign acts as data controller) and Sub processors. In the DPA, we commit to the obligations of data processors under the GDPR and flow those obligations down to all our processors/sub processors, including the all-important conditions for international data transfers and the related safeguards. Telesign relies on the SCCs as the legal basis for international transfers from the EEA/EU. Effective September 27, 2021, we have adopted the newly updated SCCs, which apply to all international transfers. These new SCCs are meant to align better with the regulatory requirements of the GDPR and to address issues highlighted in recent legal decisions such as Schrems II.
For current SCCs, Module II: Controller (Customer) to Processor (Telesign), please visit Telesign SCCs.
Step 3: Assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer
United States
As a US-based company processing personal data emanating from the EU, we understand our Customers’ concern following the Schrems II decision, on the application of the Foreign Intelligence Surveillance Act, Section 702 (FISA 702)/Executive Order 12333 (US surveillance laws) when data is transferred to the US.
Telesign, as a US-based company, could technically be subject to FISA 702 where it is deemed to be an electronic communications service provider. However, Telesign does not process personal data that would be of interest or value to US intelligence agencies; for example, an SMS carrying an OTP (one-time passcode) verification code, or a risk score assigned to a phone number, would not be of interest to US intelligence agencies for any counter-terrorism operation.
FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information that Telesign is processing. In the event that US intelligence agencies were interested in the type of data that Telesign processes, safeguards put in place by Telesign, as well as the requirement for authorization by an independent court and the necessity and proportionality requirements, would protect the personal data from “excessive surveillance”.
Executive Order (EO) 12333 contains no authorization to compel private companies (such as Telesign) to disclose personal data to US authorities, and thus is not applicable to Telesign.
To date, Telesign has not received any access requests based on FISA 702 or EO 12333.
There is a wealth of public information about privacy protections in US law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016, and information the CJEU neither considered nor addressed. Organizations may wish to take this information into account in any assessment of US law post-Schrems II.
The United States government has prepared a Whitepaper providing a detailed discussion of privacy protections in current U.S. law and practice relating to government access to data for national security purposes, focusing in particular on the issues that appear to have concerned the CJEU in Schrems II. It is intended for consideration by companies transferring Personal Data from the EU to the United States, alongside the recently published six-step recommendation list on measures to supplement transfer tools for Controllers (Telesign Customers). We trust that the US Government Schrems II Whitepaper will assist our Customers in their assessment of the US law that may impinge on the effectiveness of the appropriate safeguards of the transfer tools they rely on.
The EU-US personal data typically transferred for the provision of Telesign services involves ordinary commercial information, such as phone numbers, IP addresses and names of end users. The use cases for Telesign's services involve authentication, fraud prevention and securing end user accounts on behalf of its Customers. Such transferred data would not be of interest to US foreign intelligence agencies. Nevertheless, all data is transferred with network protection in place that is intended to deny the ability to intercept data, and personal data is encrypted whilst in transit. The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without Telesign's knowledge is no different from the theoretical possibility that other governments' intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data. Moreover, this theoretical possibility exists with respect to data held anywhere in the world, so the transfer of data from the EU to the United States in particular does not increase the risk of such unilateral access to EU citizens' data.
In summary, to underline again, Telesign has not received any access requests based on FISA 702 or EO 12333. As a practical matter, Telesign has no reason to believe our data transfers from the EU to the US present the type of data protection risks that concerned the CJEU in Schrems II.
Serbia
Outside of its US headquarters, Telesign has an office in Belgrade, Serbia. More than two-thirds of Telesign's employees work from this office on service delivery, engineering, operational and billing support. In late 2018, Serbia updated its data protection law to align more closely with the GDPR. Serbian data protection laws and practices are largely harmonized with those of the EU, even though Serbia has not yet been granted an adequacy decision. International data transfers out of Serbia are based on Standard Contractual Clauses issued by the Serbian Data Protection Commissioner, which are modelled on the EU Model Clauses. In conclusion, Serbian data protection practice offers the same level of protection afforded to data subjects under the GDPR, and the risk to personal data transferred from the EU to Serbia is therefore very low.
United Kingdom
On 28 June 2021, the EU Commission adopted an adequacy decision for transfers of personal data to the UK from EEA/EU, therefore UK data protection practices fall within scope of adequate safeguards under the GDPR.
Global
Telesign uses various third-party sub processors for service delivery (“Third-Party Provider”), such as SMS/Voice and data providers. When Personal Data is transferred to a Third-Party Provider acting as Telesign’s processor, we enter into a written agreement with such Provider requiring that the Provider collect and use Personal Data from Data Subjects solely for the purpose of providing services to Telesign and that it will do so in a manner that provides at least the same level of privacy and data protection as is required by: (1) applicable data protection laws (such as the GDPR, CCPA, etc.), (2) Telesign’s Internal Privacy Policy (IPP) and Global Information Security Policy (GISP), and (3) any other representations that we have made to relevant Data Subjects, Customers, or partners in agreements or otherwise.
Any Third-Party Provider who is processing Personal Data on behalf of Telesign must sign a Data Processing Agreement (DPA) with Telesign, committing the Third-Party Provider to compliance with applicable data protection law. They must also complete a Vendor Self-Assessment (VSA) questionnaire which allows Telesign’s Privacy and Security teams to assess the overall risk involved.
Step 4: Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence
Technical measures
Telesign maintains, in accordance with good industry practice, measures for the protection of personal data from interception (including in transit from the Customer to Telesign and between different systems and services). This includes having in place and maintaining network protection intended to deny the ability to intercept data, as well as encryption of personal data whilst in transit.
Telesign encrypts all Customer transactions to our APIs over the Internet, as well as Customer access to our management console, TelePortal, with TLS 1.2. Specific hashing algorithms are used to hash some Customer Data. Hashing is a form of cryptographic security and a pseudonymization technique that, taking into consideration the costs of and the amount of time required with the available technology at the time of the processing, makes it very unlikely that the data can be attributed to a specific individual. For low-entropy identifiers such as phone numbers, this holds only when the hash is keyed or salted with a secret held by the processor: an unkeyed digest of a phone number can be reversed by enumerating the numbering plan and hashing each candidate. Pseudonymization is recognized in the GDPR as both a security measure and a data protection by design mechanism.
Advanced Encryption Standard (AES) and Secure Hash Algorithm 2 (SHA-2) are the most widely used encryption and hashing algorithms within Telesign for data at rest. For services requiring third-party requests (e.g., SMS delivery), the requests are sent over TLS to ensure encryption of data in transit. Mobile devices (laptops, mobile phones, tablets, etc.) are encrypted. Encryption is also in use for remote access to the Telesign network, as well as for company Wi-Fi. There are no backdoors into the encrypted infrastructure.
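The following is an added example, not Telesign's code, showing why hashing a phone number only pseudonymizes it when the hash is keyed. The sample number, the attacker's assumed knowledge of the prefix, and the search space size are all constructed for the demonstration; a plain SHA-256 digest of the number is recovered by enumerating the remaining digits, while an HMAC-SHA-256 digest under a processor-held key is not, unless the attacker also holds the key.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample input (not real Customer data): an E.164 number.
SAMPLE_NUMBER = "+32470123456"

# Assumed attacker knowledge for the demo: country code and the first digits of
# the subscriber range are known, leaving 5 unknown digits (10^5 candidates).
KNOWN_PREFIX = "+324701"
UNKNOWN_DIGITS = 5


def pseudonymise_unkeyed(phone: str) -> str:
    """Plain SHA-256 of the number: deterministic, but reversible by enumeration."""
    return hashlib.sha256(phone.encode("ascii")).hexdigest()


def pseudonymise_keyed(phone: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: without the key, enumeration yields nothing."""
    return hmac.new(key, phone.encode("ascii"), hashlib.sha256).hexdigest()


def recover_by_enumeration(target_hex: str, prefix: str, digits: int,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Try prefix + every `digits`-digit suffix; return the matching number or None."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(hasher(candidate), target_hex):
            return candidate
    return None


def demo(key: Optional[bytes] = None) -> dict:
    """Pseudonymise the sample both ways and report what an attacker recovers."""
    # Processor-held secret; it is never stored or transmitted with the data.
    key = key or secrets.token_bytes(32)
    unkeyed = pseudonymise_unkeyed(SAMPLE_NUMBER)
    keyed = pseudonymise_keyed(SAMPLE_NUMBER, key)
    # The attacker only sees the digests. For the keyed scheme the best they can
    # do without the key is guess one (here an all-zero key) and enumerate.
    wrong_key = bytes(32)
    return {
        "unkeyed_recovered": recover_by_enumeration(
            unkeyed, KNOWN_PREFIX, UNKNOWN_DIGITS, pseudonymise_unkeyed),
        "keyed_recovered_without_key": recover_by_enumeration(
            keyed, KNOWN_PREFIX, UNKNOWN_DIGITS,
            lambda p: pseudonymise_keyed(p, wrong_key)),
        # Only someone holding the key (i.e. the processor) can link it back.
        "keyed_recovered_with_key": recover_by_enumeration(
            keyed, KNOWN_PREFIX, UNKNOWN_DIGITS,
            lambda p: pseudonymise_keyed(p, key)),
    }


if __name__ == "__main__":
    print(demo())
```

The demo keeps the search space at 10^5 so it finishes in well under a second; a full national numbering range of 10^9 or 10^10 candidates only raises the attacker's cost to minutes or hours on commodity hardware, which is why the secret key, not the hash function, is what carries the pseudonymization guarantee.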
In addition to these measures, we have implemented measures to prevent, detect and protect against data loss. All Customer Data is kept in accordance with Telesign's Data Retention Policy, which mandates that personal data received from our Customers be deleted after 90 days. Data destruction is performed by secure means that guarantee non-reversibility, and evidence (a destruction certificate) will be provided upon request. A CISO-led Security Department, security policies, anti-malware, business continuity, perimeter security, network segmentation, security monitoring and incident response plans are all in place.
Organizational measures
As discussed under Step 3, FISA 702 acquisition requires authorization by an independent court, is subject to necessity and proportionality requirements, and is generally unrelated to the commercial information that Telesign processes; together with the safeguards Telesign has put in place, these would protect personal data from "excessive surveillance". If, taking into account the nature, scope, context and purposes of the intended government authority access to personal data, Telesign has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, Telesign shall notify the Customer as soon as possible following the access by the government authority and provide the Customer with the relevant details, unless and to the extent it is legally prohibited from doing so. Telesign does not, however, process personal data that would be of interest or value to US intelligence agencies, and this scenario is highly unlikely ever to occur.
As noted under Step 1, personal data is currently replicated across four data centers (some of which are outside the EU/EEA) for traffic load balancing and service availability. In response to increased Customer requests for EU data residency, Telesign will soon have the capability to ensure that personal data is processed and stored only within the European Union (EU) for most of its Services.
Step 5: To take any formal procedural steps the adoption of your supplementary measure may require
Telesign remains committed to complying with the newly adopted SCCs and to responding to any additional transfer impact analysis (TIA) questionnaires from our Customers to the best of our ability and without undue delay. Telesign is open to negotiating any reasonable supplementary measures (technical, contractual or organizational) in good faith, as long as they do not contradict applicable law. In addition, Telesign commits to complying with all applicable privacy regulations in their current form and as they are updated.
Step 6: Continuous vigilance of the level of protection of personal data – to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it
As already mentioned, Telesign commits to complying with all applicable privacy regulations in their current form and as they are updated.
We engage independent third parties to perform an Enterprise Risk Assessment (ERA) across the entire network on an annual basis, measuring our compliance with ISO 27002:2013 and with our internal Global Information Security Policy (GISP), which is itself based on that standard. We review and update our internal policies, including the Privacy Policy and the GISP, annually or whenever necessary.
The design, acquisition, implementation, configuration, and management of our business processes, infrastructure, assets, systems, products, and services are routinely reviewed for consistency with existing internal policies and related applicable data protection laws. Our team of privacy professionals is dedicated to closely monitoring any significant developments that could materially downgrade the level of protection afforded to personal data our Customers share with us. To that end, we warrant in Data Processing Agreements (DPA) with Customers that any updates to the DPA will not result in the material degradation of the originally agreed privacy and security protections. Privacy (and security) risk is considered throughout the data processing lifecycle, and we hold ourselves accountable for the protection of personal data from start (collection) up until the end (deletion).
Conclusion
At Telesign, we have no reason to believe that the laws and practices in third countries applicable to the processing of the personal data by Telesign as the data importer prevent us from fulfilling our obligations under the Standard Contractual Clauses. For any additional information, please contact: [email protected] or view Telesign’s Privacy Hub