Purpose of this Transfer Impact Assessment
This Transfer Impact Assessment (“TIA”) has been prepared in response to the EDPB Recommendations (the “Recommendations”) and the UK ICO's Transfer Risk Assessment guidance, and provides an assessment of whether the laws or practices of a third country in which Memberstack processes customer personal data impinge on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. Where any risks have been identified, it provides details of the supplementary measures which Memberstack implements to mitigate these risks and to help ensure that the level of protection afforded by EU law is maintained. In addition to fulfilling Memberstack's data protection obligations, this TIA will assist Memberstack's customers with their own due diligence obligations as data controllers/data exporters.
Memberstack is committed to enabling customers to use all Memberstack services in compliance with the EU’s data protection regulations, including the GDPR. The steps laid out in this TIA outline how customers can conduct assessments of their use of the Memberstack services in accordance with the Recommendations, and as a result, enable them to comply with EU data protection regulations.
What is the Schrems II Decision?
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) upheld the use of standard contractual clauses (SCCs) as a legal mechanism for transferring personal data outside the European Economic Area (EEA). The CJEU also declared the Privacy Shield framework invalid and confirmed that organizations transferring personal data outside the EEA must work with recipients to assess whether the level of protection for transferred personal data is essentially equivalent to that guaranteed in the EEA by the General Data Protection Regulation (GDPR).
On June 4, 2021, the European Commission adopted two new sets of SCCs, replacing the earlier sets of SCCs adopted under the 1995 Data Protection Directive. These comprise one set of clauses for use between controllers and processors, and another set for transferring personal data to third countries.
What are the EDPB Recommendations?
In November 2020, the European Data Protection Board (“EDPB”) adopted Recommendations 01/2020 on measures that supplement transfer tools. The Recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection for the data they transfer to third countries. To that end, the Recommendations provide exporters with the following six-step data transfer assessment (the “EDPB DTA”):
- Step 1: Know your transfer;
- Step 2: Verify the transfer tool your transfer relies on;
- Step 3: Assess if anything in the law and/or practices of the third country impinges on the effectiveness of the appropriate safeguards of the transfer tools being relied upon;
- Step 4: Identify and adopt supplementary measures;
- Step 5: Take procedural steps that may be required for adoption of supplementary measures; and
- Step 6: Re-evaluate.
For the purpose of this TIA, we adopt the EDPB six-step plan.
- Step 1: Know your transfer
Memberstack, Inc. is a company organized and established under the laws of the State of Delaware, USA. Memberstack may process customer personal data in order to provide the services under the applicable agreement it has entered into with the customer.
- Step 2: Verify the transfer tool your transfer relies on
As between Memberstack and its customers, for any transfers outside the EEA (or in respect of onward transfers), Memberstack relies on the EU standard contractual clauses adopted on 4 June 2021 (the "Standard Contractual Clauses", in each case as amended or replaced from time to time), except for transfers to any country which benefits from a valid adequacy decision of the European Commission. Where applicable, the Standard Contractual Clauses are incorporated into the agreement (including the data processing agreement which fulfils Memberstack’s Article 28 GDPR obligations) between the customer and the relevant Memberstack entity which governs the provision of the Memberstack services. Where Memberstack utilizes any third-party sub-processors, it ensures a lawful transfer mechanism is in place between Memberstack and the relevant sub-processor.
- Step 3: Assess if anything in the law and/or practices of the third country impinges on the effectiveness of the appropriate safeguards of the transfer tools being relied upon
United States of America
- Overview of US surveillance laws
For information on US laws, including section 702 of the Foreign Intelligence Surveillance Act 1978 (FISA), please review the white paper “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II”, which the US Department of Commerce, Department of Justice, and the Office of the Director of National Intelligence jointly issued in September 2020 in response to the Schrems II ruling, detailing the limits and safeguards that apply to US government access to data (the “US White Paper”). The key points of the US White Paper are as follows:
- Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the CJEU in Schrems II.
- The US White Paper directly states: “The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data. Moreover, this theoretical possibility exists with respect to data held anywhere in the world, so the transfer of data from the EU to the United States in particular does not increase the risk of such unilateral access to EU citizens’ data. In summary, as a practical matter, companies that fall in this category have no reason to believe their data transfers present the type of data protection risks that concerned the ECJ in Schrems II.”
- There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
- The U.S. government frequently shares intelligence information with EU Member States, including data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. Sharing of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the Member States.
- There is a wealth of public information about privacy protections in U.S. law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016, and information the CJEU neither considered nor addressed.
Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities
On 7 October 2022, the President of the US signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”), which directs the steps that the US will take to implement its commitments under the EU - US Data Privacy Framework (“EU-US DPF”), which aims to restore the legal basis for transatlantic data flows by addressing concerns expressed by the CJEU ruling in Schrems II, whereby the Privacy Shield framework was invalidated as a EU-US data transfer mechanism.
The Executive Order, which implements the EU-US DPF, clears a path for trans-Atlantic business and diplomacy alike. It requires US intelligence authorities to limit US signals intelligence activities to what is necessary and proportionate. This is a direct response to the first of the two tests for EU adequacy that the CJEU found the Privacy Shield failed. The Schrems II decision states that “[n]either Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD-28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.”
This TIA concludes that there are indications that the laws of the United States of America, at present, do not provide a level of protection equivalent to that afforded to fundamental rights under EU and UK law. This creates a level of risk to the rights and freedoms of data subjects in respect of this data transfer. However, as set forth above, the Executive Order and the accompanying DOJ regulations aim to address the two failings the CJEU cited in invalidating the Privacy Shield: the lack of necessity and proportionality limits on US surveillance programs, and insufficient redress rights to challenge unlawful government surveillance. Both the substance and the legal structure of these components matter under the CJEU’s essential equivalence test.
Risk: Low; requires supplementary measures
Transfer can go ahead because supplementary measures are in place.
Memberstack has not received any data request from any public authority, either in the United States or elsewhere.
- Step 4: If the laws or practices of the third countries mean that the use of the transfer tool alone would not provide an essentially equivalent level of protection, identify the supplemental contractual, technical, or organizational measures that are necessary to bring the level of protection of the data transferred up to the EEA standard of essential equivalence
Memberstack undertakes technical and organizational measures to secure customer data as described in our “Security Overview” document.
Memberstack’s contractual measures are set out in our Data Processing Addendum which incorporates the SCCs. These include:
- Technical measures: Memberstack is contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data.
- Transparency: Memberstack is obligated under the SCCs to notify the customer in the event it receives a request from a government authority for access to customer personal data. In the event Memberstack is legally prohibited from making such a disclosure, it will use reasonable efforts to obtain a waiver of the prohibition so that it can communicate as much information to the customer as possible.
- Actions to challenge access: Under our SCCs, Memberstack is obligated to review the legality of government authority access requests and challenge such requests where they are considered to be unlawful.
Memberstack will review and, if necessary, reconsider the risks involved and the measures it has implemented, to address changes in data privacy regulations and in the risk environment associated with transfers of personal data outside the EEA.
- Step 5: Take procedural steps that may be required for adoption of supplementary measures
At this stage, no further procedural requirements have been identified, in light of the lawful transfer mechanisms adopted and described above.
- Step 6: Re-evaluate
Memberstack shall review this TIA periodically (at least annually). Memberstack shall also review and update this TIA in the event: (i) a new processing location is used to process customer personal data; or (ii) it becomes aware of a change in local applicable law in an existing processing location which may impact the conclusions drawn in this TIA.