Date: 04.11.2024
Overview
This document provides information on the data transfer assessment we have carried out in connection with use of our Services, in light of the “Schrems II” ruling of the European Union Court of Justice and the recommendations from the European Data Protection Board.
In particular, this document describes the legal regimes applicable to transfers made, the safeguards put in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland or a country deemed “adequate” by the EU Commission ("Europe"), and our ability to comply with our obligations as "data importer" under the EU, Swiss and UK Standard Contractual Clauses (together "SCCs").
Step 1: Know your transfer
Where we process personal data governed by European data protection laws as a data processor, we comply with the obligations set out in our data processing agreement ("DPA"). Our DPA incorporates the SCCs and provides the following information:
description of our processing of customer personal data (Exhibit A); and
description of our security measures (Exhibit B)
Please refer to Exhibit A of our DPA for information on the nature of our processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects.
We may transfer Customer personal data to the sub-processors for the purpose of providing the Services to you. The countries to which Customer personal data will be transferred will depend upon: (i) the sub-processor used; (ii) the particular part of our Services used; and (iii) the location of the sub-processor providing this service on our behalf, and their own sub-processors.
Details of all transfers of Customer personal data to sub-processors are set out in our List of Sub-Processors published at: https://www.letsflo.co/legal-terms-and-policies/sub-processor-list.
Step 2: Identify the transfer mechanism relied upon
The following sub-processors located in third countries (i.e. countries which do not have an adequacy decision from the European Commission) transfer personal data originating from Europe relying upon SCCs:
| | Name | Location | Transfer Mechanism |
|---|---|---|---|
| A. | OPENAI OpCo LLC | USA | SCCs incorporated into the OpenAI DPA. |
| B. | UPTIME.COM LLC | USA | SCCs incorporated into the Uptime.com LLC DPA. |
| C. | LUCIDLINK CORPORATION | USA | SCCs incorporated into the LucidLink Corporation DPA. |
| D. | LETS FLO US INC. | USA | https://www.letsflo.co/legal/DPA |
A. OPENAI LLC
Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer
US Laws
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
There is individual redress, including for UK citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data.
Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
CLOUD Act
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
OPENAI is an "electronic communications service provider" under applicable laws in the USA and, therefore, is subject to access requests under FISA 702.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
OPENAI provides the following technical measures to secure customer data:
Encryption: Data encryption at rest and in transit.
Security and certifications: Additional information about OpenAI's security practices and certifications is available in their SCCs.
OpenAI's contractual measures are set out in their DPA which incorporates the SCCs.
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this assessment document, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
We will review and, if necessary, reconsider the risks involved and the measures OPENAI have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA on a regular basis, and as a minimum once per calendar year.
B. UPTIME.COM LLC
Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer
US Laws
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
There is individual redress, including for UK citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data.
Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
CLOUD Act
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
Uptime.com LLC could be subject to access requests under FISA 702.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
Uptime.com LLC provides the following technical measures to secure customer data:
Encryption: All personal data is encrypted at rest and in transit.
Security and certifications: Additional information about the company’s security practices and certifications is available in Annex 3 of their SCCs. The company’s contractual measures are set out in their DPA which incorporates the SCCs.
Uptime.com LLC’s organizational measures to secure customer data:
Uptime.com LLC will notify us and, where possible, the data subject promptly (if necessary with our help) if they: (i) receive a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to the SCCs; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) become aware of any direct access by public authorities to personal data transferred pursuant to the SCCs in accordance with the laws of the country of destination; such notification shall include all information available to them.
If Uptime.com LLC are prohibited from notifying us and/or the data subject under the laws of the country of destination, they agree to use their best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Uptime.com LLC agrees to document their best efforts in order to be able to demonstrate them at our request.
Where permissible under the laws of the country of destination, Uptime.com LLC agrees to provide us, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this assessment document, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
We will review and, if necessary, reconsider the risks involved and the measures Uptime.com LLC have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA on a regular basis, and as a minimum once per calendar year.
C. LUCIDLINK CORPORATION
Step 3: Assess whether the transfer mechanism relied upon is effective in light of the circumstances of the transfer
US Laws
FISA 702 and Executive Order 12333
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:
FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject to FISA 702 are electronic communication service providers ("ECSP") within the meaning of 50 U.S.C. § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.
Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.
Further information about these US surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.
Regarding FISA 702 the whitepaper notes:
For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
There is individual redress, including for UK citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
Regarding Executive Order 12333 the whitepaper notes:
EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702, to collect data.
Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.
CLOUD Act
For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.
The whitepaper notes:
The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.
The CLOUD Act does not allow U.S. government access in national security investigations, and it does not permit bulk surveillance.
LucidLink Corporation could be subject to access requests under FISA 702.
Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data
LucidLink Corporation provides the following technical measures to secure customer data:
Encryption: All personal data is encrypted at rest and in transit.
Encryption Keys: Only customers are in possession of the encryption keys.
Security and certifications: Additional information about the company’s security practices and certifications is available in Annex II of their SCCs. The company’s contractual measures are set out in their DPA which incorporates the SCCs.
LucidLink Corporation’s organizational measures to secure customer data include:
Policy for government access: LucidLink Corporation will review the legality of any request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. LucidLink Corporation shall, under the same conditions, pursue possibilities of appeal. When challenging a request, LucidLink Corporation shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. LucidLink Corporation shall document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to us. It shall also make it available to the competent supervisory authority on request.
Step 5: Procedural steps necessary to implement effective supplementary measures
In light of the information provided in this assessment document, no additional supplementary measures are necessary at this time.
Step 6: Re-evaluate at appropriate intervals
We will review and, if necessary, reconsider the risks involved and the measures LucidLink Corporation have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of the EEA on a regular basis, and as a minimum once per calendar year.
