Freshworks’ transfers of personal data outside the EEA, UK and Switzerland and the impact of the Schrems II decision

The European Union’s General Data Protection Regulation (GDPR) (including for the purposes of this note, the UK GDPR and relevant Swiss legislation) prohibits the transfer of personal data outside of the European Economic Area (EEA), United Kingdom (UK) and Switzerland unless certain requirements are met.  The requirements of the GDPR continue to apply in the UK despite its withdrawal from the European Union.

As a global organisation headquartered in the United States (US), Freshworks implements several legal transfer mechanisms to keep personal data safe when it is transferred internationally.  Note this paper is focused on transfers to the US as it is the focus of the Schrems II decision refenced below, but Freshworks equally takes its data obligations seriously all around the world and any of the comments below apply equally to data transfers to other jurisdictions (for example but without limitation Freshworks’ strong security posture, use of SCCs etc.).

On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down its decision in the case of Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (popularly known as “Schrems II” because it followed a similar and significant court action by Maximillian Schrems). The CJEU in Schrems II was concerned that government surveillance laws outside of the EEA, UK and Switzerland (particularly US government surveillance laws) could undermine the protection offered by GDPR legal transfer mechanisms.

Schrems II had an immediate impact on Freshworks because it invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield), one of the mechanisms we were relying on to transfer data to the US.  Shortly after Schrems II, the Swiss Federal Data Protection and Information Commissioner invalidated the Swiss-U.S. Privacy Shield Framework (Swiss Privacy Shield) which Freshworks remains also registered under.

All data processing agreements between Freshworks and its customers include Standard Contractual Clauses approved by the European Commission (and the UK Government and the Swiss Government as relevant) (SCCs) which began applying automatically to US transfers when Privacy Shield and Swiss Privacy Shield were invalidated.  For any US transfers which relied solely on Privacy Shield or Swiss Privacy Shield, Freshworks is transitioning to implement additional SCCs to cover those transfers.

Schrems II also impacted SCCs.  Whilst it validated SCCs as lawful GDPR transfer mechanisms, this was on the condition that the parties to the SCCs implement any supplementary contractual, technical and organisation measures necessary to ensure that the terms of the SCCs are able to be complied with in practice by the recipient party ensuring a level of protection essentially equivalent to the protection guaranteed by the GDPR.

In practice this requires a transfer risk assessment to be undertaken by the data exporter. The assessment must take into account the surveillance laws of the recipient country and assess them against the European Essential Guarantees:

• Guarantee A- The surveillance laws should be based on clear, precise and accessible rules.
• Guarantee B- The surveillance laws should include principles of necessity and proportionality with regard to the legitimate objectives being pursued.
• Guarantee C- The surveillance laws are subject to independent oversite mechanisms.
• Guarantee D- That effective remedies are available to individuals whose data is subject to the surveillance laws.

Freshworks (as data exporter and importer of data within the Freshworks Group and as a data exporter and importer of Freshworks client data) has assessed that the SCCs it uses as a mechanism to transfer personal data outside of the EEA, UK and Switzerland to its headquarters in the US are able to work in practice despite any prospect of US surveillance laws being used to intercept data. Some observations to support this assessment are below:

1. For most of the data we process, Freshworks is not the target of US surveillance laws

Freshworks mostly does not deal in the type of data that is of interest to US intelligence agencies.  As detailed in the US Department of Commerce’s white paper “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II”, companies whose EEA, UK or Swiss operations involve data transfers limited to commercial information such as employee, customer or sales records are not the target of US intelligence and counter-terrorism agencies.

Of the two main laws examined by the CJEU in Schrems II, Executive Order 12333 contains no authorisation to compel private companies (such as Freshworks) to disclose personal data to US authorities, and Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) requires an independent court to authorise a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information (such as the information Freshworks generally transfers as a part of our business).  Where US intelligence agencies are interested in the type of data that Freshworks processes, safeguards such as the requirement for authorisation by an independent court and the necessity and proportionality requirements protect data from excessive US surveillance.

In terms of historical interest in Freshworks data, customers should note that we have never received a US government agency request for EEA, UK or Swiss personal data under US surveillance laws.

2. US surveillance laws are generally akin to European and UK surveillance laws

To the extent that US surveillance laws apply to Freshworks, these laws are more akin to European and UK surveillance laws than were described in the Schrems II decision.  FISA 702 does employ multiple safeguards which go to significant lengths to ensure that unauthorised and unnecessary surveillance does not take place.  For instance, surveillance under FISA 702 should be both necessary and proportionate as judged by an independent court on a case by case basis.  Further, the Privacy and Civil Liberties Oversight Board is an independent oversight entity which has conducted extensive reviews of FISA 702 and the Department of Justice also has independent oversight functions.

3. Freshworks implements state of the art technical security measures

We pride ourselves in our robust data security and privacy practices, which continually evolve to ensure the protection of our customer's personal data. You can read more about our extensive security program and design here.

In particular, Freshworks encrypts personal data at rest and in transit protecting it from interception from US government surveillance agencies.  We use AES 256 bit encryption for data at rest and HTTPS with TLS 1.2 encryption for data in transit, meaning that it will be intelligible to third parties.  We are also certified with ISO 27001 and undergo SOC 2 type 2 audit by independent third party firms.

4. Freshworks only uses service providers who offer sufficient data security guarantees

All of Freshworks’ service providers with access to Freshworks’ data are subject to rigorous due diligence checks to ensure they can provide sufficient guarantees to implement appropriate technical and organisation measures to keep data secure and protect the rights of data subjects.  As a part of this due diligence process for new service providers, where Freshworks’ data will be transferred to a service provider outside of the EEA, UK or Switzerland Freshworks conducts a transfer risk assessment on the service provider and the surveillance laws of the service provider’s country based on the principles in Schrems II. For existing Freshworks service providers, Freshworks is conducting a transfer risk assessment project using a risk-based approach.   Where necessary to ensure a level of protection essentially equivalent to the protection offered by the GDPR, Freshworks imposes on its service providers supplementary contractual terms and technological and organisational controls to further protect data from interception by government authorities.

5. Protective organisational measures are in place for Freshworks US

Our US operations are subject to strict policies and processes to ensure that (where permitted to do so by law) customers are notified promptly should a government request for EEA, UK or Swiss personal data ever be received.  Freshworks will not surrender EEA, UK or Swiss customer data to any US government agency unless legally compelled to provide the data, and Freshworks will only provide the minimum amount of personal data necessary in order to comply with the legal compulsion.

6. Effective remedies are available to EEA, UK and Swiss data subjects

Several US statutes authorise individuals of any nationality (including citizens within the EEA, UK or Switzerland) to seek redress in US courts for unlawful violations of US surveillance laws including the right to seek compensation for violations.  Individuals may also challenge unlawful US government access requests and Freshworks will provide assistance and cooperation to enable any affected data subject to exercise individual rights where appropriate to do so.