Airship’s Policy on Response to Public Authority Requests for Personal Data
The New Standard Contractual Clauses
While not exempt from US laws permitting public authority surveillance, the nature of Airship’s business means that we are not a likely routine target for US surveillance matters. In fact, the United States Department of Commerce has issued an official statement affirming that “most US companies do not deal in data that is of any interest to US intelligence agencies” and that the kinds of data transfers undertaken by most US companies do not present the type of privacy risk that concerned the European Union Court of Justice in Schrems II. The Department’s statement further clarifies that businesses whose operations involve “ordinary commercial products and services” with the transfer of personal data involving “ordinary commercial information like employee, customer or sales records” would have no basis to believe that US intelligence agencies would seek to collect such data.
In company history, Airship has never provided customer data in response to a public authority data request in the US or elsewhere. Airship is committed to honoring our obligations in compliance with Section III (“Local Laws and Obligations in Case of Access by Public Authorities”), Clause 14 (“Local laws and practices affecting compliance with the Clauses”) and Clause 15 (“Obligations of the data importer in case of access by public authorities”) as well as Section IV (“Final Provisions”), Clause 16 (“Non-compliance with the Clauses and termination”) of the updated Standard Contractual Clauses (“SCCs”) issued in June 2021.
Airship’s Policy on Responding to Public Authority Requests for Personal Data
For customers with whom we have entered a binding contract that includes the SCCs, and for the duration of that contract, our policy for any response to a public authority request for data is as follows:
- Airship agrees not to provide any public authority with direct or unlimited access to our customers’ data. We also agree not to provide access to our encryption keys. Requests for data access, if any, must comply with applicable legal requirements and procedures and must be reviewed by the Airship legal team. As a result, unless otherwise prohibited by legal standards or because there is imminent risk of serious harm, we will notify and consult with competent data protection authorities and the data exporter in addressing a request for disclosure.
- We agree to promptly notify the data exporter if we have reason to believe that Airship is or has become the subject of laws or practices not in line with the requirements of Clause 14(a).
- We agree to promptly notify the data exporter, and, where possible and acceptable to the data exporter, the data subject, if Airship (i) receives a legally binding request from a public authority, including a judicial authority, for the disclosure of personal data transferred pursuant to the SCCs, or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs. In providing such information, Airship will use the address on record for the data exporter or its data governance officer.
- If we are prohibited from notifying the data exporter and/or the data subject under US law, we will use our best efforts to obtain a waiver of the prohibition as soon as reasonably possible. We will document our best efforts in order to demonstrate them on request of the data exporter. We will then provide notice as soon as possible after a legal prohibition has been lifted as allowed by applicable orders or laws.
- Where permissible under US law, we agree to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on requests received from a public authority, if any.
- We agree to preserve the information required pursuant to Clause 15.1 paragraphs (a)-(c) for the duration of the contract and to make such information available to the competent supervisory authority on request.
- We agree to review the legality of any request for disclosure to a public authority, and to challenge the request if, after careful assessment, we conclude that there are reasonable grounds to consider the request unlawful under the laws of the US, applicable obligations under international law and principles of international comity. We agree that we will, under the same conditions, pursue possibilities of appeal. We will honor the obligations of Clause 15.2(a) in doing so.
- Without waiving any attorney client privilege or attorney work product protections afforded under applicable law, we agree to document our legal assessment and any challenges to the request for disclosure to a public authority and, to the extent permissible under US law, make the documentation available to the data exporter, and, upon request, to the competent supervisory authority.
- We agree to provide the minimum amount of information permissible when responding to such a request for disclosure based on our reasonable interpretation of the request. Our legal team will review all requests to ensure that there is a valid legal basis, and will provide only as much information as is required to be responsive. If a request is overly broad, we will challenge it.
- We agree to promptly inform the data exporter if we are unable to comply with the SCCs for any reason during the term of our contract.