New Standard Contractual Clauses
Airship is committed to upholding global data privacy and security standards, including those set forth by the European Commission (“Commission”) in the updated Standard Contractual Clauses (“SCCs”) issued in June 2021.
The new SCCs were developed in response to the European Union Court of Justice (“ECJ”) opinion in the Schrems II case. In Schrems II the ECJ established that organizations must conduct a case-by-case determination of whether foreign legal protections concerning government access to personal data meet EU standards.
The new SCCs provide helpful guidance for data controllers (data exporters) and data processors (data importers) when considering whether additional safeguards are needed to ensure appropriate data protection standards when personal data is transferred from the EU to third countries, including the US.
Airship Has Implemented the New SCCs
Airship has implemented the new SCC framework in its contracting processes with new customers effective as of September 27, 2021. The Commission has affirmed that contracts relying on the prior SCCs will provide appropriate safeguards for data transfers for a total of 15 months from the effective date, or until December 27, 2022. All existing Airship customers will be migrated to the new SCCs prior to the December 27, 2022 deadline.
Airship’s Technical, Operational and Policy Safeguards Respond to the New SCC Requirements
Like the previous SCCs, these new clauses can be used to facilitate lawful transfers of data if certain conditions are met. The new SCCs have also introduced a risk-based format and additional framework that data exporters can use in assessing the adequacy of a data importer’s data protection measures. In particular, SCC Annex II provides a list of technical and organizational measures that provide adequate protection for personal data transfers to third countries. Our Security Measures align with these Annex II supplementary measures. Together with our focus on Privacy by Design and contractual commitments, Airship’s policies and measures help global organizations meet the requirements of data privacy and protection regulations.
The following sections provide an overview of the measures, policies and procedures that align with the requirements set forth in the SCCs. For more details on any of these measures or policies, please contact the Airship Legal team at firstname.lastname@example.org.
Technical and Operational Safeguards:
Our key technical and organizational measures are based on OWASP Top 10 best practices and include:
- Privacy by Design principles for the product development cycle
- Pseudonymization measures
- Encryption of data at rest and in transit
- Data Retention Policy focused on limited data retention
- Data minimization
- Data deletion functionalities directly available via API
- Data subject requests management functionalities available via API
- Testing and patch management standards and procedures
- Personnel security and confidentiality policies and procedures
- Business continuity planning including data restoration methods
- Access controls
- Regular independent verification and certification of security controls
Appropriate Legal Protections:
As part of this risk-based approach, the Implementing Decision issued by the Commission on 4 June 2021 provides a helpful framework for the overall assessment of whether additional measures are needed. When making the assessment, the parties are encouraged to consider factors such as:
- Reliable information on the application of the law in practice;
- The existence or absence of requests in the same sector; and
- The documented practical experience of the data exporter and/or data importer.
While not exempt from US laws permitting public authority surveillance, the nature of Airship’s business means that we are not a likely target for US surveillance matters. In fact, the United States Department of Commerce has issued an official statement affirming that “most US companies do not deal in data that is of any interest to US intelligence agencies” and that the kinds of data transfers undertaken by most US companies do not present the type of privacy risk that concerned the ECJ in Schrems II. The Department’s statement further clarifies that businesses whose operations involve “ordinary commercial products and services” with the transfer of personal data involving “ordinary commercial information like employee, customer or sales records” would have no basis to believe that US intelligence agencies would seek to collect such data.
In company history, Airship has never been the subject of a public authority data request in the US or elsewhere. If Airship were to receive such a request concerning the data of EU citizens, we would honor our obligations in compliance with Section III (“Local Laws and Obligations in Case of Access by Public Authorities”), Clause 14 (“Local laws and practices affecting compliance with the Clauses”) and Clause 15 (“Obligations of the data importer in case of access by public authorities”) as well as Section IV (“Final Provisions”), Clause 16 (“Non-compliance with the Clauses and termination”) of the SCCs.
For more details, please review our “Response to Public Authority Requests for Personal Data” policy.
Additional Steps Airship Will Take
In addition to the technical, operational and policy safeguards listed above, Airship will also:
- Evaluate and where necessary complete Transfer Impact Assessments for all Subprocessors involved in processing activities; and
- Update all relevant subprocessor agreements to comply with the new SCCs.