In light of the recent ruling by the Court of Justice of the European Union (“CJEU”) in Case C-311/18, known more commonly as “Schrems II” (the “Judgment”), Bristol Global Mobility LLC together with its affiliates (“Bristol”), provides this statement to assist you in assuring that there is an adequate level of protection for personal data transferred to Bristol. In particular, the purpose of this document is to provide data exporter customers with necessary information to assess whether there is risk to the customer’s data subjects of mass surveillance under United States (U.S.) and United Kingdom (“U.K.”) laws.
Bristol is a U.S.-based company that provides relocation and mobility services for employees of clients based all over the world, including in the European Union (“EU”). As part of providing that service, Bristol’s clients – who act as data controllers – transfer personal data to Bristol, which also acts as a data controller. Chapter 5 of the General Data Protection Regulation of the European Union (“GDPR”) requires that these transfers of personal data be conducted on the basis of a valid transfer mechanism. For these transfers, Bristol relies on the controller-to-controller Standard Contractual Clauses (“SCCs”).
Although the Judgment upheld the SCCs as a viable mechanism for transfers from the EU to third countries, the Judgment imposed additional obligations that must be considered when implementing SCCs to address the requirement of adequate protection. The Judgment places an obligation on a party exporting personal data (the “Data Exporter”) to a recipient in a third country (the “Data Importer”) to assess, along with the Data Importer, whether the SCCs can provide sufficient protection to data subjects in light of any laws or regulations enabling access to the personal data by public authorities (“Surveillance Laws”) in the third country to which the data is being transferred and in light of the circumstances of the transfer and any additional safeguards put in place by the Data Importer.
II. Summary of the Surveillance Laws in the United States and in the U.K.
While the Judgment sets out its own analysis of the two principal U.S. Surveillance Laws, a short summary on each is included below.
A. Foreign Intelligence Surveillance Amendment Act of 2008 (“FISA”)
This is a statute establishing a judicial process authorizing a specific type of data acquisition. FISA permits the U.S. government to request that certain organizations assist in collecting or providing data on certain individuals for purposes of national security.
B. Executive Order 12333 (“EO 12333”)
This is a general directive organizing U.S. intelligence activities, which does not include any
authorization to compel private companies to disclose data. EO 12333 authorizes bulk, indiscriminate collection of electronic communication, often as an alternative basis of authority for surveillance when the more limited collection under FISA is considered insufficient.
C. U.K.’s Investigatory Powers Act 2016 (“IPA 2016”)
For the purpose of preventing or detecting serious crimes, certain U.K. law enforcement authorities can use targeted investigatory powers, namely targeted interception (Part 2 of the IPA 2016), acquisition of communications data (Part 3 of the IPA 2016), retention of communications data (Part 4 of the IPA 2016) and targeted equipment interference (Part 5 of the IPA 2016). In order to exercise these powers, the authorities need to obtain a warrant issued by a competent authority and approved by an independent Judicial Commissioner. The obtaining of such a warrant is subject to a necessity and proportionality test. The IPA 2016 created an Investigatory Powers Commission (“IPC”) to oversee the use of all investigatory powers, alongside the oversight provided by the Intelligence and Security Committee of Parliament and the Investigatory Powers Tribunal.
III. Bristol’s Technical And Organizational Safeguards to Address U.S. AND U.K. Surveillance Concerns
A. Bristol’s Business Model and Purposes of Processing
Bristol is fundamentally an enterprise company, meaning that the majority of Bristol’s clients are typically other companies and organizations rather than individual customers. Bristol’s business model sets it apart from companies that have been associated with surveillance programs. Unlike those companies, Bristol’s business does not involve providing telephone or internet-based communication services to the general public, outside of minor messaging capabilities and feedback mechanisms within the Bristol Elite web application. These messaging capabilities are a minor and secondary portion of the actual services provided by Bristol rather than the main function of its offerings.
To the extent that Bristol’s clients or employees of those clients provide it with access to personal data, the clients have the same access as Bristol. The client is both the more direct source of personal data relating to its employees and is more likely to have the most up-to-date and complete information. For this reason, it would be expected that if the government did in fact have an interest in a client or client employee’s personal data, the government would be more likely to approach that client and not Bristol.
Additionally, Bristol operates in an industry that is not known to be highly monitored by the US government under FISA, EO 12333, or IPA 2016. This lessens the likelihood that EU personal data will be implicated in an investigation by U.S. or U.K. government agencies.
B. Categories and Volume of Personal Data Transfers
Bristol transfers personal data of its clients and their employees from the European Economic Area (“EEA”), Switzerland, and U.K. to the U.S. However, Bristol would likely not stand out as a key target for US or U.K. governmental agencies to attempt to surveil using FISA, EO 12333, or IPA 2016 based on the nature of the personal data being transferred.
The categories of the transferred client’s personal data are mainly biographical and identification information, contact information, professional information, travel information, and payment information (collectively the “Transferred Personal Data”). This information is typically processed solely to facilitate relocation, rather than for social or purely communication purposes. Several of these data categories are available via other sources, such as professional information available through client company websites or professional networks, travel information available from airlines or hotels, or address and contact information from a multitude of sources. If required by the government, this information could more easily be requested from these alternate sources, negating the need for Bristol to disclose such information. Further, this information does not include details of individual opinion, political affiliation, or other more sensitive topics that may be of interest to national security. Because of their nature, these categories of personal data are unlikely to be subject to investigations involving national security interests or criminal prosecution. This is in line with the information provided in the whitepaper issued by the United States’ Department of Commerce on September 28, 2020, which clarified that ordinary commercial information like employee, customer, or sales records is of no interest to U.S. intelligence agencies.
C. Bristol’s Security Practices
Bristol has implemented various technical, contractual, and organizational measures designed to protect any Transferred Personal Data from unauthorized disclosure and access (“Security Measures”). These measures serve to supplement the protections enshrined in the SCCs. While these alone would not protect the Transferred Personal Data from U.S. governmental surveillance, they could lower the likelihood of surveillance and the ease with which the U.S. government could obtain the Transferred Personal Data. In addition, they provide additional safeguards for the personal data itself. These measures include:
- Written policies and procedures requiring Bristol employees to maintain the privacy, security, and confidentiality of personal data.
- Contractual requirements for Bristol vendors that may receive Transferred Personal Data to uphold baseline security and confidentiality measures.
- Network and database activity are logged and actively monitored for potential security events including intrusion.
- Bristol-authored applications and IT systems are regularly scanned/monitored for vulnerabilities.
- Regular vulnerability and penetration testing is performed on the applicable IT systems and applications.
- Bristol restricts physical and logical access to IT systems, accounts, voicemail, and other applicable documents or systems that process Transferred Personal Data to those officially authorized persons with an identified need for such access.
- External points of connectivity in the Bristol network architecture are protected by firewall(s).
- All information within the systems and applications is encrypted in transit and at rest using at least Advanced Encryption Standard (“AES”) 256-level encryption.
- Encryption of email messages containing sensitive information through the Barracuda encryption service.
- Known exploitable vulnerabilities in Bristol-authored applications and IT systems are patched expeditiously.
- All devices that may process Transferred Personal Data are outfitted with protective software, must use a VPN, and implement security measures such as automatic lock time and disk encryption.
Additional details about Bristol’s Security Measures are maintained internally in Bristol’s “Supplementary Security Measures” document, which is regularly updated, and which is available on request. Broadly, the supplementary measures contained in this document provide further detail on:
- the technical measures implemented by Bristol which include access control, data encryption and device security measures;
- the contractual measures implemented by Bristol, such as service agreements, data protection addenda and SCCs; and
- the organizational measures implemented by Bristol which include internal polices and training for Bristol personnel.
D. Past Practices of Disclosures and Bristol’s Commitment to Clients
Bristol has never received a U.S. or U.K. governmental request for personal data and has not provided a client’s personal data to the U.S. or U.K. government under any national security order, such as a FISA directive. Bristol is also not aware of any instance where another company offering relocation and mobility services for employees has ever received a national security order. Neither is it aware of any indication that a U.S. intelligence agency has sought to obtain Transferred Personal Data unilaterally outside the United States under the authority of EO 12333.
Bristol requires an official, signed document issued pursuant to relevant U.S. law before it will consider a request for access to a client’s personal data. Bristol’s compliance team has committed to scrutinizing every request for legal validity and, as part of that procedure, will reject any request Bristol considers to be invalid. If Bristol is legally required to comply, it will respond as narrowly as possible to the specific request.
Furthermore, If Bristol receives a U.S. or U.K. government request for a client’s personal data, pertaining to EEA, Swiss, or U.K. individuals, it has committed that it will make every effort to refer the request to the affected client if permitted by law, so that the client can work with the government authority directly to respond.
As part of its policies, Bristol has committed to protecting clients’ personal data while complying with applicable laws. Under those policies, where Bristol is prohibited by law from notifying the affected client, Bristol will take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the appropriate EU data protection authorities.
E. Transfers of Data from Bristol
In the course of delivering its services, Bristol sometimes shares personal data with vendors or other third parties. This data sharing is performed under data processing and data sharing agreements setting forth confidentiality and security obligations compliant with the requirements of Article 28 of the GDPR and Chapter 5 of the GDPR.
The vast majority of these vendors and third parties are based within the United States, making it less likely that these transfers would fall under FISA observation since they are not international. Assessment of whether these third parties are likely subject to EO 12333 must be made on an individual basis for each company’s circumstance. The data processing and data sharing agreements in place with third parties mandate that the third parties inform Bristol wherever legally possible of any governmental requests for personal data prior to providing that personal data to the requesting governmental agency or body.
A full list of the vendors and other third parties with whom Bristol may share personal data when performing its services is available upon request.
IV. Bristol’s Position
Taking into account: (1) the business nature (rather than consumer-facing nature) of personal data processed by Bristol’s services; (2) the fact that Bristol has never received any request for disclosure of personal data under laws as FISA and other laws like the United Kingdom’s Investigative Powers Act; and (3) the relatively low impact to EU citizens’ right to data protection; it is Bristol’s position that transfers of personal data by data exporters to Bristol (as the Data Importer) do not undermine the protections afforded data subjects by the SCCs, the GDPR, and the agreement between Bristol and its customers.