Bristol Global Mobility's EU Data Transfer Statement

Last updated: September 15, 2023

I. Overview

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) decided Case C-311/18, captioned Irish Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The CJEU decision in Schrems II included two main findings. First, it found that the European Commission’s adequacy determination for the EU-U.S. Privacy Shield Framework was invalid, due to concerns regarding the necessity and proportionality of U.S. government surveillance authorities and the availability of actionable judicial redress for EU data subjects. Second, it reaffirmed the validity of standard contractual clauses (“SCCs”) as an international data transfer mechanism, while clarifying that data exporters bear the responsibility for verifying whether the law in the recipient country ensures adequate protection, under the standards set by EU law, for personal data transferred under the SCCs and, where it doesn’t, for providing additional safeguards to guarantee such protection or suspend transfers.

On June 4, 2021, in the wake of the Schrems II decision, the European Commission released new SCCs for international transfers. Around the same time, on June 18, 2021, the European Data Protection Board (“EDPB”) released its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (“EDPB Recommendations”). Many data exporters are now using a combination of the new SCCs and the supplemental measures recommended by the EDPB to ensure that their transfers of personal data to the United States (“U.S.”) remain compliant with the GDPR. 

Bristol is a U.S.-based company that provides relocation and mobility services (“Relocation Services”) for employees of its corporate customers based all over the world, including in the European Union (“EU”). Bristol has affiliate entities in the United Kingdom, Canada, and Singapore. As part of providing the Relocation Services, Bristol’s corporate customers – who act as data controller and data exporter – may transfer personal data about their relocating employees or representatives to Bristol, which also acts as a controller and data importer. Bristol has compiled this FAQ document to assist you, as a data exporter, in verifying that your transfers of EU personal data to Bristol are compliant.

II. Summary of the Surveillance Laws in the United States

While Schrems II sets out its own analysis of the two principal U.S. Surveillance Laws, a short summary on each is included below.

A. Foreign Intelligence Surveillance Amendment Act of 2008 (“FISA”)

This is a statute establishing a judicial process authorizing a specific type of data acquisition. FISA permits the U.S. government to request that certain organizations assist in collecting or providing data on certain individuals for purposes of national security.

B. Executive Order 12333 (“EO 12333”)

This is a general directive organizing U.S. intelligence activities, which does not include any authorization to compel private companies to disclose data. EO 12333 authorizes bulk, indiscriminate collection of electronic communication, often as an alternative basis of authority for surveillance when the more limited collection under FISA is considered insufficient.

III. FAQ

1.  Is Bristol certified under the Data Privacy Framework (“DPF”)?

Bristol Global Mobility LLC certified its adherence to the EU-U.S. and Swiss-U.S. Data Privacy Frameworks. The Bristol Privacy Statement is available here.

Since the European Commission granted adequacy for the EU-U.S. Data Privacy Framework on July 10, 2023, Bristol customers transferring personal data subject to the EU GDPR and within scope of Bristol’s certification to Bristol in the U.S. can enjoy seamless data transfers without needing to use other transfer mechanisms, such as the standard contractual clauses, and transfer impact assessments, in accordance with paragraph 27 of the EDPB Recommendations. This has been confirmed by the EDPB in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023.

2.  Has Bristol ever received a request for the disclosure of personal data from government authorities?

No.  As of the last updated date of this FAQ document, Bristol and its affiliate entities have not received a request or directive from any law enforcement, national security, or other government authority, representing any national, state, or local jurisdiction, for the disclosure of any personal data processed on behalf of its customers.  Bristol is not aware of any interception of customer personal data either.

Furthermore, if Bristol receives a government request for customer representative or relocating employee personal data pertaining to EEA, Swiss, or U.K. individuals, it has committed that it will make every effort to refer the request to the affected customer if permitted by law, so that the customer can work with the government authority directly to respond.

As part of its policies, Bristol has committed to protecting customers’ personal data while complying with applicable laws. Under those policies, where Bristol is prohibited by law from notifying the affected customer, Bristol will take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the appropriate data protection authorities.

3.  Has a Bristol sub-processor ever received a request for the disclosure of customer personal data from government authorities?

As of the effective date of this FAQ document, Bristol is not aware that any of its sub-processors have ever received a request or directive from any law enforcement, national security, or other government authority, representing any national, state, or local jurisdiction, for the disclosure of personal data processed on behalf of Bristol. Bristol is not aware of any interception of personal data either.

4.  Is Bristol theoretically subject to the U.S. surveillance laws at issue in Schrems II?

In its Schrems II decision, the CJEU criticized the scope of two U.S. surveillance laws: (1) Section 702 of FISA (“FISA Section 702”) and (2) EO 12333. Bristol may theoretically be eligible to receive a government request pursuant to the former—although it will have an opportunity to object if it ever does receive one—and Bristol is not eligible to receive a government request pursuant to the latter. In addition, Bristol has implemented supplemental measures to protect personal data from inappropriate or excessive governmental intrusion under either law.

FISA Section 702: Pursuant to FISA Section 702, the Foreign Intelligence Surveillance Court may authorize the U.S. government to issue orders requiring certain companies in the United States to disclose communications data of non-U.S. persons located outside the United States to the government, provided that a “significant purpose” of the surveillance is the acquisition of “foreign intelligence information.” The statute explains that the government may direct such orders to “electronic communication service providers,” including telecommunications carriers, as that term is defined in the Communications Act of 1934; providers of an electronic communication service, as that term is defined in the Electronic Communications Privacy Act (“ECPA”); providers of a remote computing service, as that term is defined in ECPA; and any other communication service provider who has access to wire or electronic communications, either as such communications are transmitted or as such communications are stored. See 50 U.S.C. § 1881.

Bristol believes that it could make a good faith legal argument against its classification as an electronic communication service, a remote computing service, or an entity otherwise subject to FISA Section 702. No court has declared that Bristol or (to Bristol’s knowledge) any of its direct competitors qualify as electronic communication service providers as that term is defined in the ECPA and therefore subject to FISA Section 702. However, it is important to acknowledge that law enforcement authorities in the United States, including the United States Department of Justice, have assigned expansive scope to these terms, and that federal courts have often sided with law enforcement authorities on questions of scope. As such, you should consider that Bristol could be required to respond to an order under FISA Section 702, despite any arguments that it might make to the contrary. However, it is important to note that FISA Section 702 allows the recipient of a disclosure order to challenge the validity of that order (see 50 U.S.C. § 1881a(i)(4)-(6)), and that the Bristol entities have implemented supplemental measures to protect personal data from excessive or disproportionate intrusion under FISA Section 702.

EO 12333: EO 12333 is an Executive Order that organizes the intelligence gathering activities of various U.S. surveillance authorities. In relevant part, it is the primary source of authority for the NSA’s collection of signals intelligence from telecommunications infrastructure located outside of the U.S. EO 12333 does not authorize the government to compel any private company to disclose any information to any government authority, and it is therefore impossible for Bristol to receive a demand for information pursuant to it.

While it remains a theoretical possibility that the NSA could use its access to telecommunications infrastructure located outside of the U.S. to intercept personal data that you send to Bristol in transit, that theoretical possibility exists to a substantially identical degree with respect to every data transfer that uses the same telecommunications infrastructure, regardless of country of origin, country of destination, or the identity of the parties involved. In our opinion, your transfers to Bristol do not create any unique or elevated risk.

In addition, as set forth below, Bristol has implemented supplemental measures to protect data transfers occurring within Bristol product environments.

Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities: On October 7, 2022, President Biden signed an Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (“EO 14086”). This order outlines the measures the U.S. undertakes to implement its commitments under the EU-U.S. DPF announced in March 2022 by President Biden and European Commission President von der Leyen.

The EO 14086 emphasizes the strengthening of privacy and civil liberties safeguards against U.S. signals intelligence activities. It establishes requirements that signals intelligence activities should be conducted solely for defined national security objectives, taking into consideration the privacy and civil liberties of all individuals, regardless of nationality or country of residence. Under the EO 14086, such activities should only be pursued when necessary to advance a validated intelligence priority and in a manner proportionate to that priority.

Moreover, the EO 14086 mandates specific handling requirements for personal data collected through signals intelligence activities. It extends the responsibilities of legal, oversight, and compliance officials to ensure appropriate actions are taken to remediate incidents of non-compliance.

To align with the new privacy and civil liberties safeguards, the U.S. intelligence community is required to update its policies and procedures accordingly. These updates will reflect the enhanced protections outlined in the EO 14086.

The EO 14086 also establishes a multi-layer redress mechanism for individuals from qualifying states and regional economic integration organizations. This mechanism allows individuals to seek independent and binding review and redress for claims that their personal data, collected through U.S. signals intelligence activities, was handled in violation of applicable U.S. law. The redress process includes an initial investigation conducted by the Civil Liberties Protection Officer (“CLPO”), followed by review from a Data Protection Review Court (“DPRC”). The Privacy and Civil Liberties Oversight Board is tasked with reviewing intelligence community policies and procedures to ensure compliance with EO 14086. Additionally, the board will conduct an annual review of the redress process, including compliance with determinations made by the CLPO and the DPRC.

5.  Is personal data shared with Bristol likely to be subject to request for the disclosure of personal data from government authorities?

In Bristol’s opinion, no. Bristol is a U.S.-based company that provides Relocation Services to employees of its corporate customers through its network of suppliers. Bristol operates in a distinct manner compared to data importers that have been mentioned in recent enforcement decisions on international data transfers to the U.S., such as Meta Platforms, Inc. (a U.S. entity) in the Irish Data Protection Commission’s decision against Meta Ireland.

Bristol operates a B2B (business-to-business) company, meaning that Bristol’s customers are other companies and organizations rather than individual customers. Bristol’s business model sets it apart from companies that have been associated with surveillance programs. Unlike those companies, Bristol’s business does not involve providing telephone or internet-based communication to the general public, outside of minor messaging capabilities and feedback mechanisms within its products. These messaging capabilities are a minor and secondary portion of the actual services provided by Bristol rather than the main function of its offerings.

The categories of transferred customer representative personal data are mainly biographical and identification information, contact information, and professional information. The categories of transferred relocating employee personal data depend on the relocation in question and may include travel information, employment information, and information pertaining to residency (collectively the “Transferred Personal Data”). This Transferred Personal Data is typically processed solely to facilitate relocation, rather than for social or purely communication purposes. Several of these data categories are available via other sources, such as professional information available through customer company websites or professional networks, travel information available from airlines or hotels, or address and contact information from a multitude of sources. If required by the government, this information could more easily be requested from these alternate sources, negating the need for Bristol to disclose such information. Further, this information does not include details of individual opinion, political affiliation, or other more sensitive topics that may be of interest to national security. Because of their nature, these categories of personal data are unlikely to be subject to investigations involving national security interests or criminal prosecution. This is in line with the information provided in the whitepaper issued by the United States Department of Commerce on September 28, 2020, which clarified that ordinary commercial information like employee, customer, or sales records is of no interest to U.S. intelligence agencies.

To the extent that Bristol’s customers or relocating employees of those customers provide Bristol with personal data, the customers have the same access as Bristol and, as the customer is the data controller in this circumstance, the customer would be a more direct source. In addition, Bristol’s customers are more likely to have the most up-to-date and complete personal data. In contrast, Bristol solely has personal data directly related to the Relocation Services and depends on the customers or employees for direct updates to personal data. For this reason, it would be expected that if the government did in fact have an interest in a customer or customer employee’s personal data, the government would be more likely to approach that customer and not Bristol.

Additionally, Bristol operates in an industry that is not known to be highly monitored by the U.S. government under FISA or EO 12333. This lessens the likelihood that EU personal data will be implicated in an investigation by U.S. government agencies.

6. Has Bristol put supplemental measures in place to protect transferred personal data?

Yes. The Bristol entities have implemented contractual, organizational, and technical supplemental measures to protect personal data from inappropriate or excessive governmental intrusion.

Contractual Measures: Bristol will sign a data processing addendum (“DPA”), or similar document, with you. Bristol’s customer DPA is available here: https://www.bristolglobal.com/client-dpa/. The Customer DPA includes a set of supplementary measures in its Exhibit C, and it also includes the EU 2021 standard contractual clauses, which apply when the EU-U.S. DPF is not the applicable transfer tool. As shown in the list below, the EU 2021 Standard Contractual Clauses incorporate in clauses 14 through 16 many of the supplementary contractual measures recommended by the EDPB Recommendations to protect transferred personal data from unreasonable surveillance.

The following list gives each type of contractual supplementary measure, followed by the EU 2021 SCC provision that implements it:

  • Obligation to use specific security measures:    Annex II
  • Obligation to provide information about requests for access to personal data by public authorities:    Clause 15.1(c)
  • Obligation to notify the exporter of inability to comply with contractual commitments:    Clause 14(e) and clause 16(b) and (c)
  • Suspension and/or termination rights upon notification of inability to comply with contractual requirements:    Clause 14(f) and clause 16(b) and (c)
  • Obligation to notify the exporter of requests from public authorities before granting access, where allowed by law:    Clause 15.1
  • Obligation to monitor legal and policy developments on public authorities' access to personal data:    Clause 15.2(a)
  • Obligation to review the legality of orders to disclose personal data:    Clause 15.2(a)
  • Obligation to challenge orders to disclose personal data:    Clause 15.2(a)
  • Obligation to seek interim measures:    Clause 15.2(c)
  • Provision of the minimum amount of information in response to orders to disclose personal data:    Clause 15.2(c)
  • Notification to the data subject of requests from public authorities:    Clause 15.1(a)

In addition, Bristol is willing to assure its customers that if it determines that it is no longer able to comply with its commitments set forth in its contract(s) with those data exporters, it will promptly notify them, and the customer may suspend the transfer of data and/or terminate the agreement without liability for any additional fees or payments beyond any amount owed for services already delivered.

Organizational Measures: While it has not yet received a government request for customer personal data, Bristol has implemented a Policy and Procedure for Managing Law Enforcement Data Requests to govern the organization’s response in case it ever does receive one. With some degree of variation, depending on the circumstances of the request, the Policy and Procedure for Managing Law Enforcement Data Requests requires the following:

  • Bristol will notify its customer of a disclosure request for personal data processed on behalf of that customer unless prohibited by law. If Bristol is prohibited from making such a notification, it will make reasonable and lawful efforts to secure an exception to the prohibition, including by informing the authorities that the prohibition stands in conflict with other legal and contractual obligations.
  • Where possible, Bristol will ask the requesting authority to redirect its request to the customer.
  • Where it has grounds to do so, Bristol will use reasonable and lawful means to challenge the disclosure request on the basis of any legal deficiencies under applicable law.
  • Where possible, Bristol will seek interim measures to suspend the effects of the disclosure request until a competent court has determined its validity on the merits.
  • Bristol will not disclose any personal data unless and until required to do so, and Bristol will never disclose more personal data than required (i.e., Bristol will provide the minimum amount of information possible to comply with a request, including redacting personal data where appropriate).

Please note that these procedures may not apply in the case of a genuine emergency.

Technical Measures: Bristol has implemented various technical, contractual, and organizational measures designed to protect the Transferred Personal Data from unauthorized disclosure and access (“Security Measures”). These Security Measures serve to supplement the protections enshrined in the EU 2021 Standard Contractual Clauses. While these alone would not protect the Transferred Personal Data from U.S. governmental surveillance, they could lower the likelihood of surveillance and the ease with which the U.S. government could obtain the Transferred Personal Data. In addition, they provide additional safeguards for the personal data itself. These measures include:

  • Written policies and procedures requiring Bristol employees to maintain the privacy, security, and confidentiality of personal data.
  • Contractual requirements for Bristol vendors that may receive Transferred Personal Data to uphold baseline security and confidentiality measures.
  • Network and database activity is logged and actively monitored for potential security events, including intrusion.
  • Bristol-authored applications and IT systems are regularly scanned/monitored for vulnerabilities.
  • Regular vulnerability and penetration testing is performed on the applicable IT systems and applications.
  • Bristol restricts physical and logical access to IT systems, accounts, voicemail, and other applicable documents or systems that process Transferred Personal Data to those officially authorized persons with an identified need for such access.
  • External points of connectivity in the Bristol network architecture are protected by firewall(s).
  • All information within the systems and applications is encrypted in transit and at rest using at least Advanced Encryption Standard (“AES”) 256-level encryption.
  • Encryption of email messages containing sensitive information through the Barracuda encryption service.
  • Known exploitable vulnerabilities in Bristol-authored applications and IT systems are patched expeditiously.
  • All devices that may process Transferred Personal Data are outfitted with protective software, must use a VPN, and implement security measures such as automatic lock time and disk encryption.
  • Additional details about Bristol’s Security Measures are maintained internally in Bristol’s “Supplementary Security Measures” document, which is regularly updated and which is available on request. Broadly, the supplementary measures contained in this document provide further detail on: the technical measures implemented by Bristol, which include access control, data encryption and device security measures; the contractual measures implemented by Bristol, such as service agreements, data protection addenda and SCCs; and the organizational measures implemented by Bristol, which include internal policies and training for Bristol personnel.

7. Is personal data processed by Bristol subject to any onward transfers?

Yes. Bristol may share personal data that customers provide to Bristol in connection with their use of Bristol services with Bristol’s network of suppliers, affiliates, and sub-processors located outside of the EEA. This data sharing is performed under data processing and data sharing agreements setting forth confidentiality and security obligations compliant with the requirements of Article 28 of the GDPR and Chapter 5 of the GDPR. The vast majority of these vendors and third parties are based within the United States, making it less likely that these transfers would fall under FISA observation since they are not international. Assessment of whether these third parties are likely subject to EO 12333 must be made on an individual basis for each company’s circumstance. The data processing and data sharing agreements in place with third parties mandate that the third parties inform Bristol wherever legally possible of any governmental requests for personal data prior to providing that personal data to the requesting governmental agency or body. A full list of the vendors and other third parties with whom Bristol may share personal data when performing its services is available upon request.