Data Transfers Pursuant to Article 46 of the GDPR Following Schrems II

Note for Neustar Customers

Last Modified: October 21, 2020

In light of the decision of the Court of Justice of the European Union (the “ECJ”) in the “Schrems II” case, EU data controllers are reviewing the data transfer mechanisms they rely upon for transferring personal data pursuant to Article 46 of the General Data Protection Regulation (“GDPR”). This note is issued to our EU data controller customers to assist in such a review as it relates to the transfer of EU personal data to Neustar in the U.S. and other so-called “third countries”, that is, countries that the European Commission has not found to ensure a level of protection for individuals’ personal data essentially equivalent to that available within the EU.

The information below is intended to:

  • Help you determine whether and how Schrems II might apply to your transfer of EU personal data in connection with Neustar’s delivery of products and services;
  • Describe the safeguards Neustar has in place to protect that data in light of the Schrems II requirements;
  • Provide a mechanism for entering into Standard Contractual Clauses where those are not already in place; and
  • Provide information to assist you in your role as EU data controllers to conduct any risk assessments that may be required in response to Schrems II.

PLEASE NOTE: The Schrems II decision has no effect, and no additional action needs to be taken by either Neustar or our customers, unless and to the extent that EU personal data you transfer is actually processed by Neustar in connection with its provision of the applicable products or services and such processing takes place outside the EU. There are many situations where Neustar’s provision of products or services does not involve the processing of EU personal data, or where such processing only takes place in the EU. Where that is the case, it will be reflected in the governing purchase or services agreement. If Article 46 transfers are outside the scope of our relationship, no further examination of the impact of Schrems II is necessary.

Immediate and Automatic Transition from Privacy Shield to Standard Contractual Clauses

Neustar has utilized the U.S./EU Privacy Shield Framework to support personal data flows from the European Union and has also entered into GDPR-compliant Data Protection Agreements (“DPAs”) with customers for whom we process personal data of EU data subjects. Section 12 of Neustar’s standard DPA provides that SCCs spring into effect automatically upon the commencement of a transfer that would otherwise be prohibited by applicable data protection laws. Because, under the ECJ decision, EU data controllers can no longer rely on Privacy Shield commitments, personal data transfers from the EU under the Neustar DPA are now governed by Commission-approved SCCs. If you have not entered into a Neustar DPA, that may or may not be the case.

Please contact your account manager to initiate the execution of a Neustar DPA in the event your review suggests SCCs are called for but not yet in place.

SCCs Remain Valid for Data Transfers to Neustar

While the ECJ confirmed the continuing validity of SCCs, the court indicated that data controllers who want to rely on SCCs may be required to undertake additional due diligence regarding the legal system governing access to personal data by public authorities in the data importer’s country. Specifically, the Court said that European data exporters may be obligated to verify “whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”

With respect to transfers to the U.S., the ECJ identified two U.S. government surveillance programs – “PRISM” (now “DOWNSTREAM”) and “UPSTREAM” – that, in its view, “exceed what is necessary in a democratic society for national security purposes” and disproportionately undermine the fundamental privacy rights of EU data subjects. To the extent that a particular data flow is susceptible to U.S. government surveillance under either of these programs, the ECJ concluded that controllers may need to adopt “supplementary measures” in order to ensure the level of protection required under EU law.

Based on a careful review, we have determined that neither the PRISM nor the UPSTREAM program poses a material risk of government access to the personal data of European data subjects that customers transfer to Neustar for processing on their behalf.

  • PRISM (or “DOWNSTREAM”) Data Collection: Under this program, the U.S. government may collect stored communications (the content of calls, email, chat, posts, videos, photos, files, etc.) in the possession of online services such as Microsoft (Hotmail), Google (Gmail, YouTube), Facebook, Skype, Yahoo!, AOL, etc. Neustar simply does not collect or store communications to or from European consumers on behalf of its customers: the bottom line is that Neustar has never received a request for data under this program and does not maintain information that would be responsive to an order under this program.
  • UPSTREAM Data Collection: Under this program, the U.S. Government may collect communications in transit over the Internet backbone, for instance in transit via undersea cables. For the following reasons, the UPSTREAM program does not create a material risk of governmental access to personal data transferred to Neustar.
    • First, the purpose of the UPSTREAM program is to access communications content and, as explained above, Neustar does not collect or process such content in the course of providing its products or services.
    • Second, Neustar has adopted Privacy by Design principles to minimize the collection of personal data and to safeguard the limited personal data that may be collected.
    • Third, Neustar truncates, hashes, or encrypts personal data in transit from Europe.

Below we provide greater detail regarding the security of personal data collected and transmitted from Europe.

Marketing and Data Analytics Services

Neustar provides robust safeguards for personal information transferred in connection with marketing and data analytics services. For example:

  • Application logs, which may contain full IP addresses, are transferred to the US only for internal operational purposes and retained for no more than 10 days.
  • IP addresses, which we treat as personal data, are truncated and/or hashed before being sent to the U.S.
  • Persistent identifiers that can be associated with user-level data are pseudonymous to begin with (e.g., alpha-numeric strings that are meaningless to third parties, including the government) and additionally hashed prior to transmission outside of the EEA.
  • Ad campaign identifiers and similar information are captured and transmitted in the form of alpha-numeric strings that are meaningless to third parties, including the government.
  • Neustar receives and transmits personal data about EU residents securely via Amazon’s S3 service. More information about S3 security is available from Amazon Web Services. In connection with our use of this service, Neustar deploys a number of additional safeguards. For example:
    • Data is encrypted in transit using HTTPS with TLS 1.2;
    • We are currently deploying server-side encryption at rest;
    • We have deployed a “personal data scrubber” to identify and overwrite personal data that may inadvertently appear in data feeds, e.g. email addresses, phone numbers, names, physical addresses, advertising or other persistent identifiers, dates of birth, etc.;
    • For those customers who are unable to make server-to-server transfers via Amazon’s S3 service, we support SFTP (the SSH File Transfer Protocol), which carries both commands and file data over a single encrypted SSH connection between the client and the server, so that personal data can be transferred securely over the network.
    • Finally, to the limited extent Neustar uses sub-processors, access to customer data is provided only after IP addresses and other user-level identifiers have been removed, overwritten, truncated, and/or hashed. We have entered into GDPR-compliant DPAs with our sub-processors, which include SCCs, to safeguard customer data.
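The truncation, hashing and scrubbing steps listed above are described only in outline. The following is an added example, not Neustar’s code: it processes a small constructed feed in the layout assumed here (timestamp, client IP, persistent identifier, free-text payload) before the records leave the EEA. One caveat a practitioner should keep in mind, which the note above does not spell out: an unkeyed hash of an IPv4 address or a short identifier is reversible by enumerating the input space (2^32 IPv4 addresses), so the example uses an HMAC with a key that is assumed to stay in the EEA, which keeps records joinable for the importer without letting it recover the originals. The prefix lengths (/24, /48) and scrubber patterns are assumptions chosen for illustration.

```python
"""Pseudonymise an outbound data feed before transfer outside the EEA.

Added example, not Neustar code. Assumed feed layout (constructed):
comma-separated records of timestamp, client IP, persistent identifier
and a free-text payload. The HMAC key is assumed to be held only in the EEA.
"""
import csv
import hashlib
import hmac
import io
import ipaddress
import re

# Assumed: a per-environment secret that never leaves the EEA. A plain
# SHA-256 of an IPv4 address or short ID can be brute-forced; HMAC cannot
# be inverted without the key, yet stays deterministic for joins.
EEA_PSEUDONYMISATION_KEY = b"example-key-held-in-eea-only"


def truncate_ip(ip: str) -> str:
    """Zero the host bits: /24 for IPv4, /48 for IPv6 (assumed prefix lengths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize(value: str, key: bytes = EEA_PSEUDONYMISATION_KEY) -> str:
    """Keyed hash: same input -> same token, but not recoverable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


# Scrubber patterns (constructed). Dates are matched before phone numbers so
# that a date of birth is not mis-labelled as a phone number.
SCRUB_PATTERNS = (
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\+?\d[\d\s().-]{6,}\d"), "[PHONE]"),
)


def scrub_text(text: str) -> tuple:
    """Overwrite inadvertent personal data in free text; return (text, hit count)."""
    hits = 0
    for pattern, token in SCRUB_PATTERNS:
        text, n = pattern.subn(token, text)
        hits += n
    return text, hits


FIELDS = ["ts", "client_ip", "user_id", "payload"]


def process_feed(feed: str) -> list:
    """Return records safe to ship: IP truncated, ID keyed-hashed, payload scrubbed."""
    out = []
    for row in csv.DictReader(io.StringIO(feed), fieldnames=FIELDS):
        payload, hits = scrub_text(row["payload"])
        out.append({
            "ts": row["ts"],
            "client_net": truncate_ip(row["client_ip"]),
            "user_id": pseudonymize(row["user_id"]),
            "payload": payload,
            "scrubbed_fields": hits,
        })
    return out


# Constructed sample feed: one IPv4 row, one IPv6 row, and a repeat visitor.
SAMPLE_FEED = """2020-10-21T10:00:00Z,203.0.113.45,u-7f3a9c,campaign=C42 contact=alice@example.com
2020-10-21T10:00:05Z,2001:db8:85a3::8a2e:370:7334,u-1b2c3d,campaign=C42 tel=+44 20 7946 0958
2020-10-21T10:00:09Z,198.51.100.7,u-7f3a9c,campaign=C17 dob=1990-05-03
"""

if __name__ == "__main__":
    for record in process_feed(SAMPLE_FEED):
        print(record)
```

Because the HMAC is deterministic, the first and third records still carry the same `user_id` token, so campaign analysis on the importer’s side is unaffected, while the raw identifier, the full IP address and the scrubbed contact details never leave the EEA.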

UltraDNS and Site Protect

Neustar’s DNS and DDoS mitigation services provide query response and DDoS mitigation using servers in the European Economic Area. In connection with Site Protect (DDoS mitigation), DNS traffic is processed locally, and only attack signatures and related threat data are transferred to the United States. For both services, IP addresses transferred to servers in the U.S. are sent over SSH, which combines symmetric encryption, asymmetric cryptography (for key exchange and authentication) and hashing (message authentication codes) to secure the transmission of information.

Pathfinder

Pathfinder data transmitted to servers in the U.S. may include telephone numbers (that is, the telephone number being called, but not the telephone number of the caller) but contains no other personal data. All such data is encrypted in transit using the Advanced Encryption Standard (“AES”) with a 128-bit key. Upon request, Neustar will de-identify telephone numbers in Pathfinder logs by obfuscating the last four digits of the Mobile Station International Subscriber Directory Number (“MSISDN”). While this eliminates the trans-Atlantic flow of any potential personal information, it does limit our ability to respond to customer support requests.

IP Geopoint and IP Reputation Services

Neustar receives very little data in connection with IP Geopoint/IP Reputation. In response to a customer query containing an IP address, date and time stamps, and an alpha-numeric business customer ID, Neustar returns (1) imprecise, publicly available lat/long information aggregated to the centroid of a postal code (truncated in the UK) or higher (e.g., city, state, or country) and/or (2) scores assessing the likelihood that the IP address is associated with a machine (e.g., a proxy server) and the likelihood that the IP address is associated with spam or other malicious online behavior.

Enhanced Safeguards and Continuous Improvement

Consistent with our commitment to Privacy by Design, Neustar will continue to review and refine its data collection practices to maximize personal privacy and security of personal data collected and transmitted from Europe and all other jurisdictions in which we do business.

Conclusion

Neustar is committed to complying with applicable law and best practices to safeguard consumer privacy and maintain the confidentiality and integrity of our customers’ data. While the U.S. government surveillance programs identified as the reasons for the ECJ’s invalidation of the U.S./EU Privacy Shield Framework do not pose a threat to Neustar’s processing of personal data on behalf of data controllers subject to the EU’s General Data Protection Regulation, we remain vigilant for opportunities to enhance the security of personal data.