Last Modified: October 21, 2020
In light of the decision of the Court of Justice of the European Union (the “ECJ”) in the “Schrems II” case, EU data controllers are reviewing the data transfer mechanisms they rely upon for transferring personal data pursuant to Article 46 of the General Data Protection Regulation (“GDPR”). This note is issued to our EU data controller customers to assist in such a review as it relates to the transfer of EU personal data to Neustar in the U.S. and other so-called “third countries”, i.e., countries for which the European Commission has not issued an adequacy decision finding that their protection of individuals’ personal data is essentially equivalent to that available within the EU.
The information below is intended to:
PLEASE NOTE: The Schrems II decision has no effect, and no additional action needs to be taken by either Neustar or our customers, unless and to the extent that EU personal data you transfer is actually processed by Neustar in connection with its provision of the applicable products or services and such processing takes place outside the EU. There are many situations where Neustar’s provision of products or services does not involve the processing of EU personal data and/or such processing only takes place in the EU. Where such a situation is applicable, it will be reflected in the governing purchase or services agreement. In the event that Article 46 transfers are outside the scope of our relationship, no further examination of the impact of Schrems II is necessary.
Neustar has utilized the U.S./EU Privacy Shield Framework to support personal data flows from the European Union and has also entered into GDPR-compliant Data Protection Agreements (“DPAs”) with customers for whom we process personal data of EU data subjects. Section 12 of Neustar’s standard DPA provides that the Commission-approved Standard Contractual Clauses (“SCCs”) spring into effect automatically upon the commencement of a transfer that would otherwise be prohibited by applicable data protection laws. Because, under the ECJ decision, EU data controllers can no longer rely on Privacy Shield commitments, personal data transfers from the EU under the Neustar DPA are now governed by the SCCs. If you have not entered into a Neustar DPA, that may or may not be the case.
Please contact your account manager to initiate the execution of a Neustar DPA in the event your review suggests SCCs are called for but not yet in place.
While the ECJ confirmed the continuing validity of SCCs, the court indicated that data controllers who want to rely on SCCs may be required to undertake additional due diligence regarding the legal system governing access to personal data by public authorities in the data importer’s country. Specifically, the Court said that European data exporters may be obligated to verify “whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”
With respect to transfers to the U.S., the ECJ identified two U.S. government surveillance programs – “PRISM” (now “DOWNSTREAM”) and “UPSTREAM” – that, in its view, “exceed what is necessary in a democratic society for national security purposes” and disproportionately undermine the fundamental privacy rights of EU data subjects. To the extent that a particular data flow is susceptible to U.S. government surveillance under either of these programs, the ECJ concluded that controllers may need to adopt “supplementary measures” in order to ensure the level of protection required under EU law.
Based on a careful review, we have determined that neither the PRISM nor the UPSTREAM program poses a material risk of government access to personal data transferred to and processed by Neustar by or on behalf of customers transferring personal information of European data subjects.
Below we provide greater detail regarding the security of personal data collected and transmitted from Europe.
Neustar provides robust safeguards for personal information transferred in connection with marketing and data analytics services. For example:
Neustar’s DNS and DDoS mitigation services provide query response and DDoS mitigation using servers in the European Economic Area. In connection with Site Protect (DDoS mitigation), DNS traffic is processed locally, and only attack signatures and related threat data are transferred to the United States. For both services, IP addresses transferred to servers in the U.S. are protected in transit using SSH, a protocol that combines asymmetric cryptography (for key exchange and host authentication), symmetric encryption (for confidentiality of the session) and cryptographic hashing (for integrity of the transmitted data).
Pathfinder data transmitted to servers in the U.S. may include telephone numbers (i.e., the telephone number being called, but not the telephone number of the caller) but contains no other personal data. All such data is encrypted in transit using the Advanced Encryption Standard (“AES”) with 128-bit keys. Upon request, Neustar will de-identify telephone numbers in Pathfinder logs by obfuscating the last four digits of the Mobile Station International Subscriber Directory Number (“MSISDN”). While this eliminates the trans-Atlantic flow of any potential personal information, it does limit our ability to respond to customer support requests that require locating a specific number in the logs.
Neustar receives very little data in connection with IP Geopoint/IP Reputation. In response to a customer query containing an IP address, date and time stamps, and an alpha-numeric business customer ID, Neustar returns (1) imprecise, publicly available lat/long information aggregated to the centroid of a postal code (truncated in the UK) or higher (e.g., city, state, or country) and/or (2) scores assessing the likelihood that the IP address is associated with a machine (e.g., a proxy server) and the likelihood that the IP address is associated with spam or other malicious online behavior.
Consistent with our commitment to Privacy by Design, Neustar will continue to review and refine its data collection practices to maximize personal privacy and security of personal data collected and transmitted from Europe and all other jurisdictions in which we do business.
Neustar is committed to complying with applicable law and best practices to safeguard consumer privacy and maintain the confidentiality and integrity of our customers’ data. While the U.S. government surveillance programs identified as the reasons for the ECJ’s invalidation of the U.S./EU Privacy Shield Framework do not pose a threat to Neustar’s processing of personal data on behalf of data controllers subject to the EU’s General Data Protection Regulation, we remain vigilant for opportunities to enhance the security of personal data.