- Context: The Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield (Privacy Shield) as a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. The CJEU continues to view standard contractual clauses (SCCs) as a valid mechanism in the abstract, though this may be challenged on a case-by-case basis if the circumstances surrounding the transfer impinge on the adequate level of protection afforded by the SCCs.
- Rapid7 action: In light of the CJEU’s ruling, Rapid7 updated our Data Processing Addendum to, among other things, incorporate SCCs where required for the transfer of personal data outside of the EU or the UK. We are also continuing to monitor for further guidance from the EU supervisory authorities, including on any supplementary measures that we may undertake as a data importer.
- Ongoing commitments: Rapid7 upholds high standards of privacy and security for customer data. As such, we reiterate our commitment to provide for increased customer control over where their cloud data is stored and restrict access to such data, and to never sell customer data. In addition, we aim to be transparent with our customers about government requests that we receive for their data.
Background on changes to legal mechanisms for EU-US data transfer
On July 16, 2020, the CJEU invalidated Privacy Shield in the Schrems II case (also known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems). Privacy Shield was a voluntary program developed to enable companies to self-certify adherence to certain privacy protections for the transfer of personal data from the EU to the US. It was implemented to replace the Safe Harbor framework, which was struck down by the CJEU in 2015 and has since been operated by the US Dept. of Commerce. The recent CJEU decision echoes that of the 2015 ruling, concluding that US national security surveillance laws and programs are in conflict with Europeans’ fundamental right to privacy, and that the Privacy Shield did not provide an adequate level of protection or remedy to EU data subjects.
Although the CJEU invalidated Privacy Shield, the CJEU concluded that the SSCs, issued by the European Commission, continue to be a valid mechanism for companies to transfer personal data outside the EU, but may be challenged on a case-by-case basis, especially where national security laws conflict with the guarantees provided by the data importer in such clauses. As such, the CJEU noted that it’s the primary responsibility of the data exporter and data importer to assess whether supplemental measures are necessary to ensure an adequate level of protection, but did not specify what such supplemental measures could be. The European Data Protection Board recently also issued a statement that it’s analyzing the CJEU’s decision and expects to issue further guidance on what those supplemental measures could consist of.
Rapid7 actions in the wake of Schrems II
Since this landmark ruling, Rapid7 has taken immediate steps to ensure minimum disruption for our customers, including updating our Data Processing Addendum to incorporate SCCs to the extent required under applicable data protection law. The Data Processing Addendum also enumerates our commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subjects’ rights, notice of security incidents, and more.
Over the coming months, we anticipate the EU supervisory authorities to issue additional guidance on how to comply with the new legal landscape after the Schrems II decision, including what the supplementary measures could consist of. In addition, the current form of the SCCs were written before GDPR went into effect and may be due for an official revision; we continue to keep a close eye on forthcoming guidance to stay up to date.
In the meantime, we continue to uphold our obligations and commitments to our customers under our contracts, under GDPR, and under the Privacy Shield framework for the data we collected and transferred under that framework.
Rapid7’s ongoing commitment to privacy and security
While the CJEU’s ruling on the Privacy Shield complicates EU-US data transfers, it changes little regarding the paramount importance Rapid7 places on the privacy and security of our customers’ data. Rapid7 maintains a robust security and privacy program that is outlined in detail on our Trust page.
Importantly, Rapid7 does not sell, rent, or trade customers’ personal data. When Rapid7 accesses data hosted in the EU, it is in service to our customers, such as: to provide our customers 24/7 technical support for their most critical issues, to deliver the right security solutions or to optimize their experience. Rapid7 also gives customers control over where their cloud data is stored regionally. In addition, Rapid7 redirects to the customer any government requests for their data that we may receive, and contractually commits to providing advance written notice of any compulsory requests to access their data unless prohibited by law from doing so.
Rapid7 remains committed to maintaining the highest levels of privacy and security for our customers, and will continue to drive enhancements to our data protection safeguards. For more information about our security and privacy program, please email email@example.com.