Mersive – Transfer Impact Assessment

Transfer Impact Assessment
Updated: June 20, 2023

Mersive Technologies, Inc. (branded “Mersive”) is a U.S.-based software company that offers a training enterprise software product. Mersive collects personal data directly from its European customers, and to legalize such data transfers under EU law, Mersive has been executing Standard Contractual Clauses (“SCCs”). However, a recent decision from the European Union Court of Justice (“ECJ”) has called into question the validity of relying on SCCs to transfer data out of Europe. Accordingly, in the wake of this recent decision, Mersive investigated its data transfers and processing activities. Based on its investigation, it considers the risk to European data subjects to be relatively low, and it can likely continue to rely on the SCCs to lawfully transfer data out of the EU for the time being.

Factual Background

After a thorough investigation of its IT infrastructure and security protocols, Mersive determined that it has a number of technical and administrative controls in place that mitigate the risks of European data subjects with respect to U.S. surveillance laws.

Introduction

On July 16, 2020 the ECJ in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”) invalidated Commission Decision 2016/1250 underlying the EU-U.S. Privacy Shield framework, finding that privacy protections in U.S. law relating to intelligence agencies’ access to data does meet EU legal standards. The Court also upheld the SCCs as a lawful basis for transferring personal data from the EU to countries located outside of the EU, but indicated that companies transferring data to the United States under the SCCs are now responsible for undertaking their own independent analyses of all relevant and current U.S. law relating to intelligence agencies’ access to data, as well as the facts and circumstances of data transfers and any applicable safeguards, in assessing whether the data transfers offer adequate protection under EU law.

In Shrems II, the ECJ examined issues stemming from the concern that U.S. intelligence agencies might access transferred data under two U.S. laws: (1) Executive Order 12333 (“EO 12333”), a general directive organizing U.S. intelligence activities, which does not include any authorization to compel private companies to disclose data, and (2) Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), a federal statute establishing a judicial process authorizing a specific type of data collection. Pursuant to FISA 702, a court may authorize the government to conduct targeted surveillance of foreigners located outside of the United States, with the required assistance of U.S. electronic communication service providers, to acquire foreign intelligence information. The U.S. government uses the information collected to protect the U.S. from foreign adversaries such as terrorists, weapons proliferators, and spies.

In the wake of Shrems II, the European Data Protection Board (“EDPB”) published guidance outlining the steps to take to assess and protect cross-border data flows in accordance with EU law. An analysis of each of these steps is set forth below.

Step 1: Determine what data transfers are taking place and map them.
Step 2: Determine what transfer mechanism will be relied on.
Step 3: Assess whether there is anything in the law or practice of the U.S. that may impinge on the effectiveness of the appropriate safeguards of the chosen transfer mechanism (here, the SCCs) in the context of the specific transfer.
Step 4: Identify and adopt supplementary measures that are necessary to bring the level of protection of the transferred data up to EU standards, if Step 3 reveals that U.S. legislation impinges on the effectiveness of the appropriate safeguards of the chosen data transfer mechanism.

Step 1. Data Transfers

Upon its investigation, Mersive determined that in the normal course of its business, Mersive collects personal data from its European customers and transfers personal data of its customers to the United States.

Step 2. Lawful Data Transfer Mechanism

Mersive utilizes SCCs as a lawful basis for transferring data out of the EU.

Step 3. U.S. Law’s Effectiveness on Transfer Mechanism

The Wiretap Act, Electronics Communications Privacy Act of 1986, and Stored Communications Act

The Omnibus Crime Control and Safe Streets Act of 1968 (the “Wiretap Act”) prohibits the interception and disclosure of wire, oral and electronic communications, and the manufacture, distribution and possession of such interception devices. Originally the Wiretap Act only applied to oral and wire communications, but the Electronic Communications Privacy Act of 1986 (“ECPA”) broadened the application of the statute by expanding the types of communications to which the statute applied to cover electronic communications.

The Wiretap Act and ECPA require law enforcement authorities to obtain a judicial order authorizing interception of oral, wire, and electronic communications, based on a showing of probable cause that particular communications evidencing one of the crimes covered by the statute (consisting of serious felonies) will be obtained. Such a showing requires a full and complete statement of the facts and circumstances, including details underlying the alleged offense and a description of the nature and location of the facilities or place to be wiretapped, the types of communications to be intercepted, and the persons committing the offense and whose communications are to be intercepted.

Law enforcement authorities must also describe all other investigative techniques that have been tried and failed or explaining why such techniques are likely to be unsuccessful or too dangerous. The court must determine, prior to granting the order, that normal investigative procedures have been or would be unsuccessful or excessively dangerous. The government’s application must also show that the surveillance will be conducted with procedures in place to minimize the interception of communications irrelevant to the investigation.

The Wiretap Act applies to the live interception of communications and the Stored Communications Act (“SCA”) applies to the collection of stored communications maintained by third-party service providers. The SCA generally prohibits the unauthorized access of a facility through which an electronic communication service is provided, and sets forth requirements that law enforcement authorities must meet in order to require a third-party service electronic communications or remote computing service provider to disclose stored electronic communications. The SCA generally requires law enforcement authorities to obtain a search warrant in order to compel such a provider to disclose the contents of stored electronic communications.

Foreign Intelligence Surveillance Act

FISA establishes the standards and procedures for conducting electronic surveillance for foreign intelligence purposes in the U.S. For foreign intelligence surveillance directed at persons located within the United States, FISA generally requires the government to obtain an order on an individualized basis and demonstrate probable cause, similar to the type of order required under the Wiretap Act, except that instead of showing that there is probable cause to believe that the surveillance will yield evidence of a crime, the government must show probable cause to believe that the target of the surveillance is a foreign power or an agent of a foreign power (which can include a foreign terrorist group).

In 2008, FISA was amended to authorize intelligence authorities to conduct foreign intelligence surveillance of non-U.S. person targets located outside the U.S. by compelling electronic communications service providers to disclose the communications of such a target. This does not require individual warrants issued by the Foreign Intelligence Surveillance Court (“FISC”) because the targets of such surveillance are not U.S. citizens and as such are not protected by the Fourth Amendment of the U.S. Constitution. Nonetheless, the exercise of this authority is subject to multiple layers of oversight from the executive branch, the FISC (which is made up of independent judges), and congressional intelligence committees with multiple levels of internal review and technological controls over access to the data.

Executive Order 12333

EO 12333 was signed by Ronald Reagan in 1981 and was intended to expand the powers and responsibilities of U.S. intelligence agencies and direct the leaders of U.S. federal agencies to fully cooperate with CIA requests for information. Unlike FISA, surveillance under EO 12333 does not rely on the compelled assistance of electronic communications service providers. The technical details remain classified and obscure, but the NSA has confirmed it involves exploiting vulnerabilities in telecommunications infrastructure. Based on reports, there is a high likelihood that the EO 12333 surveillance consists primarily of the NSA and its confederates opportunistically collecting unencrypted data collected from the Internet Backbone. As a result, the use of well-deployed Transport Layer Security (TLS) or IPSec to encrypt data in transit is likely sufficient to defeat this type of collection under EO 12333.

There are controls around how U.S. government agencies can obtain signals intelligence. In 2014, President Obama issued Presidential Policy Directive 28 (PPD-28) which directed US intelligence agencies to review their policies regarding the treatment of non-U.S. persons in connection with signals intelligence programs. Effectively, PPD-28 imposes restrictions on signals intelligence activities, including those conducted under FISA 702 and EO 12333, regardless of the target’s nationality or location. Because of the way in which EO 12333 is used in practice, it appears that it could and may be being used to intercept all data that is coming into the U.S., which could theoretically include personal data transferred to the U.S. by Mersive.

Essential Guarantees

In order for U.S. surveillance measures to be considered to provide an “essentially equivalent” level of protection provided by EU law, they should comply with the following four “European Essential Guarantees”:

(a) Processing should be based on clear, precise and accessible rules

Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated

(b) An independent oversight mechanism should exist

The ECJ in Shrems II found that FISA 702 and EO 12333 failed all four of these tests and thus any entity that may be subject to FISA 702 or EO 12333 could not be said to be providing an essentially equivalent level of protection to that found under EU law.

However, a concern the ECJ raised in Schrems II with respect to FISA 702 is whether the FISC supervises whether individuals are properly targeted. However, the FISC is, in fact, actively involved in supervising whether individuals are properly targeted. Under the FISA 702 targeting procedures that are approved annually by the FISC, the National Security Agency (“NSA”) analysts are required to provide a written explanation of their targeting rationale, which is reported to attorneys in the Department of Justice (“DOJ”) for compliance with the applicable legal standards set forth in the targeting procedures. The DOJ is then required to report compliance incidents to the FISC, which can impose remedial action. Accordingly, the FISC does supervise the NSA’s assessments that individuals have been properly targeted for purposes of acquiring foreign intelligence information.

Another concern the ECJ had with FISA 702 in Shrems II was whether U.S. law provides individual redress for violations of FISA 702. Several U.S. statutes authorize individuals (including EU citizens) to seek redress in U.S. courts through civil lawsuits for violations of FISA, including Section 1810 of FISA, Section 2712 of the Electronic Communications Privacy Act (18 U.S.C. § 2712), and Section 702 of the Administrative Procedure Act (5 U.S.C. § 702). Notably, FISA allows anyone who has been subject to surveillance and whose communications are used or disclosed unlawfully to seek damages (both compensatory and punitive) and attorney’s fees, and the Electronic Communications Privacy Act also provides for compensatory damages and attorney’s fees against the U.S. government for willful violations of FISA. Indeed, U.S. courts have reviewed the legality of governmental data collection under FISA in various lawsuits.

Finally, additional privacy safeguards have been added to FISA 702 since the Privacy-Shield framework was first implemented and were therefore not considered by the ECJ in the Shrems II decision. For example, in January 2018 former President Trump signed into law the FISA Amendments Reauthorization Act of 2017 which added additional protections and safeguards with respect to FISA 702.

See U.S. Department of Commerce September 2020 White Paper: Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II, https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.

According to the EDPB, subjective factors such as the likelihood of public authorities’ access to a company’s data in a manner not in line with EU standards should not be considered as part of the transfer impact assessment. However, the European Commission appears to believe that these subjective factors should be relevant to the assessment. In line with the European Commission, Mersive takes the position that the assessment of the risks associated with any foreign surveillance law should take into account of subjective factors applicable to the specific transfers in question.

As described above, Mersive provides software services to businesses and the data it collects and transfers across borders is limited to European customer data. Such data is inherently of limited national security value. In addition, Mersive has never received a request from intelligence and security services to provide data in the past, and it is unlikely to have data intercepted by U.S. intelligence based on their nature. Finally, Mersive is much smaller compared to other organizations that appear likely to be subject to FISA 702 (e.g. Facebook, Google, AWS), and as discussed above, Mersive encrypts data in transit and such encryption should withstand any attempt of U.S. government authorities to gain access to it.

Analysis of Essential Guarantees with respect to Mersive’s Transfers

(a) Clear, Precise, and Accessible Rules for Processing

Mersive puts different types of parameters and security measures in place for all of its processing activities. It maintains comprehensive security and data protection policies that require: (i) employees of Mersive and any third parties authorized to use Mersive’s systems and data to ensure that they are familiar with and comply with Mersive’s security and data protection policies; (ii) personal data to be collected, used, and otherwise processed in compliance with the GDPR and all other applicable data protection laws; (iii) personal data to be secured against unauthorized access and/or processing; and (iv) security concerns or breaches to be reported to Mersive’s information security team and investigated promptly. In addition, Mersive conducts training programs and maintains contracts with its customers and sub-processors with respect to data usage, including data processing agreements in compliance with GDPR. Mersive takes privacy concerns very seriously and it does not disclose personal data to third parties wherever possible.

(b) Necessity and Proportionality

Mersive collects and transfers only the data that is necessary to perform its operational functions. The personal data of its customers that Mersive collects and transfers is not particularly sensitive as it is mainly contact information that is publicly available, and Mersive requires this information for its legitimate business and operational purposes.

In order to oversee Mersive’s data protection strategies and obligations, and to ensure its compliance with GDPR, Mersive regularly conducts thorough investigations regarding the data collected, stored, and transferred; reviews current data governance practices on a periodic basis; validate consent procedures; has assigned data protection leads within the organization; has established procedures for reporting breaches; has developed a framework of policies and procedures to support data subject rights; and requires privacy protection by design and default in all software development efforts and business processes.

(d) Effective Remedies

Mersive is available to handle data subjects’ requests and complaints regarding the processing of their personal data. In the unlikely event Mersive becomes subject to a governmental order, and to the extent Mersive is permitted under U.S. law, it will provide adequate notice to the relevant individuals and information about how they can seek redress in U.S. courts.

Step 4. Additional Safeguards

As set forth above, Mersive has implemented reasonable security protocols and policies to protect and monitor Mersive’s data processing and transfer activities, including encryption at rest and in transit, and other measures. Such protocols constitute sufficient safeguards necessary to protect the privacy and data protection rights of European data subjects.

Conclusion

To summarize, Mersive’s data transfers are limited to what is necessary for its intended business purposes, and are not of interest to U.S. intelligence agencies. Indeed, as set forth above, Mersive has never been subject to U.S. intelligence surveillance attempts. In balancing all of the facts and circumstances with respect to Mersive’s security protocols and data transfers, in addition to the landscape of U.S. surveillance laws, Mersive has determined that its ongoing transfers of data out of the EU within the scope of the services it provides presents an overall low risk to the data protection rights of European data subjects.