Last reviewed: June 2024
Background to & Purpose of this Transfer Impact Assessment This Transfer Impact Assessment (TIA) has been prepared in response to the Schrems II decision, the six step process provided in the EDPB Recommendations, the UK ICO's Transfer Risk Assessment guidance, and for the purposes of clauses 14(a) and 14(c) of the EU Standard Contractual Clauses and UK Addendum to the EU Standard Contractual Clauses, in connection with the international transfer of personal data.
It provides an assessment of whether the laws or practice of the third countries where Elucidat Ltd (Elucidat) processes personal data impinge on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR/UK GDPR transfer tools.
Topics covered in this TIA have also been developed to complement the requirements set out in the United Kingdom's Information Commissioner's Office Transfer Impact Assessment guidance released in December 2023.
This TIA provides a detailed overview of the local laws of the United States of America, the third country to which personal data is transferred by Elucidat. This TIA then considers the impact laws of the USA may have on the effectiveness of the security measures adopted by Elucidat.
Where any risks have been identified, this TIA provides details of the appropriate supplementary measures which Elucidat implements to mitigate these risks, and to help ensure the level of protection afforded by EU and/ or UK law standards are maintained.
In addition to fulfilling Elucidat's data protection obligations under the Standard Contractual Clauses and the UK's Addendum to the Standard Contractual Clauses, this TIA will assist Elucidat's customers with their own due diligence obligations as data controllers and/or data exporters.
1. EDPB STEP ONE: KNOW YOUR TRANSFERS
Purpose of Processing
- Elucidat processes customer personal data to provide its subscription-based online e-learning authoring software. The software provides subscribers with the ability to simply and quickly author and publish online e-learning.
- Elucidat collects names, addresses, email addresses, contact details, passwords, and profile information provided by its subscribers and learners, subscriber personal information included in course content, usage data, preferences/personalisation details, evidence of opt-ins, contact permissions and other privacy consents/unsubscribe requests and any special category data contained in the course content in order to provide its services.
Location of Customer Data
- Outside of the EU and UK, Elucidat may process customer personal data in the USA to provide its services as set out in more detail in section 2.
2. EDPB STEP TWO: IDENTIFY TRANSFER TOOLS
Where Elucidat utilises any third party processors or sub-processors, it ensures a lawful transfer mechanism is in place between Elucidat and the relevant processor.
For any transfers outside the EEA and/or the UK, where a country has not received an adequacy decision by the European Commission or the UK Government (as applicable), Elucidat relies on the Standard Contractual Clauses adopted by the Commission as referred in GDPR Article 46 Para 2 (C) (SCCs) or, where applicable, the UK Addendum to the SCCs, as the lawful transfer mechanism to third countries unless otherwise stated below. Further details in connection with the transfers to Elucidat's processors are available at Third Party Subprocessors.
3. EDPB STEP THREE: "ASSESS" THIRD COUNTRY SUMMARY OF LOCAL LAWS: UNITED STATES OF AMERICA
3.1 Are there laws which establish the rule of law and which protect human rights and fundamental freedoms?
The United States Constitution and Bill of Rights provide broad civil rights protections. For example, the First Amendment of the US Constitution protects the right to free speech, to peaceful assembly and to petition the government for redress, the Fourth Amendment protects against unreasonable search and seizure by the government (which has been construed to generally require a warrant for surveillance of electronic communications, outside the context of foreign intelligence activities directed outside the United States), the Fifth Amendment provides the right to due process of law and the right not to be compelled to incriminate oneself, the Sixth Amendment provides for a trial by jury and the right of confrontation, and the Eighth Amendment protects individuals from cruel and unusual punishment. In addition, the US Supreme Court has identified fundamental rights not explicitly stated in the Constitution, such as the presumption of innocence in a criminal trial rebuttable only by proof beyond a reasonable doubt. The United States Congress has also passed many various laws that protect individual freedoms in the privacy context, some of which specifically impose limitations on government search or surveillance of data, as discussed below.
3.2 What are the laws regulating public authority surveillance of personal data held by private organisations?
The United States has various federal and state laws that regulate electronic surveillance and protect privacy rights in that context. The key federal laws are as follows:
Omnibus Crime Control and Safe Streets Act of 1968 (18 U.S.C. §§ 2510-2522) Title III, also known as the Wiretap Act, broadly prohibits the interception and disclosure of wire, oral and electronic communications, as well as the manufacture, distribution and possession of such interception devices. At the same time, it establishes a detailed regulatory regime under which federal and state government authorities may, in certain criminal investigations, intercept, disclose and use such communications as evidence. Originally the Act only applied to 'oral' and 'wire' communications but the Electronic Communications Privacy Act of 1986 ('ECPA') broadened the application of the statute by expanding the kinds of communications to which the statute applied to also cover 'electronic' communications. Where it applies, the statute requires law enforcement authorities to obtain a judicial order authorising interception of oral, wire, and electronic communications, based on a showing of probable cause that particular communications evidencing one of the crimes covered by the statute (consisting of serious felonies) will be obtained through the intercept. This requires a 'full and complete statement of the facts and circumstances,' including 'details' underlying the alleged offense and a 'particular description' of the nature and location of the facilities or place to be wiretapped, the types of communications to be intercepted, and the persons committing the offense and whose communications are to be intercepted. The application must also contain a 'full and complete statement' describing all other investigative techniques that have been tried and failed or explaining why such techniques are likely to be unsuccessful or too dangerous. The court must determine, prior to granting the order, that 'normal investigative procedures' have been or would be unsuccessful or excessively dangerous. The government's application must also show that the surveillance will be conducted with procedures in place to minimise the interception of communications irrelevant to the investigation.
Stored Communications Act (18 U.S.C. § 2701 - 2712) Title II of the ECPA is the Stored Communications Act ('SCA'). Whereas the Wiretap Act applies to the live interception of communications, the SCA applies to the collection of stored communications maintained by third-party service providers. The SCA generally prohibits the unauthorised access of a facility through which an electronic communication service is provided. It also sets forth requirements that law enforcement authorities must meet in order to require a third-party service electronic communications or remote computing service provider to disclose stored electronic communications. In this regard, the SCA generally requires law enforcement authorities to obtain a search warrant in order to compel such a provider to disclose the contents of stored electronic communications.
Foreign Intelligence Surveillance Act (15 U.S.C. § 1681) ('FISA') establishes standards and procedures for conducting electronic surveillance for foreign intelligence purposes in the United States. FISA can be used when foreign intelligence is a 'significant purpose' of the investigation and orders permitting surveillance are issued by the Foreign Intelligence Surveillance Court ('FISC'). Surveillance methods include wiretaps, pen register, trap and trace and video surveillance. For foreign intelligence surveillance directed at persons within the United States, FISA generally requires authorities to obtain a judicial order authorising the surveillance, similar to the type of order required under the Wiretap Act, except that instead of showing that there is probable cause to believe that the surveillance will yield evidence of a crime, the government must show probable cause to believe that the target of the surveillance is a foreign power or an agent of a foreign power (which can include a foreign terrorist group).
FISA was not originally intended to apply to foreign intelligence surveillance activity directed outside the United States, which traditionally was done through interception of communications transmitted via satellite or undersea cable. In 2008, FISA was explicitly amended to authorise intelligence authorities to conduct foreign intelligence surveillance of non-US person targets located outside the United States by compelling electronic communications service providers to disclose the communications of such a target. While this authority does not require individual warrants issued by the FISC (since the targets of such surveillance are not US persons and as such are not protected by the Fourth Amendment of the US Constitution), the exercise of this authority is nonetheless subject to multiple layers of oversight from the executive branch, the FISC (made up of independent judges), and congressional intelligence committees alongside multiple levels of internal review and technological controls over access to the data. It is also subject to Presidential Policy Directive 28 ('PPD-28'), an executive directive that requires signals intelligence activities to be 'as tailored as feasible.'
Cloud service providers fall specifically within the scope of Section 702 of FISA, which provides that information must be acquired from an electronic communication service provider, including remote computing service providers that provide computer storage or processing services to the public. The DNI, DOC, and DOJ jointly produced a whitepaper discussing factors that companies should consider in their assessment of post-Schrems compliance with SCCs, specifically discussing the safeguards in place for those transferring personal data from the EU to the U.S. Of particular note, the whitepaper states:
"As a practical matter, for many companies the issues of national security data access that appear to have concerned the ECJ in Schrems II are unlikely to arise because the data they handle is of no interest to the U.S. intelligence community… Indeed, the overwhelming majority of companies have never received orders to disclose data under FISA 702 and have never otherwise provided personal data to U.S. intelligence agencies."
Reference was made in the Schrems II case to Executive Order 12333 ("EO12333"). EO12333 requires U.S. intelligence authorities to limit U.S. signals intelligence activities to what is necessary and proportionate. This is a direct response to the first of the two tests for EU adequacy that the CJEU found the Privacy Shield failed. The Schrems II decision states that “[n]either Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD-28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.”
EO12333 assigns the different U.S. intelligence agencies responsibilities related to clandestine intelligence collection and places restrictions on certain agencies’ activities. EO 12333 does not authorize the U.S. government to require any company or person to disclose data, including data transferred under SCCs. The whitepaper suggests that there is little to no concern with EO12333 as it relates to complying with the new SCCs.
The key points of the whitepaper are as follows:
Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II.
The US White Paper directly states: “The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data. Moreover, this theoretical possibility exists with respect to data held anywhere in the world, so the transfer of data from the EU to the United States in particular does not increase the risk of such unilateral access to EU citizens’ data. In summary, as a practical matter, companies that fall in this category have no reason to believe their data transfers present the type of data protection risks that concerned the ECJ in Schrems II.”
There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
The U.S. government frequently shares intelligence information with EU Member States, including data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. Sharing of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the Member States.
There is a wealth of public information about privacy protections in U.S. law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016, and information the ECJ neither considered nor addressed.
California's California Consumer Privacy Act of 2018 ('CCPA') and California Privacy Rights Act ('CPRA') require qualifying businesses to operate under strict obligations as to how they handle, sell, and share the personal information of Californian residents, introducing privacy requirements that align closely with the GDPR.
In addition to this, Protection Act ('ADPPA') has been tabled and is expected to come into force once approved. Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 ('GLBA'), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 ('COPPA'), which imposes requirements on operators of websites or online services directed to children under 13 years old.
3.3 What legal bases/purposes are there for public authorities to access personal data held by private organisations? Are these bases/purposes exhaustive or do public authorities have general discretion?
Law enforcement authorities in the US, like law enforcement authorities in many countries, have the authority to issue subpoenas to persons or companies for records in their custody, possession, or control that are relevant to a pending law enforcement investigation. Such records may include personal data. For example, it is common in law enforcement investigations for authorities to subpoena a person's telephone call records or bank records, which may contain personal data.
With respect to various specific types of information, there are heightened requirements in place. Most importantly, as indicated above, with respect to the content of communications, the government generally cannot intercept such communications or compel a third-party communications provider to disclose such communications without an appropriate judicial order or warrant, based on a showing of probable cause to believe that the interception or disclosure will yield evidence of a crime.
3.4 What other limits, such as limits to scope or retention periods, are there to the actions of public authorities?
Generally there are no specific retention periods required by statute. However, agencies may impose their own retention limits. Moreover, under the Fourth Amendment, any electronic search or surveillance must be conducted in a reasonable manner, meaning that law enforcement agents must tailor the scope of their search or surveillance based on what is relevant to the investigation.
3.5 Has an independent supervisory authority been established which provides oversight for the protection of privacy, and what is their role?
The courts and the Federal Trade Commission (FTC) are the primary mechanism for oversight of privacy protections, particularly in the criminal context.
The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain security of sensitive consumer information.
On 7 October 2022, the US President signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the EU - US Data Privacy Framework ('EU-US DPF'), which aims to restore the legal basis for transatlantic data flows by addressing concerns expressed by the Court of Justice of the European Union ruling in Schrems II, whereby the Privacy Shield framework was invalidated as a EU-US data transfer mechanism.
On 10 July 2023 the European Commission formally endorsed the EU-US DPF. The EU-US DPF sets out various measures to govern the protection of personal data transferred to self-certified US organisations. Notably, data subjects in the EU/EEA will be able to access a redress/complaint scheme in relation to intelligence services processing.
In its Implementing Decision the European Commission said it considers that level of protection for personal data exported under the EU-US DPF would be “essentially equivalent” to the protection the data would benefit from under the GDPR with "new binding safeguards to address all the concerns raised” by the CJEU in the Schrems and Schrems II rulings. The Commission's assessment is that the EU-US DPF will limit US intelligence agencies' access to EU data to what is necessary and proportionate, with a right of redress for EU citizens.
On 12 October 2023 the UK Government confirmed that organisations operating in the UK may also rely on the EU-US DPF from transfers from the UK to the US, relying on the UK Extension to the DPF ('UK Extension').
As a result, data exporters should confidently be able to conclude that US law as it pertains to organizations certified under the EU-US DPF or the UK Extension (together the 'DPF'), meets UK and EU requirements for adequacy
3.6 What are the oversight mechanisms for the approval and review of relevant actions by public authorities? Are there oversight mechanisms in place for when actions by public authorities are conducted in secret?
As described above, for searches or surveillance of electronic communications, generally a warrant or judicial order is required, which must be approved by a neutral magistrate judge. Moreover, in the event that evidence gathered through such searches or surveillance is used as criminal evidence against a person, the person may challenge the admissibility of the evidence - including challenging the validity of the warrant or judicial order - if it was obtained in an unconstitutional or otherwise unlawful manner.
US laws also provide electronic communication service and remote computing service providers with a mechanism to challenge orders compelling disclosure of customer communications. Both the SCA and the FISA contain such provisions. In addition, the USA FREEDOM Act brought more transparency to government surveillance activities, including by requiring reporting certain information to Congress and the public each year and requiring FISC to make their orders publicly available if they were deemed to address any novel Fourth Amendment legal interpretations. Additionally, the Act allows companies to issue more detailed data about the demands for user information that they receive from the government. For instance, a number of organisations now release an annual transparency report indicating a range of national security letters ('NSLs') and other information requests they have received from the government.
Enforcement of the DPF continues to be by the FTC and the Department of Transport. The European Commission and UK Government will monitor the DPF through periodic checks and ensure compliance by US authorities. If the US does not meet its commitments, the DPF could be suspended by the UK or EU.
3.7 Are there legal remedies for data subjects?
As above, the courts are the primary mechanism for oversight of privacy protections in relation to actions by public authorities. In the criminal context, criminal defendants may challenge the admissibility of evidence on the basis that the surveillance or other method of obtaining such information was unconstitutional or otherwise unlawful.
Additionally, US law also provides various ways in which individuals can sue the government or individual government officials if they have been harmed by search or surveillance activity that is unconstitutional or unlawful, although such lawsuits can be limited by various sovereign or official immunity doctrines, depending on the facts.
The US Government has implemented a two-tier mechanism to address complaints from individuals in the UK or EU where data has been transferred to the US, in respect of access by US intelligence agencies. Individuals can submit complaints to their national data protection authority, which are then passed to the US via the European Data Protection Board. The initial investigation of complaints is performed by the US intelligence community's 'Civil Liberties Protection Officer'. If needed, individuals can appeal a complaint to the newly established Data Protection Review Court (DPRC), an independent entity comprised of individuals who are not part of the US Government. The DPRC can enact binding decisions, including the ability to order the deletion of improperly collected data. Throughout the investigation, the court appoints a special advocate to represent the complainant's interests. Once the investigation concludes, the complainant is informed that either no violation of US law was identified, or that a violation was found and remedied. A reasoned decision of the court can be released later once and if confidentiality requirements have concluded.
3.8 Can an organisation refuse to comply with a request and what remedies are available to them?
Yes, any organisation served with a warrant, subpoena or other form of legal process requiring disclosure of a customer's data may seek to challenge the legitimacy of the order and seek to quash it in court if it believes the order is somehow unlawful. In particular, an organisation may challenge such process on the ground that it would require them to violate foreign data privacy laws. In the face of such a challenge, if the court finds there to be a true conflict of laws, the court will apply a balancing test that weighs the US interests in enforcing the process against the interests of the foreign sovereign.
3.9 Do the above provisions apply to both residents/citizens of the jurisdiction and to foreign data subjects? If not, what are the differences?
The US Constitution does not apply to non-US citizens outside the United States and therefore the protections in the Fourth Amendment do not apply to non-US citizens abroad.
FISA, which specifically permits foreign intelligence surveillance of non-US persons located outside the US, provides for multiple layers of oversight from the executive branch, the FISC and congressional intelligence committees. Additionally, through PPD-28, the executive branch has extended some limitations designed to ensure that even signals intelligence activity directed towards non-US citizens abroad is as tailored as feasible, taking into account the availability of other sources of information.
3.10 Has the jurisdiction entered into international commitments, such as legally binding conventions or instruments related to data protection? For example, Convention 108.
The United States has Mutual Legal Assistance Treaties with a number of countries including the United Kingdom and every member of the EU. It is also a member of the Budapest Convention on Cybercrime which serves as a framework for international cooperation between parties to the Convention regarding the exchange of evidence and information in cybercrime-related matters, including electronic data. The United States has a CLOUD Act Agreement with the United Kingdom which makes it easier for American and British law enforcement agencies, with appropriate authorization, to obtain electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from communication providers / technology companies based in the other country.
4. EDPB STEP 4: IDENTIFY SUPPLEMENTARY MEASURES AND ASSESS RISK
Measures in relation to
- encryption of personal data:
- ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing;
- user identification and authorization;
- the protection of data during transmission;
- the protection of data during storage;
- ensuring the physical security of locations at which personal data are processed;
- for ensuring events logging;
- for ensuring system configuration, including the default configuration;
- for internal IT and IT security governance and management;
- for certification or assurance of processes and products;
- for ensuring data minimization;
- for ensuring data quality;
- for ensuring limited data retention;
- for ensuring accountability; and
- for allowing data portability and ensuring erasure,
form part of Elucidat's security policy, a copy of which can be found at the Elucidat Security Policy. Elucidat Ltd acting in its sole discretion, shall maintain and update the Elucidat Security Policy in order to ensure compliance with applicable laws.
CONCLUSIONS
Extent to which data is accessed in the clear outside of the UK and EEA:
In respect of EU/UK customers, this is limited to support services and processing required to communicate with learners.
Likelihood of risk associated with data which is accessed in the clear outside of the UK and EEA, given understanding of local laws set out at section 3:
The location of the support technician providing the support and technical services depends on the volume of requests and time the request is addressed. When the customer contacts the support team, the individuals contacting the support team are welcome to ask where the support technician is located. Given the level of control the customer maintains here in respect of the personal data provided to the support technician, Elucidat considers the risk of the restricted transfer to be low.
Each customer will need to carry out its own overall assessment in light of its intended use of the Elucidat services and the information which Elucidat has provided within this TIA.
History of requests for access to personal data from any security or public authority to date:
To date, Elucidat has received no requests for access to personal data from any security or public authority. It should be noted that the nature of the Elucidat solution, as an authoring platform, does not result in Elucidat processing sensitive information belonging to its customers.
5. EDPB STEP 5: PROCEDURAL STEPS TO IMPLEMENT
No additional procedural steps in light of the lawful transfer mechanisms adopted and described above.
6. EDPB STEP 6: RE-EVALUATION AND REVIEW PROCESS
Elucidat shall review this TIA periodically (at least annually). Elucidat shall review and update this TIA in the event: (i) a new processing location is used to process customer data; or (ii) it becomes aware of a change in local applicable law in an existing processing location which may affect the conclusions drawn in this TIA.