International Data Transfers
What are SCCs?
Standard Contractual Clauses (SCCs) are terms and conditions that organisations sending EU personal data from within the EU must have in place with organisations outside the EU that they are sending it to.
These are published by the European Commission and are therefore the same for all organisations.
Cision has these SCCs in place with its customers and vendors.
On 4th June 2021 a new set of SCCs was published by the European Commission.
These new SCCs allow the existing SCCs to continue to be used for “new” data transfers over a transition period of three months — giving organizations the chance to read into and make any changes necessary for compliance with the new SCCs before deploying them in practice.
We plan to look into what additional technical safeguards will be prudent/necessary for our various data sets. Once we’ve made those decisions, they will be outlined here.
Similarly, the existing SCCs can continue to be used for existing data transfers for up to 18 months — giving organizations until the very start of 2023.
Frequently Asked Questions
This FAQ has been created to assist our customers and influencers with enquiries related to how Cision deals with, and has risk assessed, the transfer of personal data outside the EEA. In particular it addresses questions related to:
- the July 2020 decision of the European Court in "Schrems II" (See here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155);
- the EU's (draft) new Standard Contractual Clauses (SCCs) (see here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries); and
This is a developing area of law. Cision's approach will be kept under review, in particular in light of regulatory guidance from the European Data Protection Board (EDPB) and any applicable national Data Protection Authorities, and decisions of relevant Courts. Cision is committed to working with its customers and suppliers to ensure adequate protection of the personal data which it handles.
1. What was the Schrems II decision about?
Under European and UK data protection law (GDPR/UK GDPR) personal data cannot be transferred outside the EEA unless the exporter uses one of the approved mechanisms to make that transfer lawful. Two such mechanisms were Privacy Shield (only for transfers to the US) and EU Standard Contractual Clauses (SCCs) (for transfers anywhere outside the EEA).
The case was brought in the Irish Court by the privacy activist Mr Schrems against Facebook Ireland, and the Irish Court referred a number of questions to the European Court for determination. The European Court's decision concerned the potential (even where approved mechanisms are used) for US law enforcement and intelligence agencies to gain access to personal data transferred to the US, and what the European Court saw as being a lack of adequate redress in the US for EU citizens concerned about such use of their personal data.
The European Court ruled that Privacy Shield was no longer a valid mechanism but said that other transfer mechanisms (including SCCs) remained valid. In relation to SCCs, the European Court said that data exporters would need to carry out an assessment of their transfers to determine whether or not additional safeguards (over and above the terms of the SCCs) were necessary to ensure the adequate protection of personal data being transferred outside the EEA.
2. Do you transfer personal data outside Europe and specifically do you transfer personal data to the US?
Yes, we transfer personal data outside the EEA, including the US.
3. What personal data do you transfer?
The personal data we transfer is set out in the relevant privacy policies at https://gdpr.cision.com/.
Broadly speaking we transfer four different sets of personal data:
- Cision Influencer Data: influencer personal data collected by Cision and contained within our various influencer databases (including the Cision media database and TKIM). The vast majority of such data is publicly available data obtained from influencer social media profiles, websites, from published articles and other public domain information. Some further information may be provided by the influencers themselves, or by their employers.
- Customer Influencer Data: influencer personal data that our customers provide to us through Private List. This information is similar in nature to the Cision Influencer Data. It may include additional notes provided by our customers.
- Customer Data: personal data included in account management information required by Cision to manage our customer accounts. This is primarily business contact details and job title.
- Cision internal business personal data (e.g. HR data). This FAQ does not deal with this data.
4. Who do you transfer personal data to?
We share Cision Influencer Data with our customers (including customers outside the EEA) and with our group companies in the United States, Canada, India, Brazil, and China.
Customer Influencer Data is provided to us by our customers and processed by us on their behalf. This may involve a transfer of such data from the EEA to our group companies in the US where such data will be hosted.
We may share Customer Data with our group companies in the US for managing customer accounts.
We may share Cision Influencer Data, Customer Influencer Data and Customer Data with third party suppliers/vendors that we work with (for example email service providers) who process data on our behalf. Details of such vendors are set out in our privacy notices.
5. What is your approved mechanism for international data transfers?
Some countries (such as Canada) have been deemed by the European Commission to have adequate data protection regimes – for those countries no further protections are necessary.
For countries where there is no adequacy decision we rely on the use of SCCs.
We have never relied on Privacy Shield for Cision intra-group transfers or for transfers to our customers.
We have carried out an audit of our suppliers/vendors to ascertain whether any such suppliers/vendors are relying on Privacy Shield when acting as data processors on our behalf and none are.
6. Is your business subject to US surveillance laws under Section 702 FISA and EO 12333?
Cision is not a 'telecommunications carrier' within the meaning of the relevant legislation.
In respect of some of the services it provides (e.g. email services) Cision may be deemed to be a provider of 'electronic communications services'. As a result Cision may be in principle subject to the surveillance regime under Section 702 FISA and EO 12333.
7. Is Cision aware of any surveillance being undertaken by law enforcement agencies in the US or elsewhere in relation to its systems and databases?
No, Cision is unaware of any surveillance activities being targeted at Cision's systems and databases.
8. Does Cision receive requests from law enforcement agencies for the disclosure of personal data?
Yes. Cision has received subpoenas and other requests for the disclosure of personal information.
9. What is Cision's approach to requests by government agencies for access to personal data held by Cision?
Cision will comply with its legal obligations.
Cision does not voluntarily cooperate with surveillance authorities and will not release personal data unless required to by law.
Cision will review all law enforcement requests and will only release personal data in response to such requests if it is satisfied that the request has been validly made in the correct form and with requisite authority and will only release personal data that falls within the scope of a lawful request.
10. Does Cision disclose the fact that government agencies have requested access to personal data?
Cision may on request disclose the fact of a request by a government agency if it is permitted to do so by applicable law. By their nature many (if not the majority) of government requests are confidential and Cision is often unable to disclose the fact of the request or the specifics of such requests.
11. How often does Cision receive requests from government agencies for the disclosure of personal information related to Cision's customers or influencers on the Cision platform?
Cision typically receives fewer than 15 requests per year in total across all its companies. Requests typically relate to customer accounts and activity within them, which may not involve personal data.
12. What assessment have you made of your international data transfers?
Cision has conducted assessments of data flows within the Cision group and to our suppliers and customers in the US. We are looking at similar assessments in relation to other territories.
Our principal international data transfers are from our EU entities to our headquarters and other establishments in the US and to our US customers. For this reason and given that the issues addressed by the European Court related to transfers to the US, this has been our focus to date.
Cision and Customer Influencer Data
Given the nature of the data subjects, the personal data that we process, the recipients of that data, and the nature of Cision's business, we do not believe that the transfers outside the EEA of Cision and Customer Influencer Data create any or any material additional risk over and above the risks that already exist as a result of that data being made publicly available by the data subjects (influencers) prior to its collection, processing and onward transfer by Cision. The two critical factors in reaching this conclusion are that: (a) the vast majority of data that is transferred is public domain data (available for example on public social media platforms where it has been posted by the data subjects themselves); and (b) the nature of the data transferred is low risk. If a government agency wished to access influencer personal data it could access that data by accessing the public domain sources used by Cision. In our view the risk of the US surveillance mechanisms being applied to Cision is low and if they were applied it would relate to data that is already largely publicly available.
Customer Data is generally limited to the personal contact information of our customer account contacts and activity on customer accounts. We believe that such data is also low risk.
Notwithstanding the above, Cision acknowledges that access by US government agencies to personal data held by Cision is theoretically possible. For this reason Cision will be implementing certain additional safeguards to protect the personal data that it transfers outside the EEA, as below.
13. What if any technical measures are you taking to ensure that personal data transferred outside the EEA is adequately protected?
Cision maintains robust technical and organisational security measures to ensure the adequate protection of personal data. Details of such measures are summarised in our IT Security Policies available here: https://gdpr.cision.com/technicalorgmeasures.
Cision employs strong encryption both in transit (TLS) and at rest and continually works to enhance our abilities to encrypt personal data.
Where we engage processors to act on our behalf, we ensure that they have appropriate security measures.
14. What if any other supplemental measures are you taking to ensure that personal data transferred outside the EEA is adequately protected?
Despite our view of the risks, Cision will implement certain contractual changes to address concerns raised by the EDPB. Those changes will be implemented in updates to our Master Services Agreement and with new SCCs once final versions of the SCCs have been published. Those changes will take effect on renewal of ongoing customer contracts and on execution of new contracts.
New SCCs will be implemented within the timeframe specified by the EC, being twelve months from the date of publication of the SCCs.
15. Are you able to provide services without international transfer of customer data?
At present all Cision Influencer Data and Customer Influencer data is hosted on servers based in the US. There is no plan to change that arrangement. As a result it is not possible to provide Cision services to our customers without the transfer of EU personal data to the US.
16. What control does a customer have over the data that is transferred?
Customers may be concerned with Customer Data and Customer Influencer Data.
It is necessary for Cision's international businesses (in particular Cision US Inc.) to have access to Customer Data in order to manage the customer account.
It is within the customer's control what Customer Influencer Data it provides to Cision. If a customer has concerns about the international transfer of Customer Influencer Data then it should not provide such data to Cision or should discuss any concerns with Cision before doing so.
17. Should Cision customers be concerned about any personal data that may have been included in private lists that Cision processes on our behalf?
Customers should carry out their own assessment of whether any personal data they provide to Cision (either Customer Influencer Data or Customer Data) may be particularly sensitive, and, if so, should consider whether to withhold or remove such data from, for example, private lists.
18. Are you making any changes to the SCCs?
The decision in Schrems II does not mandate changes to the SCCs. It does recommend implementation of additional safeguards (including contractual safeguards) where appropriate which we will be implementing through updates to our MSA (see above).
We will be implementing the new SCCs once they have been published in their final form and within the timeframe required (i.e. within 12 months of the publication of the final form of the new SCCs). It is currently anticipated that the final form of the new SCCs will be published in early 2021.
19. How will you be addressing transfers to countries other than the US?
Cision is considering assessments of international transfers of personal data to territories other than the US.
Cision's view is that even if those regimes did allow access similar to that afforded to US law enforcement agencies, and even if the redress afforded to data subjects suffered from the same shortfalls as the European Court identified as existing in the US, the public nature of the data and its inherent lack of interest to law enforcement means that the risks involved in transfers to those countries are low.
We will be carefully monitoring any further guidance from the EDPB and national DPAs, and any best practice recommendations. This will be an ongoing process.
20. What steps are you taking to ensure that your third party suppliers/vendors provide an adequate level of protection in relation to data they process on Cision's behalf?
We are conducting audits of our third party suppliers and vendors to ensure that they provide adequate protection for personal data processed on Cision's behalf.
21. How will Cision be addressing transfers to and from the UK in light of Brexit?
Under domestic legislation the UK has adopted GDPR which is now known as UK GDPR. The law related to international data transfers thus continues to apply to transfers to and from the UK, save that the UK is now considered to be a 'third country' so far as GDPR is concerned. This means that transfers between the EU and the UK are now subject to the same restrictions as transfers from the EEA to other countries, and transfers from the UK to countries outside the EEA remain subject to the same restrictions.
The UK government has agreed an interim position with the EU whereby for a period of 6 months until 31 June 2021 the UK will be deemed to be an 'adequate' jurisdiction for the purposes of transfers to the UK. This means that during this interim period transfers from the EU to the UK will not require any further safeguards. It is undecided what the position will be after this interim period. Cision will monitor developments and update this FAQ when further information is available.
The UK has agreed to treat the EU as an 'adequate' jurisdiction for the purposes of UK GDPR. This means that transfers from the UK to the EU will not require any further safeguards.
Under UK GDPR transfers from the UK to countries outside the EEA will be subject to the same restrictions as currently. Cision will continue to rely on SCCs in relation to such transfers. It remains to be seen whether the UK will adopt the new EU SCCs or publish its own version. Cision will monitor the position and take appropriate steps when necessary.
22. What steps has Cision taken to tell influencers of these changes?
Cision has updated its Privacy Notices to alert influencers to the Schrems II decision and its implications, and to remind them of their ability to request amendment/removal of their profiles.
23. What steps can influencers take to protect their personal data if they are concerned about it being transferred outside the EEA?
Influencers should note an update to Cision’s Influencer Privacy Notice which states the following:
"You may be aware of a recent (July 2020) ruling by the European Court of Justice commonly known as "Schrems II" which impacts data transfers to the US and other countries outside the EU. The case arose out of concerns that the US law enforcement authorities may be able to access data that was transferred to the US, and that data subjects like you would not have adequate means of objecting to such access or use of your data if you were concerned about it. The ruling affected two common means of ensuring that your data is protected which are known as (a) Privacy Shield and (b) 'Standard Contractual Clauses' (or 'SCCs'). The European Court ruled that Privacy Shield was no longer valid but confirmed that the SCCs were valid though data exporters (like Cision) who were using SCCs should take additional steps to ensure that there were adequate safeguards in place. Cision does not rely on Privacy Shield for its international data transfers. Regarding its use of SCCs, Cision has carefully assessed the transfers it conducts, and has concluded that there are adequate safeguards in place, particularly given that the vast majority of influencer data processed by Cision is public domain and given the nature of services provided by Cision. However, if you are at all concerned by the possibility that your personal data may be accessed by law enforcement agencies in the US (or in any other country) then please let us know by contacting us at email@example.com and we can either amend your profile to remove any data that is of concern, or remove you from our database."
EEA-based Influencers may wish to review their profiles to see whether there is any information in their profile that they would not want to be transferred outside the EEA. Influencers may contact Cision for a copy of their profile at firstname.lastname@example.org.
Cision will amend profiles on request and will remove any influencer from the Cision databases entirely if they no longer wish to be included.
LAST UPDATED FEBRUARY 2021