Cision International Data Transfers – FAQs
We have created this FAQ to assist our customers and influencers with enquiries arising out of the European Court of Justice's decision in Schrems II of July 2020. The Court’s decision related to the use of Privacy Shield and EU Standard Contractual Clauses (“SCCs”) as the legal basis for transferring personal data outside the EEA, and in particular to the US. The Court's concerns related to the potential for US intelligence agencies to gain access to personal data transferred to the US, and what the Court saw as a lack of adequate redress in the US for EU citizens concerned about such use of their personal data.
In light of this decision, Cision has been assessing its compliance position and this note summarises its current position.
This is an interim note setting out Cision's current approach. That approach will be kept under review, in particular in light of further regulatory guidance from the European Data Protection Board (EDPB) and any applicable national Data Protection Authority, and in light of the imminent publication of revised versions of the SCCs which are anticipated in September/October 2020.
Cision is committed to working with its customers and suppliers to ensure adequate protection of the personal data which it handles.
1. Do you transfer personal data outside the EEA and specifically do you transfer personal data to the US?
Yes, we transfer personal data outside the EEA, including the US.
2. What is your legal basis for such transfers?
We rely on EU Standard Contractual Clauses ("SCCs") as our legal basis for transferring data outside the EEA.
We have not relied on Privacy Shield for transfers between Cision entities nor for transfers to Cision by our customers. We are carrying out an audit of our suppliers/vendors to ascertain whether any such suppliers/vendors have relied on Privacy Shield when acting as data processors on our behalf.
3. What data do you transfer and who to?
The data we transfer is set out in the relevant privacy policies at https://gdpr.cision.com/. Broadly speaking we transfer three different sets of personal data:
- Cision Influencer data: influencer personal data collected by Cision and contained within our various influencer databases (including the Cision media database and TKIM). The vast majority of such data is publicly available data obtained from influencer social media profiles, websites, from published articles and other public domain information. Some further information may be provided by the influencers themselves, or by their employers.
- Customer Influencer data: influencer personal data that our customers provide to us through Private List. This information is similar in nature to the Cision Influencer Data. It may include additional notes provided by our customers.
- Customer Data: personal data included in account management information required by Cision to manage our customer accounts. This is primarily business contact details and job title.
We share Cision and Customer Influencer data with our group companies in the United States, Canada, India, Brazil, China and elsewhere. We also share it with our customers wherever they are situated, including customers outside the EEA.
We may share Customer Data with our group companies in the US for managing customer accounts for our international customers.
We may engage third-party suppliers/vendors (for example email service providers) based in the US to process data on our behalf. Details of such vendors are set out in our privacy notices.
4. Is your business subject to US surveillance laws (i.e. under Section 702 FISA and EO 12333)?
- Cision is not a 'telecommunications carrier' within the meaning of the relevant legislation.
- Cision is a provider of 'electronic communications services' as a result of the email services that we provide to customers. Consequently Cision may be in principle subject to the surveillance regime under Section 702 FISA and EO 12333. In practice, Cision is unaware of any such surveillance being undertaken in relation to its systems and databases.
5. Do you cooperate voluntarily with surveillance authorities seeking access to personal data held by Cision?
Cision does not voluntarily cooperate with surveillance authorities but will comply with its legal obligations.
6. What if any supplementary measures are you taking to ensure that personal data transferred outside the EEA is adequately protected?
We are in the process of conducting careful assessments of all data flows within Cision group companies and to our suppliers and customers outside the EEA.
Our principal international data transfers are from our EU entities to our headquarters and other establishments in the US. For this reason and given that the issues addressed by the European Court related to transfers to the US, this has been our focus to date.
Having conducted this assessment, Cision has concluded that the protections that it currently has in place provide an adequate level of protection for the data in question. Given the nature of the data in question, the recipients of that data, and the nature of Cision's business, we do not believe that the transfers outside the EEA of Cision and Customer Influencer Data create any or any material additional risk over and above the risks that already exist as a result of that data being made publicly available by the data subjects (influencers) themselves prior to its collection, processing and onward transfer by Cision. The two critical factors in reaching this conclusion are that: (a) the vast majority of data that is transferred is public domain data (available for example on social media platforms where the data has been posted by the data subjects themselves); and (b) the nature of the data transferred is low risk and in our view the risk of the US surveillance mechanisms being applied to Cision is low. In relation to Customer Data, we believe that such data is very low risk.
Cision has updated its Privacy Notices to alert influencers to the Schrems decision and its implications, and to remind them of their ability to request amendment/removal of their profiles.
7. Should Cision customers be concerned about any personal data that we may have included in our private lists that Cision processes on our behalf?
Customers should carry out their own assessment of whether any personal data they provide to Cision may be particularly sensitive, and, if so, should consider whether to withhold or remove such data from, for example, private lists.
8. What steps can influencers take to protect their personal data if they are concerned about it being transferred outside the EEA?
Influencers should note an update to Cision’s Influencer Privacy Notice which states the following:
"You may be aware of a recent (July 2020) ruling by the European Court of Justice commonly known as "Schrems II" which impacts data transfers to the US and other countries outside the EU. The case arose out of concerns that the US law enforcement authorities may be able to access data that was transferred to the US, and that data subjects like you would not have adequate means of objecting to such access or use of your data if you were concerned about it. The ruling affected two common means of ensuring that your data is protected which are known as (a) Privacy Shield and (b) 'Standard Contractual Clauses' (or 'SCCs'). The European Court ruled that Privacy Shield was no longer valid but confirmed that the SCCs were valid though data exporters (like Cision) who were using SCCs should take additional steps to ensure that there were adequate safeguards in place. Cision does not rely on Privacy Shield for its international data transfers. Regarding its use of SCCs, Cision has carefully assessed the transfers it conducts, and has concluded that there are adequate safeguards in place, particularly given that the vast majority of influencer data processed by Cision is public domain and given the nature of services provided by Cision. However, if you are at all concerned by the possibility that your personal data may be accessed by law enforcement agencies in the US (or in any other country) then please let us know by contacting us at firstname.lastname@example.org and we can either amend your profile to remove any data that is of concern, or remove you from our database."
EEA-based Influencers may wish to review their profiles to see whether there is any information in their profile that they would not want to be transferred outside the EEA. Influencers may contact Cision for a copy of their profile at email@example.com.
Cision will amend profiles on request and will remove any influencer from the Cision databases entirely if they no longer wish to be included.
9. Do you have in place appropriate technological and organisational measures to protect personal data transferred outside the EEA?
Our technical and organisational measures are set out in our security policy at https://gdpr.cision.com/technicalorgmeasures.
Where we engage processors to act on our behalf, we ensure that they have appropriate security measures.
10. Are you making any changes to the SCCs in light of the Court's decision?
We intend to make certain changes to the SCCs to follow recommendations made by one of the German data protection authorities. We will keep the SCCs under review and will consider our approach in light of any further regulatory guidance and in light of the imminent publication of revised versions of the SCCs which are anticipated in September/October 2020.
11. How will you be addressing transfers to countries other than the US?
Cision is not at present able to conclusively analyse the surveillance and law enforcement regimes of all territories to which it may transfer personal data. However, Cision's view is that even if those regimes did allow access similar to that afforded to US law enforcement agencies, and even if the redress afforded to data subjects suffered from the same shortfalls as the Court identified as existing in the US, the public nature of the data and its inherent lack of interest to law enforcement means that the risks involved in transfers to those countries are low. As a result, Cision expects that its conclusions regarding whether additional safeguards are required are likely to be the same or similar. We will be carefully monitoring any further guidance from the EDPB and national DPAs, and any best practice recommendations. This will be an ongoing process.