On July 16, 2020, the Court of Justice of the European Union (“CJEU”) published its ruling on the Schrems II case. The CJEU concluded that the EU-US Privacy Shield framework is invalid. Prior to the ruling, the EU-US Privacy Shield framework was one of several data transfer mechanisms available to companies to transfer personal data of European Union residents from the European Union to the United States. What this means is that organizations that relied on the EU-US Privacy Shield framework to transfer the personal data of residents of the European Union to servers in the United States will need to establish another transfer mechanism in order to continue this practice.
How Does the Ruling Affect Data You Send to Amplitude?
Data Minimization First
Before we dive-in further, it’s important to note that this decision affects the transfer of personal data. However, many of Amplitude’s customers do not send personal data of their end-users to Amplitude. Amplitude has been building features to support our customers in the elimination of personal data from product intelligence. Personal data is not required in order to obtain product intelligence insights using the Amplitude platform, and therefore eliminating personal data from the application event-data you provide the platform resolves this issue in permanence.
The EU Standard Contractual Clauses Were Always Better
This is not the first time concerns over the EU-US Privacy Shield framework have been brought to light, and we have already been through the invalidation of its predecessor, the EU-US Safe-Harbor framework. Although Amplitude self-certified to the EU-US Privacy Shield framework, Amplitude structured its Data Processing Agreements (DPA) to rely on the EU Standard Contractual Clauses (SCCs) because they are more prescriptive and require a higher level of protection for personal data of EU residents.
While the CJEU invalidated the EU-US Privacy Shield framework as a transfer mechanism, they followed the recommendation of the CJEU’s Advocate General who concluded that the SCCs provide sufficient protection for EU personal data. As a result, the use of the SCCs in Amplitude’s DPAs continue to provide a valid transfer mechanism for personal data being sent by our customers from the EU.
The SCCs Are Fine, but Additional Safeguards Are Needed
While the CJEU upheld the validity of the SCCs, it concluded that if organizations (Data Controllers) rely on them as the transfer mechanism, they need to determine if additional safeguards need to be implemented. The additional measures may be needed in order to ensure an “adequate level of data protection” for the personal data of EU residents with respect to national security laws and surveillance practices of the country where the data is sent, in our case the US.
Such measures are the driver behind Amplitude’s shared responsibility model and implementation of Security and Privacy-by-Design: Amplitude provides the infrastructure and tools to ensure data risk minimization for our customers. By providing a secure platform, regularly adding features to help limit access, and help our customers avoid storing data that may be considered personal data, our customers can ensure that only data that is truly necessary for their product improvement goals is sent to our platform, and avoid sending data that can identify an end-user. Working in partnership with our customers helps ensure that their unique data management needs are met.
For example: By practicing data minimization, customers can ensure that Amplitude’s systems are unable to identify end-users amongst their data and therefore cannot provide information on a particular user to third parties, even under court order. Our customers meanwhile can securely maintain the necessary information to tie their specific user to a profile on Amplitude’s platform.
Moving Forward Together
Amplitude’s customers, the Data Controllers, are ultimately responsible to ensure that the collection and protection of their end users’ data complies with regulations and is kept securely, and Amplitude’s responsibility is to continually step up our efforts and raise the bar to support them. The goal of our trust programs is not just to meet the requirements established by laws and industry regulations, but to exceed them and meet the expectations set by our customers.
Our commitment to protect the privacy of our customers’ end users revolves around three principles:
- Supporting our customers in practicing data minimization
- Relying on the EU Standard Contractual Clauses as a valid transfer mechanism when personal data needs to be transferred outside of the EU
- Maintain security and privacy-by-design programs and continue to expand our customer-facing security controls and features
Here’s some quick links to the overview of our security measures and the tools we provide our customers to help their data minimization practices: