International data transfers following the Schrems II decision
What did the Court of Justice of the European Union recently decide regarding data transfers from the EU?
On July 16, 2020 the Court of Justice of the European Union (the Court) invalidated the EU-US Privacy Shield, which was one of the ways for companies to transfer data legally from the EU to the US. At the same time, the Court confirmed that Standard Contractual Clauses (SCCs) continue to provide a valid mechanism for companies to transfer personal data outside the EU.
However, we understand the Court stated that the suitability of data transfers under the SCCs may be challenged on a case-by-case basis, and that, in addition to the SCCs, supplementary measures may be necessary to ensure an adequate level of protection. The Court did not clarify what those supplementary measures might be.
Privacy and Security are among the highest priorities at Atlassian, and we’re closely following the recent Court decision about the EU-US Privacy Shield - and subsequent developments related to the Swiss-US Privacy Shield. We’re aware the European Data Protection Board recently issued further guidance on supplementary measures to meet the adequacy requirements of GDPR. We will continue to analyze these requirements and any others issued by European data protection authorities as they arise.
What does this mean for Atlassian customers?
To address the court’s decision, we have updated our DPA to include a full copy of the Standard Contractual Clauses (SCCs). Additionally, older versions of our DPA include the SCCs as a fallback data transfer mechanism in the event of invalidation of the Privacy Shield.
While these older versions of the DPA should be legally sufficient, we anticipate that many customers will want to take advantage of the new DPA. If you wish to update to the latest DPA, please follow the instructions here.
We remain committed to ensuring our customers' data is protected with the utmost care and in compliance with applicable data privacy laws and requirements.
How does Atlassian ensure that data remains protected outside of Europe?
Atlassian has put in place a number of measures to ensure that EU, UK and Swiss data remains protected when it is transferred outside of Europe.
In addition to incorporating the SCCs, our DPA also sets out Atlassian’s commitments to confidentiality, security of processing, customer controls and how Atlassian helps to notify of incidents, and helps our customers honor data subject rights. The combination of the Atlassian DPA, SCCs, security commitments and additional measures continues to offer our customers a robust level of protection.
Please also note that Atlassian:
- already encrypts data in transit and at rest (see here for more information)
- publishes an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts
- provides additional information about our policies and procedures for responding to requests for user data in our Guidelines for Law Enforcement. Atlassian responds to government requests in accordance with our Privacy Policy, customer agreements, Acceptable Use Policy, and any applicable Product-Specific Terms. Your trust is important to us, and we will continue to prioritize transparency around our practices moving forward.
We’re closely monitoring the developments following the Court’s decision to determine whether we need to make any additional changes to our privacy practices.