What are data transfers?
When NextRoll customers located outside of the US provide personal data to NextRoll, they engage in a cross-border transfer of this data. Because NextRoll is located in the US, special legal mechanisms are required for NextRoll to receive personal data from customers located in the European Economic Area (“EEA”) and customers located elsewhere that provide personal data subject to the data protection laws of the EEA. The legal mechanism that NextRoll and its customers rely on is the European Commission’s Standard Contractual Clauses (“SCCs”). The 2021 version of the SCCs is incorporated by reference in NextRoll’s Data Protection Addendum available at https://www.nextroll.com/terms/data-protection.
What data is transferred to NextRoll?
NextRoll customers transfer personal data to NextRoll either by directly providing such data or by enabling NextRoll to collect such data, for example, by including a NextRoll cookie on their website. The transferred data includes:
- Contact information of the customer’s customers, which may include name, email address, phone number, company name, and job title;
- Data automatically collected through NextRoll technologies on customers’ sites, like cookies and web beacons, which include browser data, such as IP addresses and time stamps, as well as unique cookie IDs, and sometimes a hashed email address, generally input by a visitor to a customer’s site; and
- Information about the customer's own employees who log in to the NextRoll services, including IP address and email address.
Does NextRoll transfer data outside of Europe? If so, to which countries?
Yes. NextRoll's headquarters are in the United States and our servers and facilities that maintain our websites, services, and the data we collect are also located in the United States. In addition, we work with third party vendors and data partners to process personal data to enable us to provide NextRoll’s services, and their servers may be located outside of Europe. A full list of these third parties is located here.
We take steps to ensure that our vendors and data partners with whom we may share personal data offer appropriate safeguards to protect the personal data they process on our behalf, and contractually obligate them to process such data in compliance with applicable data protection laws.
2. SCHREMS II
What is the Schrems II decision about?
Schrems II is the common name for the July 16, 2020 decision by the Court of Justice of the European Union (“CJEU”) in the case of the Irish Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18). This case was about the legality of data transfers from the EEA to the US. Schrems II invalidated a transfer mechanism called the EU-US Privacy Shield Framework but confirmed that the SCCs are a valid transfer mechanism. However, Schrems II held that some US laws undermine the protections of the SCCs, raising the need for companies to potentially implement additional safeguards when transferring personal data from the EEA to the US.
In response to Schrems II, the 2021 SCCs require data exporters (like our customers) and data importers (like NextRoll) to analyze whether the laws and practices of the country where data is transferred (here, the US) undermine the protections of the SCCs. If so, the parties must describe the additional safeguards they will implement to ensure that the transferred data is adequately protected.
How does Schrems II affect my use of NextRoll?
Schrems II creates a few extra requirements for NextRoll and its EEA-based customers and customers that transfer EEA-regulated data. NextRoll and its customers can continue to use the SCCs as a transfer mechanism. However, they should assess the laws and practices of the US as discussed above, and evaluate whether they need to implement any additional safeguards. We undertake this analysis through a document called a transfer impact assessment (“TIA”).
What is a TIA and why does NextRoll have one?
A TIA is a document that completes the analysis of US laws required by the 2021 SCCs. This assessment must evaluate whether, in the case of the specific transfers between NextRoll and its customers, (1) the laws or practices of the US infringe on the protections of the SCCs and (2) what additional safeguards NextRoll and its customers are implementing to mitigate any such infringements.
NextRoll has proactively prepared a TIA to help it and its customers meet their obligations under the 2021 SCCs. The TIA specifically analyzes three main points:
- Whether the laws and practices of the US generally undermine the protections of the SCCs.
- Whether NextRoll is subject to the two laws that Schrems II specifically held to infringe on the SCCs, namely Section 702 of the US Foreign Intelligence Surveillance Act (“FISA 702”) and Executive Order 12333 (“EO 12333”).
- Whether additional safeguards are needed, and if so, what safeguards are in place to protect the transferred data.
The TIA concludes that (1) the laws and practices of the US do not undermine the SCCs, (2) the data that NextRoll processes is at very low risk of being requested under FISA 702 or surveilled under EO 12333, and (3) there are adequate safeguards in place to mitigate this very low risk. Points 2 and 3 are discussed more below.
3. DETAILED TIA ANALYSIS
Is NextRoll subject to US surveillance laws for any practical purposes?
The short answer, practically speaking (see the analysis below), is “no”.
Background. US companies are subject to certain US government requests for information under various laws. These include laws that permit certain agencies (particularly law enforcement) to either issue subpoenas and seek court orders or to conduct certain types of surveillance for national security purposes. The latter category includes government requests for information under FISA 702. In certain circumstances, the US government may also intercept data in transit to or from any US company under EO 12333. However, this applies to information held anywhere in the world, so transferring information to the US does not increase risks under EO 12333.
FISA Section 702. FISA 702 may apply to NextRoll because (as described below) NextRoll may be a “remote computing service” subject to that section. However, as explained below, the risk that the US government would actually seek information from NextRoll via FISA 702 is extremely low and implausible.
A company is subject to FISA Section 702 if it is: (1) an electronic communication service (“ECS”) for purposes of the Electronic Communications Privacy Act (“ECPA”); (2) a remote computing service (“RCS”) for purposes of ECPA; (3) a telecommunications carrier as defined in 47 U.S.C. § 153 (i.e., an internet backbone provider that carries third parties’ traffic); (4) any other “communication service provider,” a term used but not defined in FISA; or (5) an employee, officer or agent of the above.
Application of FISA Section 702 to NextRoll. Most of the above categories are by definition inapplicable to NextRoll. NextRoll is not an ECS, for instance, as it doesn’t provide a tool for users to communicate with each other; nor does it facilitate communications in the other ways that FISA contemplates.
However, a court theoretically might hold that NextRoll is an RCS – i.e., a company that provides “computer storage or processing services by means of an electronic communications system.” On the one hand, NextRoll’s principal services do not involve such storage or processing – rather, NextRoll principally provides advertising and marketing services. On the other hand, there is an argument that a more-than-incidental aspect of the services that NextRoll provides to its customers involves the capture, storage, and processing of customer website data including IP addresses and cookie IDs; and that although customers can only view such data in aggregated form, the data nonetheless is captured and stored as personal data as a “service” to those customers. Under current legal precedent (of which there is very little), if that service is only incidental to the rest of what NextRoll does, then NextRoll is probably not an RCS. But because there is little squarely relevant case law, it is unclear how a court would decide the question.
But even assuming NextRoll is an RCS, and that FISA 702 theoretically could apply to its services, there is virtually no risk that the US government actually would seek such information under FISA 702. The government can use FISA 702 only if a significant purpose of the data sought is to acquire “foreign intelligence information,” defined as information related to national security, counterterrorism, or counterintelligence efforts (see 50 U.S.C. § 1801(e)). It is extremely unlikely and factually implausible that the limited information that NextRoll collects could qualify as “foreign intelligence information.” Thus, we cannot envision a scenario where the US government would, or even could, use FISA 702 directives to seek this information from NextRoll.
Thus, even if NextRoll were deemed to be an RCS and therefore technically subject to FISA Section 702, it is highly unlikely that the US government would or could use FISA 702 to seek the limited personal data that NextRoll processes.
What is NextRoll's practical experience dealing with government access requests?
To date, NextRoll has never received an information request from the US government (including requests under FISA 702 or direct access under EO 12333) in connection with customer personal data.
How does NextRoll respond to government access requests?
If NextRoll were to receive a government access request or become aware of direct access, we would proceed in accordance with our obligations under the 2021 SCCs and our internal processes.
As a general principle, NextRoll does not disclose personal data in response to a government access request unless it is either under a compelling legal obligation to do so or there is an imminent risk of serious harm that merits compliance. If a request concerns personal information for which a customer is a controller, we will ordinarily, to the extent legally permitted, notify and provide the customer with details and will support the customer in accordance with the terms of our agreement with the customer.
What safeguards has NextRoll implemented to protect EEA data?
- The NextRoll services are hosted on data centers maintained by Amazon Web Services, an industry-leading service provider that offers state-of-the-art technical and organizational security measures designed to protect the data it hosts.
- We restrict access to our product systems and database infrastructure on a least-privilege basis. NextRoll maintains a formal information security program, including clearly defined information security roles, responsibilities, and accountability.
- NextRoll uses TLS 1.2 or above to secure data in transit over public networks. Data is also encrypted in storage using AES-256, the strongest commercially available encryption standard.
- When NextRoll contracts with a third party that processes personal data on our behalf (i.e., our processors), we ensure that these third parties contractually commit to implement and maintain appropriate security measures to protect the information. In addition, NextRoll has implemented rigorous due diligence checks to ensure that our service providers and partners can provide sufficient guarantees to implement appropriate technical and organizational measures to keep data secure.