International Data Transfer Assessment
This assessment has been created to assist our customers and influencers with enquiries related to how Cision has risk assessed the transfer of personal data outside the EEA and Quebec. In particular it addresses questions related to:
- the July 2020 decision of the European Court in "Schrems II" (See here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155);
- the EU's 2021 Standard Contractual Clauses (SCCs) (see here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en);
- Brexit; and
- the Quebec Act to Modernize Legislative Provisions respecting the Protection of Personal Information 2021 (“Bill 64”).
This is a developing area of law; Cision's approach will therefore be kept under review in light of regulatory guidance from the European Data Protection Board (EDPB), the Commission d'acces a l'information du Quebec, any other applicable national Data Protection Authorities and any decisions of relevant Courts. Cision is committed to working with its customers and suppliers to ensure adequate protection of the personal data which it handles.
1. What was the Schrems II decision about?
Under European and UK data protection law (GDPR/UKGDPR) personal data cannot be transferred outside the EEA unless the exporter uses one of the approved mechanisms to make that transfer lawful. Two such mechanisms were Privacy Shield (only for transfers to the US) and EU Standard Contractual Clauses (SCCs) (for transfers anywhere outside the EEA).
The case was brought in the Irish Court by the privacy activist Mr Schrems against Facebook Ireland, and the Irish Court referred a number of questions to the European Court for determination. The European Court's decision concerned the potential (even where approved mechanisms are used) for US law enforcement and intelligence agencies to gain access to personal data transferred to the US, and what the European Court saw as being a lack of adequate redress in the US for EU citizens concerned about such use of their personal data.
The European Court ruled that Privacy Shield was no longer a valid mechanism but said that other transfer mechanisms (including SCCs) remained valid. In relation to SCCs, the European Court said that data exporters would need to carry out an assessment of their transfers to determine whether or not supplemental measures (over and above the terms of the SCCs) were necessary to ensure the adequate protection of personal data being transferred outside the EEA.
2. Do you transfer personal data outside Europe or Quebec and specifically do you transfer personal data to the US?
Yes, we transfer personal data outside the EEA and Quebec, including to the USA.
3. What personal data do you transfer?
The personal data we transfer is set out in the relevant privacy policies at https://gdpr.cision.com/.
Broadly speaking we transfer four different sets of personal data:
- Cision Influencer Data: influencer personal data collected by Cision and contained within our various influencer databases (including the Cision media database and TKIM). The vast majority of such data is publicly available data obtained from influencer social media profiles, websites, from published articles and other public domain information. Some further information may be provided by the influencers themselves, or by their employers.
- Customer Influencer Data: influencer personal data that our customers provide to us through Private List. This information is similar in nature to the Cision Influencer Data. It may include additional notes provided by our customers.
- Customer Data: personal data included in account management information required by Cision to manage our customer accounts. This is primarily business contact details and job title.
- Cision internal business personal data (e.g. HR data). This assessment does not deal with this data.
4. Who do you transfer personal data to?
We share Cision Influencer Data - data that Cision has gathered globally from public sources - with our customers (including customers outside the EEA) and with our group companies in the United States, Canada, India, Brazil, and China.
Customer Influencer Data is provided to us by our customers and processed by us on their behalf. This may involve a transfer of such data from the EEA to our group companies in the US where such data will be hosted.
We may share Customer Data with our group companies in the US for managing customer accounts.
We may share Cision Influencer Data, Customer Influencer Data and Customer Data with third party supplier/vendors that we work with (for example email service providers) who process data on our behalf. Details of such vendors are set out in our privacy notices.
5. What is your approved mechanism for international data transfers?
Some countries (such as Canada and the UK) have been deemed by the European Commission to have adequate data protection regimes – for those countries no further protections are necessary.
For countries where there is no adequacy decision we rely on the use of SCCs.
We have never relied on Privacy Shield for Cision intra-group transfers or for transfers to our customers.
We have carried out an audit of our suppliers/vendors to ascertain whether any such suppliers/vendors are relying on Privacy Shield when acting as data processors on our behalf and none are.
6. Is your business subject to US surveillance laws under Section 702 FISA and EO 12333?
Cision is not a 'telecommunications carrier' within the meaning of the relevant legislation.
In respect of some of the services it provides (e.g. email services) Cision may be deemed to be a provider of 'electronic communications services'. As a result Cision may in principle be subject to the surveillance regime under Section 702 FISA and EO 12333.
7. Is Cision aware of any surveillance being undertaken by law enforcement agencies in the US or elsewhere in relation to its systems and databases?
No, Cision is unaware of any surveillance activities being targeted at Cision's systems and databases.
8. Does Cision receive requests from law enforcement agencies for the disclosure of personal data?
Yes. Cision has received subpoenas and other requests for the disclosure of personal information.
9. What is Cision's approach to requests by government agencies for access to personal data held by Cision?
Cision will comply with its legal obligations.
Cision does not voluntarily cooperate with surveillance authorities and will not release personal data unless required to by law.
Cision will review all law enforcement requests and will only release personal data in response to such requests if it is satisfied that the request has been validly made in the correct form and with requisite authority and will only release personal data that falls within the scope of a lawful request.
10. Does Cision disclose the fact that government agencies have requested access to personal data?
Cision may on request disclose the fact of a request by a government agency if it is permitted to do so by applicable law. By their nature many (if not the majority) of government requests are confidential and Cision is often unable to disclose the fact of the request or the specifics of such requests.
11. How often does Cision receive requests from government agencies for the disclosure of personal information related to Cision's customers or influencers on the Cision platform?
Across all of its related entities, Cision very occasionally receives information requests. Cision has only ever received US agency requests regarding financial announcements made via its wire and distribution service due to the financial impact of them. If these announcements contain any personal information at all, this will only be the name of the contact at the customer making the announcement and it is already in the public domain.
Consequently, Cision has no reason to believe that any problematic legislation will be applied to it in practice.
12. What assessment have you made of your international data transfers?
Cision has conducted assessments of data flows within the Cision group and to our suppliers and customers in the US.
Our principal international data transfers are from our entities around the world (including EU, UK and Quebec) to our headquarters and other establishments in the US and to our US customers. For this reason and given that the issues addressed by the European Court related to transfers to the US, this is our area of focus.
Cision and Customer Influencer Data
Given the nature of the data subjects, the personal data that we process, the recipients of that data, and the nature of Cision's business, we do not believe that the transfers outside the EEA of Cision and Customer Influencer Data create any or any material additional risk over and above the risks that already exist as a result of that data being made publicly available by the data subjects (influencers/journalists) prior to its collection, processing and onward transfer by Cision.
The two critical factors in reaching this conclusion are that:
(a) the vast majority of data that is transferred is public domain data (available for example on public social media platforms where it has been posted by the data subjects themselves); and
(b) the nature of the data transferred is low risk. If a government agency wished to access influencer personal data it could access that data by accessing the public domain sources used by Cision, e.g. Twitter, Facebook, public websites. In our view the risk of the US surveillance mechanisms being applied to Cision is low and if they were applied it would relate to data that is already largely publicly available.
Customer Data
Customer Data is generally limited to the personal contact information of our customer account contacts, activity on customer accounts and influencer/journalist information. We believe that such data is also low risk.
Notwithstanding the above, Cision acknowledges that access by US government agencies to personal data held by Cision is theoretically possible. For this reason Cision will be implementing certain supplemental measures to protect the personal data that it transfers outside the EEA, as below.
13. What if any technical measures are you taking to ensure that personal data transferred outside the EEA is adequately protected?
Cision maintains robust technical and organisational security measures to ensure the adequate protection of personal data. Details of such measures are summarised in our IT Security Policies available here: https://gdpr.cision.com/technicalorgmeasures.
Cision employs strong encryption both in transit (TLS) and at rest and continually works to enhance our abilities to encrypt personal data.
Where we engage processors to act on our behalf, we ensure that they have appropriate security measures.
14. What if any other supplemental measures are you taking to ensure that personal data transferred outside the EEA is adequately protected?
Risk Assessment
We have considered what supplemental measures may be necessary for our various data transfers in the light of all the specific circumstances of these transfers and in consideration of the likelihood and severity of the risks to the rights and freedoms of natural persons and have no reason to believe that we will not be able to comply with commitments under the SCCs.
This is because:
(a) the vast majority of data that is transferred is public domain data (available for example on public social media platforms where it has been posted by the data subjects themselves); and
(b) the nature of the data transferred is low risk. If a government agency wished to access influencer personal data it could access that data by accessing the public domain sources used by Cision, e.g. Twitter, Facebook, public websites. In our view the risk of the US surveillance mechanisms being applied to Cision is low and if they were applied it would relate to data that is already largely publicly available.
Supplemental Measures
Despite our view of the risks, Cision will implement the below changes to address concerns raised by the EDPB.
Cision will endeavour to notify the relevant data exporter of any access or request for access by a government authority, unless prohibited by law (paragraph 10 above). If prohibited, Cision will use best efforts to get the prohibition waived, review the legality of such request and challenge any unlawful ones (paragraph 9 above). Cision will notify the relevant data exporter if it believes it can no longer comply with the SCCs.
Cision will adopt and regularly review internal policies to assess the suitability of the implemented safeguarding measures and to identify and implement additional or alternative solutions when necessary. Cision aims to ensure that the transferred personal data continues to enjoy an equivalent level of protection as that guaranteed within the EU.
15. Are you able to provide services without international transfer of customer data?
At present Cision Influencer Data and Customer Influencer Data is hosted on servers based in the US and EU. There is no plan to change that arrangement. As a result it is not possible to provide Cision services to our customers without the transfer of EU personal data to the US.
16. What control does a customer have over the data that is transferred?
Customers may be concerned with Customer Data and Customer Influencer Data.
It is necessary for Cision's international businesses (in particular Cision US Inc.) to have access to Customer Data in order to manage the customer account.
It is within the customer's control what Customer Influencer Data it provides to Cision. If a customer has concerns about the international transfer of Customer Influencer Data then it should not provide such data to Cision or should discuss any concerns with Cision before doing so.
17. Should Cision customers be concerned about any personal data that may have been included in private lists that Cision processes on our behalf?
Customers should carry out their own assessment of whether any personal data they provide to Cision (either Customer Influencer Data or Customer Data) may be particularly sensitive, and, if so, should consider whether to withhold or remove such data from, for example, private influencer/journalist lists.
18. Are you making any changes to the SCCs?
The decision in Schrems II does not mandate changes to the SCCs.
We have implemented the 2021 SCCs via our customer data processing agreement which new customers will sign up to along with any existing customers who wish to. The 2010 SCCs can be used until January 2023.
19. How will you be addressing transfers to countries other than the US?
Cision is considering assessments of international transfers of personal data to territories other than the US.
Cision's view is that even if those regimes did allow access similar to that afforded to US law enforcement agencies, and even if the redress afforded to data subjects suffered from the same shortfalls as the European Court identified as existing in the US, the public nature of the data and its inherent lack of interest to law enforcement means that the risks involved in transfers to those countries are low.
We will be carefully monitoring any further guidance from the EDPB and national DPAs, and any best practice recommendations. This will be an ongoing process.
20. What steps are you taking to ensure that your third party suppliers/vendors provide an adequate level of protection in relation to data they process on Cision's behalf?
We are conducting audits of our third party suppliers and vendors to ensure that they provide adequate protection for personal data processed on Cision's behalf.
21. How will Cision be addressing transfers to and from the UK in light of Brexit?
Under domestic legislation the UK has adopted GDPR which is now known as UK GDPR. The law related to international data transfers thus continues to apply to transfers to and from the UK, save that the UK is now considered to be a 'third country' so far as GDPR is concerned.
On the 28th June 2021 the European Commission adopted an adequacy decision for the UK as it regards the UK as having an ‘essentially equivalent’ level of protection to that within the EU.
Consequently personal data transfers from the EEA to the UK can continue without any further safeguards.
The UK has agreed to treat the EEA as an 'adequate' jurisdiction for the purposes of the UK GDPR. This means that transfers from the UK to the EU will not require any further safeguards.
Under the UK GDPR transfers from the UK to countries outside the EEA will be subject to the same restrictions as they were when the UK was part of the EU. Cision will continue to rely on EU SCCs in relation to such transfers for now.
The UK’s Information Commissioner’s Office is in the process of consulting industry on the contents of the proposed UK SCCs and Cision will monitor this.
22. What steps has Cision taken to tell influencers of these changes?
Cision has updated its Privacy Notices to alert influencers to the Schrems II decision and its implications, and to remind them of their ability to request amendment/removal of their profiles.
23. What steps can influencers take to protect their personal data if they are concerned about it being transferred outside the EEA?
Influencers should note an update to Cision’s Influencer Privacy Notice which states the following:
"You may be aware of a recent (July 2020) ruling by the European Court of Justice commonly known as "Schrems II" which impacts data transfers to the US and other countries outside the EU. The case arose out of concerns that the US law enforcement authorities may be able to access data that was transferred to the US, and that data subjects like you would not have adequate means of objecting to such access or use of your data if you were concerned about it. The ruling affected two common means of ensuring that your data is protected which are known as (a) Privacy Shield and (b) 'Standard Contractual Clauses' (or 'SCCs'). The European Court ruled that Privacy Shield was no longer valid but confirmed that the SCCs were valid though data exporters (like Cision) who were using SCCs should take additional steps to ensure that there were adequate safeguards in place. Cision does not rely on Privacy Shield for its international data transfers. Regarding its use of SCCs, Cision has carefully assessed the transfers it conducts, and has concluded that there are adequate safeguards in place, particularly given that the vast majority of influencer data processed by Cision is public domain and given the nature of services provided by Cision. However, if you are at all concerned by the possibility that your personal data may be accessed by law enforcement agencies in the US (or in any other country) then please let us know by contacting us at privacy@cision.com and we can either amend your profile to remove any data that is of concern, or remove you from our database."
EEA-based Influencers may wish to review their profiles to see whether there is any information in their profile that they would not want to be transferred outside the EEA. Influencers may contact Cision for a copy of their profile at privacy@cision.com.
Cision will amend profiles on request and will remove any influencer from the Cision databases entirely if they no longer wish to be included.
LAST UPDATED MAY 2023