Data Privacy at Zscaler

LATEST DATA PRIVACY UPDATE ON FEBRUARY 29, 2016

On February 29, 2016, the European Commission (EU Commission) unveiled the text of the EU-U.S. Privacy Shield (Privacy Shield).The Privacy Shield is designed to replace the invalidated EU-U.S. Safe Harbor Framework and to provide a new legal framework for data transfers from the EU to the U.S. Although the Privacy Shield is based on the same principles as the Safe Harbor Framework, the Privacy Shield differs significantly in a number of key respects, most notably by creating new redress mechanisms and imposing stricter and more prescriptive obligations for companies.

Although this announcement is a major step towards a new data transfer regime, full adoption still faces review and other hurdles before the Privacy Shield will take effect. Specifically, the Privacy Shield will now be reviewed by the body of EU privacy regulators—the Working Party 29 or WP29—and will have to be formally adopted by the EU Commission before being available as a data transfer solution. The approval process is expected to take many months. If adopted, it will almost certainly face immediate challenges before EU Data Protection Authorities (DPAs) and in the courts.

We will continue to monitor the approval process for the Privacy Shield. 


DATA PRIVACY UPDATE ON FEBRUARY 3, 2016

On February 3, 2016, the body of European data protection regulators called the "Article 29 Working Party" (WP29) issued a statement following the announcement of a political agreement regarding a new transatlantic data transfer scheme – the EU-U.S. Privacy Shield. This is the second guidance document issued by the WP29 following the invalidation of the EU-U.S. Safe Harbor Framework Agreement (Safe Harbor) by the Court of Justice of the European Union (CJEU) on October 6, 2015.

Guidance from the WP29 is a good indication of how EU data protection authorities are likely to interpret the law, but it is not legally binding on national data protection authorities or national courts.

In sum, the WP29 said that it welcomes the announcement of the EU-U.S. Privacy Shield, but it will now review it carefully in light of the CJEU’s decision.  In parallel, the WP29 is reviewing EU Standard Contractual Clauses and Binding Corporate Rules, which are the other legal bases for transferring data from the EU to the U.S.  The WP29 confirmed that data transfers under Safe Harbor are unlawful, but that EU Standard Contractual Clauses and Binding Corporate Rules remain valid.  The WP29 is expected to issue its opinion regarding the validity of the Privacy Shield, EU Standard Contractual Clauses and Binding Corporate Rules by the end of March 2016 at the earliest. 


Data Privacy Update on October 6, 2015

On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled that the EU-US Safe Harbor Framework does not provide a valid legal basis for transfers of personal data from Europe to the U.S. This decision understandably raised many questions and concerns for organizations that process personal data from Europe. We value your trust and share in the same concerns over your privacy and that of your data and want to take this opportunity to address what this ruling means for your continued use of Zscaler’s services.

What is the EU-US Safe Harbor Framework?

The EU-US Safe Harbor Framework was established by the European Commission and the U.S. Department of Commerce in 2000 to facilitate transfers of personal data from the EU to eligible U.S. companies that certify to and comply with the Safe Harbor principles. Additional information about the EU-US Safe Harbor Framework is available at the U.S. Department of Commerce’s website: http://www.export.gov/safeharbor/ 

How does the European Court of Justice's decision affect use of Zscaler?

The CJEU’s decision does not prohibit data transfers to entities in the United States, but instead requires that another method of compliance with EU data protection laws be utilized. To that end, we are pleased to offer our customers the ability to enter into our Data Processing Agreement (“DPA”) which incorporates the European Commission’s standard contractual clauses (“Model Clauses”). Our DPA ensures that our customers can continue to validate transfers of personal data that is processed using Zscaler’s services under EU data protection laws, whether or not the Safe Harbor Framework is ultimately updated or maintained.

What are the Model Clauses?

The Model Clauses are contract templates developed by the European Commission as a mechanism for parties to validly transfer personal data from Europe. Importantly, since the CJEU’s decision on Safe Harbor, the Article 29 Working Party (the primary advisory board for the European Commission on matters of data privacy laws and their application) has confirmed that transfers of data from Europe to the United States based on Model Clauses remain valid.

How can Zscaler customers request a DPA?

If you would like to enter into a DPA with Zscaler, you can download the pre-signed DPA here (Zscaler Data Processing Agreement) or you can email us at contracts@zscaler.com requesting a pre-signed DPA. 

Can Zscaler restrict data transfers from Europe?

Zscaler offers its European customers the ability to request that certain critical data be hosted in Europe. Nevertheless, since the concept of “transfer” under applicable data privacy laws is broadly interpreted to include activities that Zscaler may undertake as a data processor in jurisdictions outside Europe, Zscaler cannot restrict data transfers from Europe. However, Zscaler maintains a comprehensive data security program and utilizes robust standard for the processing of personal data in order to protect your data and our DPA is designed to ensure that any data transfer from Europe is done in strict compliance with applicable data security and privacy laws.

What if I have any additional questions?

Please email contracts@zscaler.com if you have any further questions.

DATA PRIVACY IN AUSTRALIA and NEW ZEALAND

The following is a brief summary of how Zscaler’s privacy policies comply with Data Privacy Laws put forth by the governments of Australia and New Zealand. For purpose of both Australian and New Zealand Privacy Laws, Zscaler acts as the processor, not collector of the data, of its customers’ end users.

 

Compliance with Australian Privacy Laws

In Australia, the key privacy legislation applying to Zscaler is the Privacy Act 1988 (Cth). The Privacy Act applies to most private sector organizations operating in Australia and sets a national standard for the collection, use and disclosure, quality and security of “Personal Information”. In particular, effective March 12, 2014, the Privacy Act establishes the Australian Privacy Principles (APPs) that set out these key obligations.

The APPs regulate the collection, use and disclosure of personal information, and also allow individuals to access their personal information and have it corrected if it is incorrect. Further information regarding the APPs are set out on the Australian Government website at www.oaic.gov.au

Of the 13 APPs, the following are most noteworthy:

• APP 1 (open and transparent management of personal information) provides that entities must take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs and publish their privacy policy;
• APP 5 (notification of collecting personal information) requires entities to ensure that at before, at the time of, or as soon as practicable after, an entity collects personal information from an individual the entity must take such steps as are reasonable in the circumstances to notify the individual of the collection of the personal information;
• APP 7 (direct marketing) restricts the use or disclosure of personal information for direct marketing unless an exception applies; and
• APP 8 (cross-border disclosure of personal information) requires that before an entity discloses personal information about an individual to a person or entity overseas, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs.

“Personal Information” is defined as any information or an opinion about an identified individual, or an individual who is reasonably identifiable: (i) whether the information or opinion is true or not; and (ii) whether the information or opinion is recorded in a material form or not. This information can include customer name and contact information including postal address, email address and telephone number, billing information, credit or debit card information, and transaction information for any products or services that may have been purchased.

Zscaler adheres to the APPs for all Personal Information that we collect from our customers (i.e., the companies that utilize and pay for our services) and from any other individuals that we may receive or collect personal information from. For example:

• We only collect Personal Information of the individuals who have registered or signed up for our services or who have signed by to receive information regarding our services on our website;
• We only use Personal Information for the purposes set out in our Privacy Policy and we only disclose such personal information to third party agents as outlines in our Privacy Policy.

Compliance with New Zealand Privacy Laws

In New Zealand, the Privacy Act 1993 (the Act) provides the parameters for information privacy, dealing with the collection and disclosure of personal information. Part 2 of the Act sets forth 12 information privacy principles (NZ IPPs) that stipulate how information can be collected and used, the manner for doing so, and individual rights for access to the information and how it can be corrected. These NZ IPPs can be found at http://privacy.org.nz/information-privacy-principles.

Of the 12 principles, the following are most noteworthy:

  • Collection of personal information, including reasons personal information may be collected, from where it may be collected, and how it is collected (Principles 1-4).
  • Restrictions on personal information use or disclosure, including ensuring information is accurate and up-to-date, and that it isn't improperly disclosed (Principles 10 and 11).

 

Zscaler’s handling of personal information under its Privacy Policy is aligned with the 12 NZ IPPs, including those directing that personal information be collected for lawful purposes (e.g., for processing customer service issues), that data should be collected directly from individuals (e.g., end users using our services), that notice of collection of data and purpose of the data collection is provided, or that data be collected in a legal manner.

Complaints

If you wish to make a complaint about the way Zscaler has handled your personal information (including if you think we have breached any applicable privacy laws), you may contact us at contracts@zscaler.com. Please include your full name, contact details and a detailed description of your complaint. We will acknowledge receipt of your complaint and respond to you regarding your complaint within a reasonable period of time.If you consider that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.