Zscaler Transfer Impact Assessment Whitepaper

Introduction

Zscaler is committed to enabling its customers to use all Zscaler products in compliance with data protection regulations, including the General Data Protection Regulation (GDPR). Since the Court of Justice of the European Union’s (CJEU’s) Schrems II ruling, which invalidated the EU-US Privacy Shield as a valid mechanism to transfer personal data from the European Economic Area (EEA) to the United States, the European Data Protection Board (EDPB) has provided recommendations on assessing whether there is an “essentially equivalent” level of protection as is guaranteed within the EEA for data transfers outside the EEA.

This white paper provides information to assist Zscaler customers in conducting data transfer impact assessments in connection with their use of Zscaler products in accordance with the EDPB’s recommendations. In particular, this white paper demonstrates how Zscaler complies with its obligations under applicable data protection laws and Zscaler’s customer agreements when entering into standard contractual clauses (SCCs), the validity of which the CJEU upheld in its Schrems II decision.

EDPB Recommendations

The EDPB recommendations provide guidance for assessing whether there is an essentially equivalent level of protection for data transfers outside the EEA. Specifically, the EDPB recommends that data exporters perform the following six-step data transfer assessment:

  • Step 1: Perform a mapping of international data transfers, and assess whether the data transferred is adequate, relevant, and limited to what is strictly necessary.

  • Step 2: Verify the transfer tool on which the transfer relies (the SCCs).

  • Step 3: Assess the laws or practices of the third countries that may impinge on the effectiveness of the appropriate safeguards of the transfer tool.

  • Step 4: If the data exporter’s assessment is that the use of the transfer tool alone would not provide an essentially equivalent level of protection, identify the supplemental contractual, technical or organizational measures that are necessary to bring the level of protection of the data transferred up to the EEA standard of essential equivalence.

  • Step 5: Take any formal procedural steps that the adoption of supplementary measure(s) may require.

  • Step 6: Re-evaluate, at appropriate intervals, the level of protection afforded to the data that the data exporter transfers to third countries, and monitor if there have been or there will be any developments that may affect it.

    The full text of the EDPB’s recommendations can be found at https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.

Step 1: Mapping Data Transfers

Zscaler is committed to responsibly and lawfully transferring personal data when providing our products and services from different countries and regions. We process data globally in order to administer our services, such as accessing the nearest data centers, providing assistance from international support teams, and using hosting providers.

    Where Zscaler processes personal data governed by applicable data protection laws, including GDPR, Zscaler complies with its obligations under its Data Processing Agreement (DPA), which is available at https://www.zscaler.com/resources/legal/zscaler-data-processing-agreement.pdf.

    The Zscaler DPA incorporates the SCCs. Exhibit A of the DPA provides information on the nature of Zscaler’s processing activities and the types of customer’s personal data we process in relation to the services provided. Exhibit B of the DPA describes the technical and organizational information security measures implemented by Zscaler.

    Sub-Processors

    Like all SaaS providers, Zscaler uses sub-processors to provide its products and services. We have entered into written agreements with all such sub-processors (with written commitments regarding their security and data protection controls) and we remain liable for the acts and omissions of these sub-processors. We perform due diligence on the security and privacy practices of our sub-processors to ensure that they provide a level of security and privacy appropriate to their access to customer data (which may include personal data) and the scope of the services they are engaged to provide.

    For more information about our sub-processors, please refer to: https://www.zscaler.com/privacy-compliance/subprocessors.

Step 2: Identifying Transfer Tools

Zscaler uses SCCs, incorporated into its DPA, to provide appropriate safeguards for the transfer of personal data originating from the EEA, Switzerland and the United Kingdom. Both the Schrems II ruling and the EDPB recommendations confirm that SCCs remain a valid mechanism for transferring personal data subject to the GDPR outside the EEA and Switzerland, provided the exporter assesses, and where necessary supplements, the protection they afford. The SCCs for transfers to third countries adopted by Commission Implementing Decision (EU) 2021/914 are incorporated in Exhibit C of the Zscaler DPA (EU SCCs).

For data transfers from the United Kingdom, the UK Information Commissioner’s Office continues to recognize the previous version of the SCCs (adopted by Commission Decision 2010/87/EU) as a valid transfer mechanism (UK SCCs). The UK SCCs, attached to the Zscaler DPA as Exhibit D, remain applicable until the United Kingdom adopts an alternative transfer mechanism.

The Zscaler DPA is available at: https://www.zscaler.com/resources/legal/zscaler-data-processing-agreement.pdf

Step 3: Assessing Laws & Practices of Recipient Countries

In accordance with the recommendations of the EDPB, Zscaler has performed an assessment of whether the laws and/or practices in force in the countries where Zscaler processes customer data may impinge on the effectiveness of the appropriate safeguards of the SCCs.

Specifically, the following overview presents an assessment of the jurisdictions in which Zscaler or its sub-processors may process customer data in the course of providing our products and services:

United States

In its Schrems II decision, the CJEU identified the following U.S. laws as being potential obstacles to ensuring essentially equivalent protection for personal data transferred from the EEA to the United States:

  • FISA Section 702 (“FISA 702”), which allows U.S. government authorities to compel electronic communication service providers to disclose information about non-U.S. persons located outside the U.S. for the purpose of gathering foreign intelligence information.
  • Executive Order 12333 ("EO 12333"), which authorizes intelligence agencies (such as the U.S. National Security Agency) to conduct surveillance outside of the United States.

The U.S. government has provided further information about the application of these laws in the following whitepaper: “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” (the “US White Paper”).

With regard to FISA 702, the US White Paper notes that the concerns highlighted in Schrems II about national security access to personal data processed by commercial U.S. companies are, for most such companies, “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies whose EU-U.S. transfers of personal data involve “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”

Furthermore, individuals of any nationality (including EU citizens) can seek redress for violations of FISA 702, including under FISA provisions allowing private actions for compensatory and punitive damages.

With regard to EO 12333, the US White Paper notes that EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Any requirement that a company disclose data to the U.S. government for intelligence purposes under EO 12333 must be authorized by statute (such as FISA 702) and must be targeted at specific persons or identifiers. Moreover, bulk data collection, which is the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.

Taking into account the practices of the U.S. public authorities, and the fact that Zscaler has never been subject to a U.S. government request for access to customer personal data under FISA 702, EO 12333 or any other U.S. law, Zscaler concludes that:

  • While the definition of “electronic communication service” is very broad, Zscaler products and services do not involve the provision of electronic communications that would be within the scope of FISA 702 surveillance authorizations;

  • U.S. surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

  • Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

India

India has two laws that potentially could permit electronic surveillance of personal data:

  • Section 5(2) of the Telegraph Act (1885) allows the Indian government to intercept and disclose electronic or telephonic messages on the occurrence of any public emergency or in the interest of public safety.

  • Section 69 of the Information Technology Act (2000) allows the Indian government to intercept, monitor, or decrypt any information received or stored through any computer resource if such activity is “necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.”

    The Supreme Court of India has recognized the right to privacy as a fundamental right under the Indian Constitution, which limits the scope of application of these Indian surveillance laws. In particular, under applicable rules, any interception, monitoring or decryption of electronic information by the Indian government must be approved by a competent authority (e.g., the Union Home Secretary), and such approval is subject to mandatory periodic reviews.

    Taking into account the practices of the Indian public authorities, and the fact that Zscaler has never been subject to an Indian government request for access to customer personal data, Zscaler concludes that:

  • Indian surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

  • Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

Nicaragua

Personal information is protected in Nicaragua under the Law on Personal Data Protection No. 787 dated March 21, 2012 and the Regulation of Law No. 787, Decree No. 36-2012, dated October 17, 2012. The Law and the Regulation provide for the creation of a data protection authority within the Ministry of Finance and Public Credit. This data protection authority is intended to be the regulatory entity in charge of (i) registering data files and (ii) determining the correct application of Nicaragua’s data protection laws. To date, this data protection authority has not been established.

In addition, the Nicaraguan constitution contains a general constitutional provision that all individuals are entitled to privacy.

Nicaragua’s data protection law generally requires consent for the gathering and processing of personal data. Consent is not necessary when (i) personal data is processed pursuant to a reasoned order, issued by a competent judicial authority; (ii) processing of personal data is necessary for fulfilling obligations derived from a legal relationship; or (iii) personal data is obtained from sources of unrestricted public access. Consent must be free and specific, and may be tacit or express, whether obtained verbally or in writing.

In December 2020, Nicaragua’s Special Cybercrimes Law came into effect. According to the Nicaraguan Human Rights Center, the law authorizes the Nicaraguan government’s telecommunications agency (TELCOR) and the Foreign Ministry to block websites, networks, applications, and other online and communication services. The law prescribes penalties for offenses such as dissemination of false information, incitement of hatred or violence, and endangerment of national security. In addition, in January 2021, TELCOR published an administrative agreement that requires telecommunications companies to collect and preserve certain data from their users. However, neither the Special Cybercrimes Law nor the TELCOR administrative agreement is directed at, or has been used for, surveillance of the kinds of commercial information collected and processed by Zscaler.

Taking into account the practices of the Nicaraguan public authorities, and the fact that Zscaler has never been subject to a Nicaraguan government request for access to customer personal data, Zscaler concludes that:

  • Nicaraguan surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

  • Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

As a global SaaS provider, Zscaler is subject to the laws of multiple jurisdictions. Zscaler is not aware of any applicable laws that would impinge on the effectiveness of the appropriate safeguards of the transfer tools that Zscaler relies on for transfers of personal data to a country outside of the EU/EEA. Considering the practices of the relevant third countries’ public authorities, Zscaler is confident that it can ensure, in practice, the effective protection of the personal data transferred.


Steps 4 & 5: Implementing Supplementary Measures

Technical Measures

As a security-as-a-service provider, data protection and security are core to Zscaler’s business. Below are just some of the safeguards and controls we have in place or make available to our customers:

  • Technical Safeguards. Zscaler uses a variety of techniques to protect personal information, including tokenization, obfuscation, and encryption. Data is encrypted at rest, and data in transit is protected with Transport Layer Security (TLS). Please refer to Exhibit B of the DPA for more information on our security measures.

  • Access Control. Zscaler only allows access to customer personal data by personnel who are authorized administrators with appropriate privileges. The servers and databases that hold customer personal data can be reached only through the application itself or through jump servers, and jump-server access is restricted to authorized operations personnel who must authenticate with multi-factor authentication. Our employees are required to sign a non-disclosure agreement or other confidentiality agreement upon employment.

  • Security Certifications. At Zscaler, we adhere to rigorous security and privacy standards and follow industry best practices. Zscaler products are certified or attested against internationally recognized government and commercial standards, such as ISO 27701 certification and SOC 2 attestation. For more information regarding the various internationally recognized certifications and accreditations we hold, please visit: https://www.zscaler.com/privacy-compliance/compliance.

Contractual Measures

Zscaler’s contractual obligations are set out in the DPA, which incorporates the SCCs. Furthermore, Zscaler contractually requires all sub-processors that process personal data on our behalf to abide by rigorous privacy and security standards.

Organizational Measures

Zscaler’s organizational measures to secure customer data include:

  • Policy for Government Access Requests. In compliance with the EU and UK SCCs, Zscaler will promptly notify a customer of any legally binding and valid request for such customer’s data or for direct access to such customer’s data by a law enforcement or other government agency, unless we are explicitly prohibited from doing so by law. When faced with a valid, legal subpoena issued by a court or law enforcement agency seeking information about one or more Internet Protocol (“IP”) transactions associated with one or more Zscaler IP addresses, Zscaler will only identify its customer (i.e., corporate entity) corresponding to that IP address and provide contact information for that customer. Zscaler will not provide a written log of any transaction, or any other customer information associated with any transaction (unless specifically compelled by a court of law to do so, which has never occurred to date).

  • Employee training. Zscaler provides annual data protection and information security training to all Zscaler employees.

Step 6: Reevaluating When Necessary

Zscaler will regularly review and, if necessary, reconsider the measures it has implemented with respect to data transfers in order to address changing data privacy regulations and risk 


Contact Us

For any further questions, please contact us at [email protected].

DISCLAIMER: While this white paper is designed to assist Zscaler customers with data transfer impact assessments in connection with Zscaler's services and products, the information contained herein should not be construed as legal advice. Customers are responsible for making their own independent assessment of the information in this white paper and conducting their own due diligence. Information and views expressed in this white paper, including URL and other internet website references, may be revised without notice.