Zscaler Transfer Impact Assessment White Paper

Introduction

Zscaler is committed to enabling customers to use all Zscaler products in compliance with data protection regulations, including the General Data Protection Regulation (GDPR). Since the Schrems II ruling by the Court of Justice of the European Union (CJEU), which invalidated the EU-US Privacy Shield as a valid mechanism to transfer personal data from the European Economic Area (EEA) to the US, the European Data Protection Board (EDPB) has provided recommendations on assessing whether there is an “essentially equivalent” level of protection as is guaranteed within the EEA for data transfers outside the EEA.

The information in this white paper can help Zscaler customers conduct data transfer impact assessments in connection with their use of Zscaler products in accordance with the EDPB’s recommendations. In particular, this white paper demonstrates how Zscaler complies with its obligations under applicable data protection laws and Zscaler’s customer agreements when entering into standard contractual clauses (SCCs), the validity of which the CJEU upheld in its Schrems II decision.

EDPB Recommendations

The EDPB recommendations provide guidance for assessing whether there is an essentially equivalent level of protection for data transfers outside the EEA. Specifically, the EDPB recommends that data exporters perform the following six-step data transfer assessment:

  • Step 1: Map international data transfers, and assess whether the data transferred is adequate, relevant, and limited to what is strictly necessary.
  • Step 2: Verify the transfer tool on which the transfer relies (the SCCs).
  • Step 3: Assess the laws or practices of the third countries that may impinge on the effectiveness of the appropriate safeguards of the transfer tool.
  • Step 4: If the data exporter’s assessment is that the use of the transfer tool alone would not provide “essentially equivalent” protection, identify the supplemental contractual, technical, or organizational measures necessary to bring the level of protection up to the EEA standard of essential equivalence.
  • Step 5: Take any formal procedural steps that the adoption of supplementary measure(s) may require.
  • Step 6: Reevaluate, at appropriate intervals, the level of protection afforded to the data that the data exporter transfers to third countries, and monitor if there have been or will be any developments that may affect it.

For further details, please see the full text of EDPB’s recommendations.

Step 1: Mapping Data Transfers

Zscaler is committed to responsibly and lawfully transferring personal data when providing our products and services from different countries and regions. We process data globally to administer our services, such as accessing the nearest data centers, providing assistance from international support teams, and using hosting providers.

Where Zscaler processes personal data governed by applicable data protection laws, including GDPR, Zscaler complies with its obligations under its Data Processing Agreement (DPA).

The Zscaler DPA incorporates the SCCs. Exhibit A of the DPA provides information on the nature of Zscaler’s processing activities and the types of customers’ personal data we process in relation to the services provided. Exhibit B of the DPA describes the technical and organizational information security measures implemented by Zscaler.

Sub-Processors

Like all SaaS providers, Zscaler uses sub-processors to provide its products and services. We have entered into written agreements with all such sub-processors (with written commitments regarding their security and data protection controls), and we remain liable for the acts and omissions of these sub-processors. We perform due diligence on the security and privacy practices of our sub-processors to ensure that they provide a level of security and privacy appropriate to their access to customer data (which may include personal data) and the scope of the services they are engaged to provide.

For more information about our sub-processors, please refer to our Sub-Processors overview page.

Step 2: Identifying Transfer Tools

Zscaler uses SCCs, incorporated into its DPA, to provide appropriate safeguards for the transfer of personal data originating from the EEA, Switzerland, and the United Kingdom. Both the Schrems II ruling and the EDPB recommendations confirm that SCCs are a valid mechanism for transferring personal data subject to the GDPR outside the EEA and Switzerland. The SCCs adopted by the decision (EU) 2021/915 of the European Commission are incorporated in Exhibit C of the Zscaler DPA (EU SCCs).

For data transfers from the United Kingdom, the UK Information Commissioner’s Office continues to recognize SCCs (previous version adopted by the decision 2010/87/EU of the European Commission) as a valid transfer mechanism (UK SCCs). The UK SCCs, as attached to the Zscaler DPA in Exhibit D, remain applicable until the United Kingdom adopts an alternative transfer mechanism.

Details can be found in the Zscaler DPA.

Step 3: Assessing Laws and Practices of Recipient Countries

In accordance with the recommendations of the EDPB, Zscaler has performed an assessment of whether the laws and/or practices in force in the countries where Zscaler processes customer data may impinge on the effectiveness of the appropriate safeguards of the SCCs.

Specifically, the following overview presents an assessment of jurisdictions where Zscaler’s sub-processors may process customer data, through the use of our products and services:

United States

In its Schrems II decision, the CJEU identified the following US laws as potential obstacles to ensuring essentially equivalent protection for personal data transferred from the EEA to the US:

  • FISA Section 702 (“FISA 702”), which allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering.
  • Executive Order 12333 ("EO 12333"), which authorizes intelligence agencies (such as the US National Security Agency) to conduct surveillance outside of the US.

The US government has provided further information about the application of these laws in Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “US White Paper”).

With regard to FISA 702, the US White Paper notes that the concerns highlighted in Schrems II about national security access to personal data processed by commercial US companies are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies whose EU-US transfers of personal data involve “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”

Furthermore, individuals of any nationality (including EU citizens) can seek redress for violations of FISA 702, including under FISA provisions allowing private actions for compensatory and punitive damages.

With regard to EO 12333, the US White Paper notes that EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Any requirement that a company disclose data to the US government for intelligence purposes under EO 12333 must be authorized by statute (such as FISA 702) and targeted at specific persons or identifiers. Moreover, bulk data collection, which is the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.

Taking into account the practices of the US public authorities, and the fact that Zscaler has never been subject to a US government request for access to customer personal data under FISA 702, EO 12333, or any other US law, Zscaler concludes that:

  • While the definition of “electronic communication service” is very broad, Zscaler products and services do not involve the provision of electronic communications that would be within the scope of FISA 702 surveillance authorizations;
  • US surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and
  • Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

India

India has two laws that could permit electronic surveillance of personal data:

  • Section 5(2) of the Telegraph Act (1885) allows the Indian government to intercept and disclose electronic or telephonic messages on the occurrence of any public emergency or in the interest of public safety.
  • Section 69 of the Information Technology Act (2000) allows the Indian government to intercept, monitor, or decrypt any information received or stored through any computer resource if such activity is “necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.”

The Supreme Court of India has recognized the right to privacy as a fundamental right under the Indian Constitution, which limits the scope of application of these Indian surveillance laws. In particular, under applicable rules, any interception, monitoring, or decryption of electronic information by the Indian government must be approved by a competent authority (e.g., the Union Home Secretary), and such approval is subject to mandatory periodic reviews.

Taking into account the practices of the Indian public authorities, and the fact that Zscaler has never been subject to an Indian government request for access to customer personal data, Zscaler concludes that:

  • Indian surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and
  • Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

Nicaragua

Personal information is protected in Nicaragua under the Law on Personal Data Protection No. 787 dated March 21, 2012 and the Regulation of Law No. 787, Decree No. 36-2012, dated October 17, 2012. The Law and the Regulation provide for the creation of a data protection authority within the Ministry of Finance and Public Credit. This data protection authority is intended to be the regulatory entity in charge of (i) registering data files and (ii) determining the correct application of Nicaragua’s data protection laws. To date, this data protection authority has not been established.

In addition, the Nicaraguan constitution contains a general constitutional provision that all individuals are entitled to privacy.

Nicaragua’s data protection law generally requires consent for the gathering and processing of personal data. Consent is not necessary when (i) personal data is processed pursuant to a reasoned order, issued by a competent judicial authority; (ii) processing of personal data is necessary for fulfilling obligations derived from a legal relationship; or (iii) personal data is obtained from sources of unrestricted public access. Consent must be free and specific, and may be tacit or express, whether obtained verbally or in writing.

In December 2020, Nicaragua’s Special Cybercrimes Law came into effect. According to the Nicaraguan Human Rights Center, the law authorizes the Nicaraguan government’s telecommunications agency (TELCOR) and the Foreign Ministry to block websites, networks, applications, and other online and communication services. This law describes penalties for offenses such as dissemination of false information, incitement of hatred or violence, and endangerment of national security. In addition, in January 2021, TELCOR published an administrative agreement that requires telecommunications companies to collect and preserve certain data from their users. However, neither the Special Cybercrimes Law nor the TELCOR administrative agreement is directed at or has been used for surveillance purposes with regard to the kinds of commercial information collected and processed by Zscaler.

Taking into account the practices of the Nicaraguan public authorities, and the fact that Zscaler has never been subject to a Nicaraguan government request for access to customer personal data, Zscaler concludes that:

  • Nicaraguan surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and
  • Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

As a global SaaS provider, Zscaler is subject to the laws of multiple jurisdictions. Zscaler is not aware of any applicable laws that would impinge on the effectiveness of the appropriate safeguards of the transfer tools Zscaler relies on for transfers of personal data to a country outside of the EU/EEA. Considering the practices of the relevant third countries’ public authorities, Zscaler is confident that it can ensure, in practice, the effective protection of the personal data transferred.

Steps 4 and 5: Implementing Supplementary Measures

Technical Measures

Data protection and security are core to Zscaler’s business as a security-as-a-service provider. The following are some of the safeguards and controls we have in place or empower our customers to enable.

Zscaler uses a variety of techniques to protect data, including personal information, throughout its life cycle from collection to destruction. Some of the technical measures implemented at Zscaler to ensure security of data include:

  • Safeguards for data storage and transfers: Zscaler uses a variety of techniques to protect personal information, such as tokenization, obfuscation, and encryption. For example, encryption is used for data storage and during transmission of data via Transport Layer Security (TLS) channels.
  • Access control: Zscaler implements logical access control to ensure access to customer personal data is limited to authorized administrators with appropriate privileges. The only access to these servers and databases is via secure access by the application or via jump servers with access restricted to authorized operations personnel via multifactor authentication. Access reviews are performed regularly to verify that only legitimate users have access to applications or infrastructure. Our employees are required to sign a nondisclosure agreement or other confidentiality agreement upon employment.
  • Audit logs: Zscaler maintains audit logs to monitor data access.
  • Security certifications: At Zscaler, we adhere to rigorous security and privacy standards and follow industry best practices. All Zscaler products are certified against internationally recognized government and commercial standards, such as ISO 27701 and SOC 2. For more information regarding the various internationally recognized certifications and accreditations we hold, please visit our Compliance and Security Standards page.

Note: Please refer to Exhibit B of the DPA for more information on our security measures.

Contractual Measures

Zscaler’s contractual obligations are set out in the DPA, which incorporates the SCCs. Furthermore, Zscaler contractually requires all sub-processors that process personal data on our behalf to abide by rigorous privacy and security standards.

Organizational Measures

Zscaler’s organizational measures to secure customer data include:

  • Policy for government access requests: In compliance with the EU and UK SCCs, Zscaler will promptly notify a customer of any legally binding and valid request for such customer’s data or for direct access to such customer’s data by a law enforcement or other government agency, unless we are explicitly prohibited from doing so by law. When faced with a valid, legal subpoena issued by a court or law enforcement agency seeking information about one or more Internet Protocol (“IP”) transactions associated with one or more Zscaler IP addresses, Zscaler will only identify its customer (i.e., corporate entity) corresponding to that IP address and provide contact information for that customer. Zscaler will not provide a written log of any transaction, or any other customer information associated with any transaction (unless specifically compelled by a court of law to do so, which has never occurred to date).
  • Employee training: All Zscaler employees are required to take mandatory training on data protection and information security during onboarding. Employees are required to refresh this training on an annual basis.
  • Product due diligence: Zscaler evaluates any changes to our products or services by conducting a privacy impact assessment prior to release.
  • Internal audits: Zscaler performs routine internal audits to ensure that our information security policy and safeguards are being implemented.

Step 6: Reevaluating When Necessary

Zscaler will regularly review and, if necessary, reconsider the measures it has implemented with respect to data transfers to address changing data privacy regulations and risk.

Contact Us

For any further questions, please contact us at [email protected].

DISCLAIMER: While this white paper is designed to assist Zscaler customers with data transfer impact assessments in connection with Zscaler's services and products, the information contained herein should not be construed as legal advice. Customers are responsible for making their own independent assessments of the information in this white paper and conducting their own due diligence. Information and views expressed in this white paper, including URLs and other internet website references, may be revised without notice.