Zscaler Transfer Impact Assessment White Paper

Last updated on June 14, 2023

Contents

Introduction
EDPB Recommendations
Step 1: Mapping Data Transfers
Step 2: Identifying Transfer Tools
Step 3: Assessing Laws and Practices of Recipient Countries
Steps 4 and 5: Implementing Supplementary Measures
Step 6: Re-evaluating When Necessary

Introduction

Zscaler is committed to enabling customers to use all Zscaler products in compliance with data protection regulations, including the General Data Protection Regulation (GDPR). Since the Schrems II ruling by the Court of Justice of the European Union (CJEU), which invalidated the EU-US Privacy Shield as a valid mechanism to transfer personal data from the European Economic Area (EEA) to the US, the European Data Protection Board (EDPB) has provided recommendations on assessing whether there is an “essentially equivalent” level of protection as is guaranteed within the EEA for data transfers outside the EEA.

The information in this white paper can help Zscaler customers conduct data transfer impact assessments in connection with their use of Zscaler products in accordance with the EDPB’s recommendations. In particular, this white paper demonstrates how Zscaler complies with its obligations under applicable data protection laws and Zscaler’s customer agreements when entering into standard contractual clauses (SCCs), the validity of which the CJEU upheld in its Schrems II decision.

EDPB Recommendations

The EDPB recommendations provide guidance for assessing whether there is an essentially equivalent level of protection for data transfers outside the EEA. Specifically, the EDPB recommends that data exporters perform the following six-step data transfer assessment:

• Step 1: Map international data transfers, and assess whether the data transferred is adequate, relevant, and limited to what is strictly necessary.

• Step 2: Verify the transfer tool on which the transfer relies (the SCCs).

• Step 3: Assess the laws or practices of the third countries that may impinge on the effectiveness of the appropriate safeguards of the transfer tool.

• Step 4: If the data exporter’s assessment is that the use of the transfer tool alone would not provide “essentially equivalent” protection, identify the supplemental contractual, technical, or organizational measures necessary to bring the level of protection up to the EEA standard of essential equivalence.

• Step 5: Take any formal procedural steps that the adoption of supplementary measure(s) may require.

• Step 6: Reevaluate, at appropriate intervals, the level of protection afforded to the data that the data exporter transfers to third countries, and monitor if there have been or will be any developments that may affect it.

For further details, please see the full text of EDPB’s recommendations.

Step 1: Mapping Data Transfers

Zscaler is committed to responsibly and lawfully transferring personal data when providing our products and services from different countries and regions. We process data globally to administer our services, such as accessing the nearest data centers, providing assistance from international support teams, and using hosting providers.

Where Zscaler processes personal data governed by applicable data protection laws, including GDPR, Zscaler complies with its obligations under its Data Processing Agreement (DPA).

The Zscaler DPA incorporates the SCCs. Exhibit A of the DPA provides information on the nature of Zscaler’s processing activities and the types of customers’ personal data we process in relation to the services provided. Exhibit B of the DPA describes the technical and organizational information security measures implemented by Zscaler.

Sub-Processors

Like all SaaS providers, Zscaler uses sub-processors to provide its products and services. We have entered into written agreements with all such sub-processors (with written commitments regarding their security and data protection controls), and we remain liable for the acts and omissions of these sub-processors. We perform due diligence on the security and privacy practices of our sub-processors to ensure that they provide a level of security and privacy appropriate to their access to customer data (which may include personal data) and the scope of the services they are engaged to provide.

For more information about our sub-processors, please refer to our Sub-Processors overview page.

Step 2: Identifying Transfer Tools

Zscaler uses SCCs, incorporated into its DPA, to provide appropriate safeguards for the transfer of personal data originating from the EEA, Switzerland, and the United Kingdom. Both the Schrems II ruling and the EDPB recommendations confirm that SCCs are a valid mechanism for transferring personal data subject to the GDPR outside the EEA and Switzerland. The SCCs adopted by the decision (EU) 2021/915 of the European Commission are incorporated in Exhibit C of the Zscaler DPA (EU SCCs).

For data transfers from the United Kingdom, the UK Information Commissioner’s Office issued The UK Addendum to the EU SCCs (also known as UK IDTA) under Section 119A of the Data Protection Act 2018 for international data transfers. The UK IDTA is attached to the Zscaler DPA in Exhibit D.

Details can be found in the Zscaler DPA.

Step 3: Assessing Laws and Practices of Recipient Countries

In accordance with the recommendations of the EDPB, Zscaler has performed an assessment of whether the laws and/or practices in force in the countries where Zscaler processes customer data may impinge on the effectiveness of the appropriate safeguards of the SCCs.

Specifically, the following overview presents an assessment of jurisdictions where Zscaler’s sub-processors may process customer data, through the use of our products and services:

United States

In its Schrems II decision, the CJEU identified the following US laws as potential obstacles to ensuring essentially equivalent protection for personal data transferred from the EEA to the US:

• FISA Section 702 (“FISA 702”), which allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering.

• Executive Order 12333 ("EO 12333"), which authorizes intelligence agencies (such as the US National Security Agency) to conduct surveillance outside of the US.

The US government has provided further information about the application of these laws in Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “US White Paper”).

With regard to FISA 702, the US White Paper notes that the concerns about national security access to personal data highlighted by Schrems II as processed by commercial US companies are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies whose EU-US transfers of personal data involve “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”

Furthermore, individuals of any nationality (including EU citizens) can seek redress for violations of FISA 702, including under FISA provisions allowing private actions for compensatory and punitive damages.

With regard to EO 12333, the US White Paper notes that EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Any requirement that a company disclose data to the US government for intelligence purposes under EO 12333 must be authorized by statute (such as FISA 702) and targeted at specific persons or identifiers. Moreover, bulk data collection, which is the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.

Taking into account the practices of the US public authorities, and the fact that Zscaler has never been subject to a US government request for access to customer personal data under FISA 702, EO 12333, or any other US law, Zscaler concludes that:

• While the definition of “electronic communication service” is very broad, Zscaler products and services do not involve the provision of electronic communications that would be within the scope of FISA 702 surveillance authorizations;

• US surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

• Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

India

India has two laws that could permit electronic surveillance of personal data:

• Section 5(2) of the Telegraph Act (1885) allows the Indian government to intercept and disclose electronic or telephonic messages on the occurrence of any public emergency or in the interest of public safety.

• Section 69 of the Information Technology Act (2000) allows the Indian government to intercept, monitor, or decrypt any information received or stored through any computer resource if such activity is “necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.”

The Supreme Court of India has recognized the right to privacy as a fundamental right under the Indian Constitution, which limits the scope of application of these Indian surveillance laws. In particular, under applicable rules, any interception, monitoring, or decryption of electronic information by the Indian government must be approved by a competent authority (e.g., the Union Home Secretary), and such approval is subject to mandatory periodic reviews.

Taking into account the practices of the Indian public authorities, and the fact that Zscaler has never been subject to an Indian government request for access to customer personal data, Zscaler concludes that:

• India surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

• Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

Australia

Australia’s Telecommunications (Interception and Access) Act 1979 (TIA Act) limits government surveillance by prohibiting interception of communications and access to stored communications. Privacy is also protected by the Telecommunications Act 1997, which prohibits telecommunications service providers from disclosing information about their customers' use of telecommunications services.

The TIA Act sets out certain exceptions to these prohibitions to permit eligible Australian law enforcement and security agencies to (1) obtain warrants to intercept communications, (2) obtain warrants to access stored communications, and (3) authorize the disclosure of data. Such agencies can only obtain warrants or give authorizations for national security or law enforcement purposes set out in the TIA Act.

Australia’s Surveillance Devices Act 2004 (SD Act) governs the use of surveillance devices by law enforcement and security agencies. Under the SD Act, an eligible agency can apply for a warrant to use a surveillance device to investigate a relevant criminal offense.

The Attorney General’s Department of Australia administers both the TIA Act and the SD Act. Neither law has been used to access the kinds of commercial information collected and processed by Zscaler.

Australia's electronic surveillance laws are in the process of being reconsidered and may change in the coming years. The Australian government recently completed a consultation on a discussion paper on the reform of Australia's electronic surveillance framework that recommended updating existing laws.

Taking into account the practices of the Australian public authorities, and the fact that Zscaler has never been subject to an Australia government request for access to customer personal data, Zscaler concludes that:

• Australian surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

• Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

Brazil

Brazil’s comprehensive General Data Protection Law has a provision (Section 4) stating that the law does not apply if the processing of personal information is carried out for the exclusive purposes of public safety, national defense, state security or the investigation and repression of criminal offenses.

Brazil’s Wiretap Act (Law No. 9.296/1996) regulates the right of police authorities and the public prosecutor office to intercept telecommunications. A court order is required, and the interception must satisfy several high standards, including (1) there is reasonable evidence of participation in a criminal offense, (2) there are no other available means of obtaining the additional evidence that interception of telecommunications will provide, and (3) the crime being investigated constitutes an offense punishable with a prison sentence. Furthermore, the court issuing the order continues to be involved, requiring a transcript and report regarding the intercepted communications.

In addition, Brazil’s Civil Rights Framework for the Internet (Law No. 12.965/2014) requires prior judicial authorization to access metadata and communications content. Authorities can also access the stored content of seized devices, provided that the search and seizure procedure was authorized by a judge.

Neither the Wiretap Act nor the Civil Rights Framework for the Internet has been used for surveillance purposes with regard to the kinds of commercial information collected and processed by Zscaler.

Taking into account the practices of the Brazilian public authorities, and the fact that Zscaler has never been subject to a Brazil government request for access to customer personal data, Zscaler concludes that:

• Brazilian surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

• Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

Costa Rica

Personal information is protected in Costa Rica under the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968, as amended by Decree No. 40008-JP.

In addition, the right to data protection has been recognized and protected in Costa Rica by the Constitutional Court since the 1990s, on the basis of Article 24 of the Political Constitution of Costa Rica, which specifically recognizes the right to intimacy, as well as the freedom and secrecy of communications.

As a general principle under Costa Rican law, it is mandatory to obtain informed and express consent from individuals in order to process their information. The consent must be unequivocal, freely given, specific, and delivered by written or digital means.

There is an exception to the consent requirement if there is a reasoned order issued by a competent Costa Rican judicial authority, or an agreement adopted by a special investigative committee of the Legislative Assembly in the exercise of its office. However, Costa Rican courts are very privacy-friendly. In one recent case, Costa Rica’s Supreme Court ruled that government surveillance of a reporter’s phone records was unconstitutional.

Taking into account the practices of the Costa Rican public authorities, and the fact that Zscaler has never been subject to a Costa Rican government request for access to customer personal data, Zscaler concludes that:

• Costa Rica surveillance laws and regulations that are potentially applicable to Zscaler’s processing of personal data are unlikely to be applied in practice to customer data processed by Zscaler; and

• Consequently, Zscaler has no reason to believe that such laws and regulations will prevent Zscaler from fulfilling its obligations under the SCCs.

As a global SaaS provider, Zscaler is subject to the laws of multiple jurisdictions. Zscaler is not aware of any applicable laws that would impinge on the effectiveness of the appropriate safeguards of the transfer tools Zscaler relies on for transfers of personal data to a country outside of the EU/EEA. Considering the practices of the relevant third countries’ public authorities, Zscaler is confident that it can ensure, in practice, the effective protection of the personal data transferred.

Steps 4 and 5: Implementing Supplementary Measures

Technical Measures

Data protection and security are core to Zscaler’s business as a security-as-a-service provider. The following are some of the safeguards and controls we have in place or empower our customers to enable.

Zscaler uses a variety of techniques to protect data, including personal information, throughout its life cycle from collection to destruction. Some of the technical measures implemented at Zscaler to ensure security of data include:

• Safeguards for data storage and transfers: Zscaler uses a variety of techniques to protect personal information, such as tokenization, obfuscation, and encryption. For example, encryption is used for data storage and during transmission of data via Transport Layer Security (TLS) channels.

• Access control: Zscaler implements logical access control to ensure access to customer personal data is limited to authorized administrators with appropriate privileges. The only access to these servers and databases is via secure access by the application or via jump servers with access restricted to authorized operations personnel via multifactor authentication. Access reviews are performed regularly to verify that only legitimate users have access to applications or infrastructure. Our employees are required to sign a nondisclosure agreement or other confidentiality agreement upon employment.

• Audit logs: Zscaler maintains audit logs to monitor data access.

• Aecurity certifications: At Zscaler, we adhere to rigorous security and privacy standards and follow industry best practices. All Zscaler products are certified against internationally recognized government and commercial standards, such as ISO 27701 and SOC 2. For more information regarding the various internationally recognized certifications and accreditations we hold, please visit our Compliance and Security Standards page.

Note: Please refer to Exhibit B of the DPA for more information on our security measures.

Contractual Measures

Zscaler’s contractual obligations are set out in the DPA, which incorporates the SCCs. Furthermore, Zscaler contractually requires all sub-processors that process personal data on our behalf to abide by rigorous privacy and security standards.

Organizational Measures

Zscaler’s organizational measures to secure customer data include:

• Policy for government access requests: In compliance with the EU SCCs and UK IDTA, if Zscaler is legally required to disclose any personal data of a customer´s users, Zscaler will promptly notify the customer before making any such disclosure unless Zscaler is prohibited from doing so by law. When faced with a valid, legal subpoena issued by a court or law enforcement agency seeking information about one or more Internet Protocol (“IP”) transactions associated with one or more Zscaler IP addresses, Zscaler will only identify its customer (i.e., corporate entity) corresponding to that IP address and provide contact information for that customer. Zscaler will not provide a written log of any transaction, or any other customer information associated with any transaction (unless specifically compelled by a court of law to do so, which has never occurred to date). To access our full report on government requests, see our Transparency Report.

• Employee training: All Zscaler employees are required to take mandatory training on data protection and information security during onboarding. Employees are required to refresh this training on an annual basis.

• Product due diligence: Zscaler evaluates any changes to our products or services by conducting a privacy impact assessment prior to release.

• Internal audits: Zscaler performs routine internal audits to ensure that our information security policy and safeguards are being implemented.

Step 6: Re-evaluating When Necessary

Zscaler will regularly review and, if necessary, reconsider the measures it has implemented with respect to data transfers to address changing data privacy regulations and risk.

Contact Us

For any further questions, please contact us at [email protected].

DISCLAIMER: While this white paper is designed to assist Zscaler customers with data transfer impact assessments in connection with Zscaler's services and products, the information contained herein should not be construed as legal advice. Customers are responsible for making their own independent assessments of the information in this white paper and conducting their own due diligence. Information and views expressed in this white paper, including URLs and other internet website references, may be revised without notice.

See our Privacy Overview