Frequently Asked Questions
on Data Transfers
Introduction
This set of Frequently Asked Questions (FAQs) sets out the data protection mechanisms used by Verizon (including the BlueJeans service) when transferring personal data outside of the EEA and the UK and our approach to dealing with government requests for access to data (not only in the U.S.). The Blue Jeans Data Transfer FAQs are available here.
What did the Court of Justice of the European Union (CJEU) rule in the Schrems II judgment?
On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield framework. Other data transfer mechanisms (i.e. Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)) remain valid.
However, the Court also said that additional safeguards may be required when the legal system around access to data by public authorities in the recipient country does not ensure a level of protection essentially equivalent to that guaranteed within the EEA.
Will data flows from your organization to Verizon in the U.S. be interrupted as a result of the Schrems II judgment?
No, your organization’s data flows from the EEA (and the UK) to Verizon in the U.S. will not be interrupted as a result of the Schrems II judgment. Verizon is taking steps to provide its customers with a legally valid transfer mechanism. BlueJeans customers who had relied on the Privacy Shield can obtain additional information by visiting the Blue Jeans Data Transfer FAQs relating to valid transfer mechanisms.
What data protection mechanisms does Verizon use when transferring personal data outside of the EEA/UK?
Verizon provides customers with different transfer mechanisms for the transfer of data internationally: Binding Corporate Rules (“BCRs”) and SCCs. The transfer mechanism that is applicable to the specific transfer is set out in your agreement with Verizon. BlueJeans customers who had relied on the Privacy Shield can obtain additional information by visiting the Blue Jeans Data Transfer FAQs.
What should I do if my organization is transferring data to Verizon in the U.S. on the basis of SCCs?
To address the CJEU's concerns and facilitate the task placed on our EEA customers to verify the adequacy of the level of protection for their personal data in the U.S., Verizon has enhanced its SCCs by providing additional global safeguards to the guarantees already contained in the SCCs. To determine whether your company is relying on SCCs to transfer data to Verizon, please refer to your agreement with Verizon. Should your agreement include SCCs, please email Verizon at EMEAdataprotection@intl.verizon.com. BlueJeans customers, please see the information available by visiting the Blue Jeans Data Transfer FAQs.
What should I do if my organization is transferring data to Verizon in the U.S. on the basis of BCRs?
Verizon's Binding Corporate Rules contain specific protections around requests for disclosure of personal data by a law enforcement authority or state security body which have been approved by all EU data protection authorities. We refer you to Rule 12B in the Binding Corporate Rules Processor Policy and Rule 15C of the Binding Corporate Rules Controller Policy. In particular, it provides that "Verizon will ensure that any transfers of [customer] personal information under this Policy that it makes to a public authority are not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.’ This addresses the core of the issue raised in the CJEU decision and should be satisfactory.
Can my organization continue to use SCCs or Verizon’s BCRs to transfer data to another third country other than the U.S.?
The CJEU has indicated that SCCs can still be used to transfer data to a third country. Controllers and processors must conduct the same inquiry for transfers to the U.S. or to any third country.
As noted above, Verizon has enhanced its SCCs to provide additional safeguards to the commitments already contained in the SCCs for data transfers globally. In addition, Verizon’s BCRs already contain enhanced commitments and therefore, no additional action is required.
How often does Verizon receive requests for data from government bodies?
Verizon’s detailed International and US Transparency Reports provide information about the number of requests Verizon receives.
Will my organization's personal data be subject to government requests to Verizon for data?
Whether your organization’s personal data will be subject to government requests for data will depend on many factors, including the nature of the services and the type of data at issue. We note that Verizon receives relatively few demands regarding our enterprise customers.
What is Verizon's approach to government requests for access to data?
Verizon does not release customer information unless authorized by law, such as a valid law enforcement demand. Verizon has teams that carefully review each demand we receive. We do not produce information in response to all demands we receive.
Are Verizon entities involved in the delivery of services to customers in the EEA/UK subject to U.S. surveillance laws (e.g. FISA, EO 12333)?
FISA
In the U.S., Verizon is generally subject to the provisions of the Foreign Intelligence Surveillance Act (FISA), including the provisions contained in 50 U.S.C. § 1881a (commonly known as “Section 702”). Depending on the services being provided, Verizon may be considered to be an “electronic communication service provider” as specified in 50 U.S.C. 1881(b)(4) and therefore covered by the law. Compelled electronic surveillance under FISA is overseen by the Foreign Intelligence Surveillance Court.
EO 12333
This is an Executive Order relating to the conduct of U.S. intelligence agencies. Outside of FISA, Executive Order 12333 does not provide the U.S. government with any additional authority to compel the production of data from U.S. companies.
Other relevant laws
Other US laws, at both the federal and state level, authorize law enforcement to compel Verizon to produce data through various types of legal process. A general description of the types of legal process and the types of data they can be used to compel Verizon to produce are described in Verizon’s Transparency Report and, notably, were not at issue in the Schrems II decision.
Could Verizon receive a U.S. government request for my organization's personal data in particular?
As noted in Verizon’s United States Transparency Report, Verizon receives relatively few demands relating to our enterprise customers. If Verizon were to receive a Section 702 request specifically seeking the data of an enterprise customer, that request would receive thorough scrutiny in our review process.
Verizon provides cloud computing and data storage services to business customers around the world, including many non-U.S. customers in data centers outside the United States. As we have noted in our Transparency Reports we have not received any demands from the United States government for data stored in other countries for the periods covered in those reports. We do not anticipate that we will receive such a demand going forward.
Does Verizon disclose the requests discussed by the CJEU for data it receives from U.S. government bodies?
Due to the provisions of the FISA, orders of the Foreign Intelligence Surveillance Court, and/or requirements for the handling of classified information, Verizon, if it were to receive a directive under Section 702 or to otherwise be involved in national security surveillance activities described in EO 12333, would not be able to describe such activities.
While Verizon does not disclose the specifics of individual requests, Verizon does report on its responses to both law enforcement and national security requests in its biannual Transparency Report. For national security requests, our Transparency Report includes all the information we are permitted to disclose.
Can Verizon reject requests for data from U.S. government bodies?
Yes. Where appropriate, Verizon can reject U.S. government requests for data based on legal insufficiency or improper form. In such cases, Verizon lawyers would engage in direct conversations with the U.S. government in order to resolve specific issues, and this typically results in the government either modifying or withdrawing the request. In the rare cases when this does not happen, Verizon may raise a formal legal challenge and has done so. Verizon has also participated in public efforts to better define the scope of the government’s surveillance authorities, most recently in a Supreme Court case that enhanced protections for customer location data.
The same process occurs with respect to national security requests. In the U.S., compelled electronic surveillance under FISA is overseen by the Foreign Intelligence Surveillance Court. If Verizon were the recipient of a FISA order (including directives issued under Section 702), Verizon would be able to challenge the validity of the order in that Court. For example, the application of Section 702 is limited by the language of 50 U.S.C. § 1881a(b). If Verizon found that a request apparently violated one of these prohibitions, Verizon would have the option of challenging it.
For national security matters like these, Verizon employs attorneys with appropriate security clearance and sufficient subject matter expertise to fully engage with the government, up to and including litigation in the Foreign Intelligence Surveillance Court.
How does Verizon protect its customers' data when it responds to requests for data from U.S. government bodies?
Verizon has practices and procedures in place to ensure that customer data is only disclosed to U.S. government authorities with appropriate legal access. Verizon’s procedures confirm that the request originates from a government agency that has the appropriate legal authority to make it. Verizon ensures that the government request is in the proper form (i.e. subpoena, search warrant, electronic surveillance order, etc.) for the type of data that is being requested. In addition, Verizon maintains appropriate controls to ensure that only data that is within the scope of the verified legal request is produced to the government. Every government request, whether from law enforcement or national security agencies, goes through this process
Can Verizon take any additional steps to protect data against U.S. government surveillance?
As part of its business, Verizon takes steps to ensure the confidentiality and integrity of its customers’ data. With many Verizon services, customers may have the ability to further enhance security through encryption or other means.
How can I obtain further information?
If you have any questions regarding this document, you can contact Verizon's Director, Privacy Policy & Compliance International at EMEAdataprotection@intl.verizon.com