Frequently Asked Questions on Data Transfers
This set of Frequently Asked Questions (FAQs) sets out the data protection mechanisms used by Verizon when transferring personal data outside of the EEA and the UK and our approach to dealing with government requests for access to data (in the U.S. and around the world).
FAQs
Verizon holds fully approved Binding Corporate Rules for Processors that protect transfers of personal data from customers in the EU and the UK to Verizon Business Group and Verizon group companies in other countries. Alternatively, if necessary, Verizon is able to enter into Standard Contractual Clauses (“SCCs”). The transfer mechanism that is applicable to the specific transfer is set out in your agreement with Verizon.
The European Commission has determined that safeguards that the United States has put in place (referred to in the adequacy decision for the Data Privacy Framework between the EU and the U.S.) will also facilitate transatlantic data flows more generally. These safeguards also apply when data is transferred using other recognized tools, such as Binding Corporate Rules and SCCs.
Verizon does not anticipate signing up for the EU/US Privacy Framework because Verizon utilizes EU and UK Binding Corporate Rules, an approved adequacy mechanism recognized by the GDPR and UK data protection law. Binding Corporate Rules protect the transfer of personal data from the EU and the UK to Verizon companies in the United States and also in countries around the world, thereby providing more comprehensive protection for Verizon’s customers and their end users. Like Binding Corporate Rules, the Data Privacy Framework is another approved mechanism under the GDPR and UK data protection law, but unlike Binding Corporate Rules, the Data Privacy Framework relates only to the transfer of personal data from the EU to the US.
Verizon’s detailed International and US Transparency Reports provide information about the number of requests Verizon receives.
Whether your organization’s personal data will be subject to government requests for data will depend on many factors, including the nature of the services and the type of data at issue. We note that Verizon receives relatively few demands regarding our enterprise customers.
Verizon does not release personal data unless authorized by law, such as a valid law enforcement demand. Verizon has teams that carefully review each demand we receive. We do not produce information in response to all demands we receive.
FISA
In the U.S., Verizon is generally subject to the provisions of the Foreign Intelligence Surveillance Act (FISA), including the provisions contained in 50 U.S.C. § 1881a (commonly known as “Section 702”). Depending on the services being provided, Verizon may be considered an “electronic communication service provider” as specified in 50 U.S.C. § 1881(b)(4) and therefore covered by the law. Compelled electronic surveillance under FISA is overseen by the Foreign Intelligence Surveillance Court.
EO 12333
This is an Executive Order relating to the conduct of U.S. intelligence agencies. Outside of FISA, Executive Order 12333 does not provide the U.S. government with any additional authority to compel the production of data from U.S. companies.
Other relevant laws
Other US laws, at both the federal and state level, authorize law enforcement to compel Verizon to produce data through various types of legal process. A general description of the types of legal process and the types of data they can be used to compel Verizon to produce is provided in Verizon’s Transparency Reports.
As noted in Verizon’s Transparency Reports, Verizon receives relatively few demands relating to our enterprise customers. If Verizon were to receive a Section 702 request specifically seeking the personal data of an enterprise customer, that request would receive thorough scrutiny in our review process.
Verizon provides cloud computing and data storage services to business customers around the world (including many non-U.S. customers), supported by data centers outside the United States. As we have noted in our Transparency Reports, we have not received any demands from the United States government for data stored in other countries for the periods covered in those reports.
Due to the restrictions in FISA, orders of the Foreign Intelligence Surveillance Court, and/or requirements for the handling of classified information, if Verizon were to receive a directive under Section 702 or to otherwise be involved in national security surveillance activities, it would not be able to describe such activities.
While Verizon does not disclose the specifics of individual requests, Verizon does report on its responses to both law enforcement and national security requests in its biannual Transparency Reports. For national security requests, our Transparency Reports include all the information we are permitted to disclose.
Verizon’s Binding Corporate Rules set forth additional safeguards employed by Verizon in connection with legally binding requests from law enforcement agencies or state security bodies for disclosure of personal data of customers transferred to Verizon entities outside the EU/UK. These additional safeguards include, unless prohibited from doing so by the requesting authority, putting the request on hold, and notifying the customer and the supervisory authority competent for each of the customer and the processor. If prohibited from doing so, Verizon will use best efforts to obtain a waiver of this prohibition in order to communicate as much information as it can and as soon as possible to the competent supervisory authorities, and demonstrate to the competent supervisory authorities the steps it followed to deal with the request in accordance with the BCRs. Verizon will provide to the competent supervisory authorities on an annual basis general information about the nature and number of such requests that it receives, type of data requested and the requesting body if possible. In any event, Verizon will ensure that any transfers of customer personal data under the BCRs that it makes to a public authority are not disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.
Yes. Where appropriate, Verizon can reject U.S. government requests for personal data based on legal insufficiency or improper form. In such cases, Verizon would engage in direct conversations with the U.S. government in order to resolve specific issues, and this typically results in the government either modifying or withdrawing the request. In the rare cases when this does not happen, Verizon may raise a formal legal challenge and has done so. Verizon has also participated in public efforts to better define the scope of the government’s surveillance authorities, most recently in a Supreme Court case that enhanced protections for customer location data.
The same process occurs with respect to national security requests. In the U.S., compelled electronic surveillance under FISA is overseen by the Foreign Intelligence Surveillance Court. If Verizon were the recipient of a FISA order (including directives issued under Section 702), Verizon would be able to challenge the validity of the order in that Court. For example, the application of Section 702 is limited by the language of 50 U.S.C. § 1881a(b). If Verizon found that a request apparently violated one of these prohibitions, Verizon would have the option of challenging it.
For national security matters like these, Verizon employs attorneys with appropriate security clearances and sufficient subject matter expertise to fully engage with the government, up to and including litigation in the Foreign Intelligence Surveillance Court.
Verizon has practices and procedures in place to ensure that customer personal data is only disclosed to U.S. government authorities with appropriate legal access. Verizon’s procedures include confirming that the request originates from a government agency that has the appropriate legal authority to make it. Verizon’s procedures also include confirming that the government request is in the proper form (i.e. subpoena, search warrant, electronic surveillance order, etc.) for the type of data that is being requested. In addition, Verizon maintains appropriate controls to help ensure that only data that is within the scope of the verified legal request is produced to the government. Every government request, whether from law enforcement or national security agencies, goes through this process.
EU/EEA individuals have access to an independent and impartial redress mechanism in the US regarding the collection and use of their personal data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.
As part of its business, Verizon takes steps to ensure the confidentiality and integrity of personal data. With many Verizon services, customers may have the ability to further enhance security through encryption or other means.
If you have any questions regarding this document, you can contact Verizon's Director, Privacy Policy & Compliance International at EMEAdataprotection@verizon.com.