International Personal Data Transfers Post-Schrems II

At ThoughtSpot, fostering relationships with our customers based on trust is of utmost importance. We believe that privacy is a fundamental right, and our customers’ privacy and security are always top priorities.

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its judgment in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (the “Schrems II” ruling), on transfers of personal data subject to the General Data Protection Regulation (“GDPR”) outside the European Economic Area (“EEA”). In Schrems II, the CJEU held that the EU-U.S. Privacy Shield (“Privacy Shield”) is not a valid mechanism for transferring personal data from the EEA to the United States. In September 2020, Switzerland’s Federal Data Protection and Information Commissioner (“FDPIC”) reached the equivalent conclusion for the Swiss-U.S. Privacy Shield.

However, in the same ruling, the CJEU confirmed that organizations may continue to rely on Standard Contractual Clauses (“SCCs”) as a valid mechanism for transferring personal data outside the EEA, provided the data exporter verifies, case by case, that the law of the destination country does not undermine the protection the clauses provide, and adopts supplementary measures where it does.

Consistent with the CJEU’s decision in Schrems II, on July 16, 2020 we ceased relying on our Privacy Shield certifications as a legal basis for transfers of personal data from the EEA or Switzerland to the U.S.

We want all ThoughtSpot customers to know that the CJEU’s decision made clear that the SCCs remain a valid mechanism for transferring personal data from the EEA. The SCCs continue to allow our customers to lawfully transfer personal data from the EU and the UK through ThoughtSpot’s service. Consistent with the Schrems II ruling and related guidance from EU supervisory authorities, ThoughtSpot couples its use of the SCCs with technical and organizational safeguards appropriate to the particular transfer, such as encryption in transit and at rest and row-level security for access control. Our security program also includes compliance with GDPR, CCPA and HIPAA, as well as standards and attestations such as ISO/IEC 27001, SOC 2 Type II and CSA STAR. ThoughtSpot contractually commits to these technical and organizational safeguards with each customer in the ThoughtSpot Cloud Program Guide, available at www.thoughtspot.com/legal.

ThoughtSpot understands the importance our customers place on safeguarding the limited information stored and transferred using ThoughtSpot, and we work hard to ensure we earn your trust in this regard. As governments and judicial bodies around the world pass new legislation and issue rulings to protect personal data, ThoughtSpot will continue to comply with all privacy laws applicable to our service, monitor changes in the law in an effort to ensure our ongoing compliance, and continually upgrade our information protection program and controls. In addition, we continue to invest in administrative control features so that each customer remains in full control of the scope of analytics performed in the data source, search suggestion indexing, user access and roles, and security rules. ThoughtSpot closely monitors the privacy landscape and the ongoing updates from various EU supervisory authorities, including the release of new SCCs from the European Commission in June 2021.

Please see below for additional answers on how ThoughtSpot remains compliant with GDPR in light of the recommendations that followed the Schrems II ruling.


Frequently asked questions

What did the Court of Justice of the European Union (“CJEU”) rule in the Schrems II judgment?

On July 16, 2020, the CJEU invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield framework; the Swiss FDPIC subsequently concluded that the Swiss-U.S. Privacy Shield likewise no longer provides an adequate level of protection. The Standard Contractual Clauses remain valid as a data transfer mechanism. However, the CJEU also held that supplementary safeguards may be required where the law of the recipient country governing access to data by public authorities does not ensure a level of protection essentially equivalent to that guaranteed within the EEA.

Does ThoughtSpot rely on Privacy Shield for data transfers to the US from the EEA?

No. ThoughtSpot does not rely on the EU-U.S. or Swiss-U.S. Privacy Shield to facilitate the lawful transfer of personal data from the EEA or Switzerland to the U.S.

What international transfer mechanisms does ThoughtSpot use?

ThoughtSpot uses the SCCs as the mechanism for international transfers of personal data. The SCCs provide contractual guarantees that the personal data will be protected to a GDPR standard outside the EEA, and ThoughtSpot supplements them with the technical and organizational safeguards described above where a particular transfer requires it.

Why is ThoughtSpot still certified under the Privacy Shield Framework?

The U.S. Department of Commerce issued guidance stating that the CJEU’s decision, and the consequent finding of the Swiss FDPIC, do not relieve participants in the EU-U.S. and Swiss-U.S. Privacy Shield frameworks of their obligation to adhere to the Privacy Shield principles and requirements. Further, the U.S. Department of Commerce continues to administer and enforce the Privacy Shield program. While the Privacy Shield is no longer a valid transfer mechanism, continued participation demonstrates ThoughtSpot’s ongoing commitment to the Privacy Shield principles and the EU/Swiss standard of care.

Despite the CJEU decision, Privacy Shield and transatlantic data flows are a top priority for the Biden Administration. On March 25, 2021, the U.S. Secretary of Commerce and the European Commissioner for Justice issued a joint statement that negotiations had intensified on an enhanced EU-U.S. Privacy Shield framework designed to comply with the CJEU’s July 16, 2020 judgment in Schrems II. These negotiations show that the U.S. and the EU remain committed to privacy, data protection and the rule of law, and recognize the importance of transatlantic data flows.

Does ThoughtSpot have a Data Processing Addendum?

Yes. The Data Processing Addendum is specific to ThoughtSpot’s services and covers the specific processes and procedures related to the way in which the services and infrastructure work. It also includes the new SCCs and is drafted to be consistent with the customer agreement and other relevant documentation.

A copy of the Data Processing Addendum can be found here in a form pre-signed by ThoughtSpot. To add the obligations of the Data Processing Addendum to your ThoughtSpot Cloud Subscription Agreement, all you need to do is countersign it and return it to your ThoughtSpot Account Executive.

Does the ThoughtSpot Data Processing Addendum incorporate the new Standard Contractual Clauses?

Yes. The ThoughtSpot Data Processing Addendum has been updated to include the new SCCs effective September 27, 2021.

How does ThoughtSpot ensure an adequate level of protection for transferred personal data?

ThoughtSpot maintains administrative, technical and organizational security measures to protect personal data; these are described on the ThoughtSpot Trust Center.

ThoughtSpot’s security program includes a range of technical and organizational measures, such as encryption in transit and at rest, that address the core deficiencies identified in the Schrems II decision: bulk interception under EO 12333 and bulk surveillance under FISA § 702.

What is meant by FISA 702 and EO 12333? How do they relate to Schrems II?

Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) is a U.S. statute establishing a judicial process that authorizes a specific type of data acquisition: the collection of foreign intelligence for U.S. national security purposes. Under FISA 702, the Foreign Intelligence Surveillance Court approves annual certifications under which the U.S. government may issue directives requiring U.S. electronic communication service providers to disclose communications of specific non-U.S. persons reasonably believed to be located outside the U.S., in order to obtain specified types of foreign intelligence information. Executive Order 12333 (“EO 12333”) is a general directive organizing U.S. intelligence activities. Unlike FISA 702, EO 12333 does not authorize the U.S. government to compel any company to disclose data, though it may be used to authorize clandestine intelligence activities involving access to data overseas without the involvement of the company in question.

The CJEU ruled that where transfers of personal data to the U.S. are subject to FISA 702 and EO 12333, Privacy Shield does not provide essentially equivalent protection, because these provisions allow government access beyond what is strictly necessary and proportionate, and because EU data subjects have no actionable rights before U.S. courts against the authorities conducting that access.

Could ThoughtSpot receive a directive under FISA 702 in relation to the Services?

ThoughtSpot has not been found by any court to be the type of entity eligible to receive process issued under FISA 702, that is, an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4), or a member of any of the categories of entities described in that definition.

What about “upstream” or bulk surveillance orders under FISA 702?

Even if ThoughtSpot were deemed an electronic communication service provider as to some of its services, it is not eligible, as the U.S. government has interpreted and applied FISA 702, to receive the type of order that was of principal concern to the CJEU in Schrems II: a 702 order for “upstream” surveillance. The U.S. government uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). ThoughtSpot does not provide such backbone services; it carries only traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and found problematic by, the Schrems II decision.