On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision in the Schrems II case in which it invalidated the EU-US/Swiss-US Privacy Shield Framework (Privacy Shield). In the same decision, the CJEU confirmed that Standard Contractual Clauses (SCCs) remain a valid data transfer mechanism when transferring personal data outside of the European Economic Area (EEA). Given this decision, organizations that rely on Privacy Shield will need to implement an alternative data transfer mechanism to continue transfers of personal data to the United States.
The ruling in the Schrems II case does not affect Box's or our customers' ability to continue using Box in compliance with European law.
Standard Contractual Clauses Have Never Been More Critical
Box has historically offered customers an overlapping set of legal mechanisms and frameworks for data transfers outside of the EEA: (1) Controller and Processor Binding Corporate Rules (BCRs), (2) Privacy Shield, and (3) SCCs.
SCCs are a set of contractual terms and conditions issued by the European Commission that the Controller and Processor of personal data both agree to and provide an appropriate safeguard for data transfers under Article 46 of the General Data Protection Regulation (GDPR). Now that Privacy Shield has been struck down, and in light of the uncertainty around the impact Brexit will have on our ability to rely on BCRs post-December 31, 2020 for data transfers between the United Kingdom, EEA and the US, SCCs have become even more critical for our customers' continued compliance with EU and UK data privacy and data transfer laws.
Take Action Now
To make it easy for our EEA and UK customers to continue to maintain a lawful data transfer mechanism, Box is updating its Data Processing Addendum (DPA) to include SCCs. Whether you're an existing Box customer with a DPA or a new or existing customer without a DPA, Box can provide you with SCCs. With the invalidation of Privacy Shield and the approaching end of the Brexit transition period on December 31, 2020, customers should take action to complete SCCs now.
Customers with a DPA
Impacted customers that have an existing DPA will receive an in-app notification and subsequent reminder to review and execute the SCC addendum. We have also emailed impacted customers directly on July 21, 2020. If you believe you are an impacted customer and have not received such a notice, please email firstname.lastname@example.org.
Customers Without a DPA
Impacted customers without an existing DPA will also receive a direct email and in-app notification to review and execute the DPA. Customers can also review our online self-serve, easy-to-execute DPA by visiting the Box GDPR website. The DPA is available at no cost and comprehensively lists all the approved mechanisms for transfers of personal data. If you have any questions regarding the DPA and/or the SCC addendum, please email email@example.com.
Box is committed to protecting the privacy of personal data. We want to ensure Box offers the most flexible options to customers when it comes to transfers of personal data while maintaining compliance with European data protection law. Customers impacted by the Schrems II decision and Brexit will receive an email communication on July 21, 2020 with the applicable revised DPA or SCC addendum (collectively, "Agreement") attached.
Please review and execute the Agreement by September 21, 2020. If you continue to use the Box services provided under the relevant DPA or other agreement already in place after that date, we will consider you to have consented to the Agreement, and its terms will thereafter apply. Should you have any questions, please email us at firstname.lastname@example.org
To learn more about SCCs as data transfer mechanisms, please refer to the following resources: