An update on the Schrems II Data Transfer decision, Brexit & our continued commitment to safeguarding customer data

Following the Court of Justice of the European Union (CJEU) July 2020 decision to invalidate the adequacy of Privacy Shield in the "Schrems II" case, and in anticipation of the UK's departure from the European Union (Brexit), we shared a blog post explaining why we expected these significant events to have little practical impact on our customers.  Today, we share with you an update on what we've done since July 2020 and discuss the safeguards and transparency measures we have in place.  

In November 2020, data protection authorities in the European Economic Area (EEA) issued draft guidance and the European Commission released a draft version of its updated Standard Contract Clauses (SCCs). The final version of these SCCs is expected to be adopted in 2021. Further, as a result of the Brexit deal, regulators in the UK are expected to issue subsequent guidance, and the European Commission is to consider the adequacy of the UK's data protection regime. While the EU Commission considers the UK's adequacy, regulators in the UK have implemented a six-month grace period for personal data transfers from the EEA to the UK. As Box, our customers and countless other companies prepare for finalized guidance and legal requirements to be issued, we want to reaffirm to you, our customers, our continued dedication to safeguarding your data and our ongoing commitment to data privacy protection. As the regulatory landscape evolves, we'll be monitoring the situation and will take proactive steps to ensure that we continue to offer best-in-class data protection and security.

Cross-border data transfer mechanisms we employ 

At Box, the privacy rights of our customers and end-users are fundamental to the services we provide. That is why, early on, we made a commitment to offer customers a cloud-based content management platform and product offering that not only met, but surpassed, industry standards, and have historically offered customers an overlapping set of legal mechanisms and frameworks for data transfers outside of the EEA. These mechanisms include (1) Controller and Processor Binding Corporate Rules (BCRs), and (2) SCCs. And, while the CJEU invalidated Privacy Shield as a valid data transfer mechanism, we will continue to adhere to the Privacy Shield principles and the annual independent assessment performed to ensure compliance. Additionally, while not required under the General Data Protection Regulation (GDPR), we maintain our Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and the Privacy Recognition for Processors (PRP) certifications as an additional data transfer mechanism among participating countries in the Asia-Pacific region, North America and elsewhere. Each of our data transfer mechanisms is assessed by internal and/or external independent assessors to ensure our compliance with the respective certifications and commitments made.

A special note about our binding corporate rules (BCRs)

With the end of the Brexit transition period, we have made every effort to maintain our commitment and adherence to one of the most comprehensive data protection frameworks and transfer mechanisms, BCRs. Per guidance issued by the U.K.'s Information Commissioner's Office, Box's Processor and Controller BCRs in the UK remain viable, ensuring that customers transferring data from the U.K. may continue to do so in compliance with U.K. data protection laws.

We took early action to maintain our EU BCRs in the EEA by applying for transfer to a new lead supervisory data protection authority in the EEA. While we await approval of our EU BCRs, we remain committed to adhering to the principles and obligations set forth in our BCRs and have made SCCs available to all customers to ensure a lawful data transfer mechanism is in place at all times when transferring personal data from the EEA to outside of the region. In light of Brexit, these SCCs also reflect compliance with UK data protection laws.

Customers may review our online self-serve, easy-to-execute DPA with SCCs attached by visiting the Box GDPR website. The DPA comprehensively lists all the approved mechanisms for transfers of personal data.

Safeguards and transparency 

We approach security with a unique perspective, matching our seamless end-user experience with an unmatched level of frictionless security, enhanced visibility and meticulous control. We make the security of our customers’ data our number one priority, and we reflect that goal at every point in our solution. We rigorously manage data in a manner that meets business, legal, security and regulatory needs. 

Our commitment to protecting the privacy and security of our corporate and customer data has resulted in Box leading the pack in security and privacy compliance certifications. Our compliance offerings include, but are not limited to, the following:

  • ISO 27001
  • ISO 27018
  • ISO 27017
  • Cloud Computing Compliance Control Catalogue (C5)
  • Trusted Cloud Data Protection Profile (TCDP)
  • PCI-DSS 
  • FedRAMP Moderate


From a single user with a Box Personal account to our largest Box Enterprise customers, we maintain the strongest encryption cipher suite available. Box’s data encryption strategy is based on requirements from standards such as the HIPAA/HITECH Act, PCI DSS, and ISO 27001, and on adherence to NIST-recommended algorithms and methods, among others. Content uploaded to Box is encrypted in transit when sent through our website and Box-created applications, using high-strength TLS 1.2 encryption. At rest, our default encryption for customer content is 256-bit AES.

With regard to encryption key management, we further protect our customers’ content with an encryption key-wrapping strategy that also utilizes 256-bit AES encryption. Moreover, access to encryption keys is limited to users based on job functionality and the principle of least privilege. Encrypted data encryption keys (DEKs) are stored in the production databases. Key encryption keys (KEKs) are stored in IKS and encrypted with a long, randomly generated passcode. In order to provide dual control over the passcode, it is encoded using a secret sharing algorithm. Passcode parts are restricted to Key Custodians who store the passcode parts in a password vault.
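The dual-control step described above, as an added example that is not Box's code: the page does not name the secret sharing algorithm or the number of Key Custodians, so Shamir's scheme with a 2-of-3 threshold, the field prime and all function names here are assumptions.

```python
import secrets

# Assumption: Shamir's secret sharing over a prime field (the page only says
# "a secret sharing algorithm"). 2**521 - 1 is a Mersenne prime, large enough
# to hold a passcode of up to 65 bytes as a single field element.
PRIME = 2**521 - 1

def split(passcode: bytes, threshold: int, custodians: int):
    """Split the passcode into one (x, y) part per custodian."""
    if not 1 < threshold <= custodians:
        raise ValueError("need 1 < threshold <= custodians for dual control")
    secret = int.from_bytes(passcode, "big")
    if secret >= PRIME:
        raise ValueError("passcode too long for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def evaluate(x):
        acc = 0
        for c in reversed(coeffs):      # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc
    return [(x, evaluate(x)) for x in range(1, custodians + 1)]

def combine(parts) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given parts."""
    xs = [x for x, _ in parts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate part: two distinct custodians are required")
    total = 0
    for i, (xi, yi) in enumerate(parts):
        num = den = 1
        for j, (xj, _) in enumerate(parts):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def recover(parts, length: int) -> bytes:
    """Rebuild the passcode bytes; length preserves any leading zero bytes."""
    return combine(parts).to_bytes(length, "big")

if __name__ == "__main__":
    passcode = secrets.token_bytes(32)   # constructed stand-in for the KEK passcode
    parts = split(passcode, threshold=2, custodians=3)
    print("two custodians recover it:", recover(parts[:2], 32) == passcode)
    print("one custodian alone does not:",
          combine(parts[:1]) != int.from_bytes(passcode, "big"))
```
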

We also offer customers control over their data through tooling solutions that provide more granular control and access to data, such as KeySafe, Zones, and Shield. To learn more about these product offerings, please visit Zones, Shield, or KeySafe.

Transparency: How we handle law enforcement access requests

We are committed to protecting the privacy of customer data and we care deeply about maintaining transparency and the trust of our customers. As part of this commitment, we make every effort to direct law enforcement requests concerning enterprise accounts directly to the customer. 

Box carefully reviews each law enforcement request to determine if it complies with applicable legal requirements. In addition to safeguarding customer personal data, we are also committed to notifying our customers of law enforcement requests. There are limited circumstances in which Box may be expressly prohibited from disclosing law enforcement requests, such as when proscribed by law or non-disclosure order (NDO). Such an NDO must be issued by a court and demonstrate that there will be an adverse result if we provide notice. As we are headquartered in the United States, all requests for customer information are subject to the strictest safeguards, and we require that non-US government requests for customer information be submitted via the US mutual legal assistance treaty (MLAT) or letter rogatory process.

We value you - our customers - entrusting us with your data and we remain vigilant in our commitment to supporting your data privacy protection needs.  To learn more about our data privacy efforts, or to request a Transparency Report, please email