Cloudera’s Factsheet on International Transfers of Personal Data
Overview
Cloudera’s Factsheet on International Transfers of Personal Data aims to enable Cloudera Customers, acting as data Controllers, to understand the flows of their data if and when Cloudera processes such data as their data Processor. To help Customers comply with applicable data protection and privacy laws’ requirements for transfers of personal data to third countries, this factsheet provides information based on the European Commission’s Standard contractual clauses for data transfers between EU and non-EU countries and the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Supplementary Measures Recommendations”). For more information on Cloudera’s privacy practices, refer to the Cloudera Privacy Statement.
Know Your Transfers & Lawful Transfer Mechanisms
Cloudera, Inc.’s headquarters is in the United States of America (“USA”), where it primarily processes personal data of Customers. Onward transfers of Customers’ personal data may take place between and among Cloudera and its Affiliates (or subsidiaries) for processing necessary to provide Customers with products and/or services in accordance with applicable agreements. Likewise, Cloudera may engage Sub-processors to process personal data on the behalf of Customers in accordance with applicable agreements.
To transfer personal data out of the European Economic Area (EEA), the European Union (EU), Switzerland, and/or the United Kingdom (UK), or personal data otherwise subject to the data protection and privacy laws of those jurisdictions, Cloudera relies on lawful transfer mechanisms or tools under such laws, rules, or regulations, including the European Commission’s adequacy decisions and Standard contractual clauses (“SCCs”), or similar mechanisms issued by the relevant government authority.
Onward Transfers Between and Among Cloudera Affiliates
To understand the flows of personal data between and among Cloudera and its Affiliates, refer to Cloudera’s Global office locations and to Cloudera’s Authorized Sub-processors and Affiliates webpage. The location of the Cloudera Affiliate participating in the delivery of the Cloudera product(s) and/or service(s) will depend on several factors, including, but not limited to, the terms of the master subscription agreement, terms of service, and/or the data processing addendum (“DPA”) with the Customer, as well as the Customer’s primary business location.
Cloudera’s Sub-processors
To understand the flows of personal data between Cloudera and its Sub-processors, refer to Cloudera’s Authorized Sub-processors and Affiliates webpage. The use of a Sub-processor and its processing location may depend on several factors, including, but not limited to, the terms of the master subscription agreement, terms of service, and/or the DPA in place with the Customer, as well as the Customer’s primary business location.
Third Country Laws and Practices
This section provides Customers with relevant sources of information on the laws and practices in the third countries to, in, or from which Cloudera, its Affiliates, and/or its Sub-processors may transfer or remotely access Customers’ personal data for processing. Customers should use this information to assess whether the lawful transfer tool they are relying on to transfer personal data to Cloudera is effective considering the context of the transfer (i.e., whether the third country laws and/or practices impinge on the effectiveness of the transfer tool). The circumstances of the data transfer will depend on each Customer’s own situation and the agreement(s) in place with Cloudera. Relevant circumstances may include, among others, (1) the purpose(s) of transferring and processing personal data; (2) the categories and nature of the transferred personal data; (3) the economic sector in which the transfer occurs; (4) the format of the data to be transferred; and (5) the specific legislation and practices relevant to the protection of the transferred data.
General Sources of Information
International Association of Privacy Professionals - Global Privacy Law and DPA Directory and Global Comprehensive Privacy Law Mapping Chart
Baker McKenzie - Global Data Privacy & Security Handbook
DLA Piper - Global Data Protection Laws of the World
United Nations Conference on Trade and Development - Data Protection and Privacy Legislation Worldwide
Privacy International - Guide to International Law and Surveillance
World Justice Project - Rule of Law Index
Ranking Digital Rights - Corporate Accountability Index and Big Tech Scorecard
United Nations - Universal Human Rights Index
Freedom House - Freedom in the World report and Freedom on the Net report
USA - Surveillance Laws & Practices Sources of Information
Foreign Intelligence Surveillance Act
The Foreign Intelligence Surveillance Act of 1978 (FISA) - Justice Information Sharing
Statistical Transparency Report Regarding National Security Authorities Calendar Year 2021
U.S. Privacy and Civil Liberties Oversight Board - Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act
Executive Order 12333
Executive Order 12333--United States intelligence activities (OFR)
Executive Order 12333-United States intelligence activities (Defense)
About EO 12333 (NSA)
Civil Liberties and Privacy Information Paper: Description of Civil Liberties and Privacy Protections Incorporated in the 2008 Revision of Executive Order 12333 (Office of the Director of National Intelligence Civil Liberties and Privacy Office)
U.S. Privacy and Civil Liberties Oversight Board - Report on Executive Order 12333
Presidential Policy Directive 28 (PPD-28)
U.S. Privacy and Civil Liberties Oversight Board - Report to the President on the Implementation of Presidential Policy Directive 28: Signals Intelligence Activities
CLOUD Act
Other Sources of Information
U.S. Privacy and Civil Liberties Oversight Board - Oversight Reports
Expert Opinion on the Current State of U.S. Surveillance Law and Authorities from Prof. Stephen I. Vladeck, University of Texas School of Law from 15 November 2021 (Berlin Commissioner for Data Protection and Freedom of Information on behalf of the Conference of Independent Data Protection Supervisors of the Federal Government and the Länder (Data Protection Conference))
Transfer Impact Assessment
Based on a reasonable assessment of the third country laws and practices and Cloudera’s lack of experience with data requests from public authorities (as set forth in its Transparency Report), Cloudera has no reason to believe that any relevant and problematic legislation [1] will be applied, in practice, to Cloudera and Customers’ transferred personal data. Consequently, any such legislation should not prevent Cloudera from fulfilling its obligations under the lawful transfer mechanisms, such as EU SCCs, because the transferred personal data is unlikely to be of any interest to public authorities.
With respect to U.S. laws and practices, Cloudera’s conclusion is supported by the U.S. government’s Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II:
“Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II.”
“As a practical matter, for many companies the issues of national security data access that appear to have concerned the ECJ in Schrems II are unlikely to arise because the data they handle is of no interest to the U.S. intelligence community”
“Indeed, the overwhelming majority of companies have never received orders to disclose data under FISA 702 and have never otherwise provided personal data to U.S. intelligence agencies. Neither would such companies have any indication that a U.S. intelligence agency has sought to obtain their data unilaterally outside the United States under the authority of EO 12333.”
PaaS, On-Premises Software, Technical Support, and Professional Services Offerings
With respect to Cloudera’s Platform as a Service (“PaaS”), on-premises software, technical support, and professional services offerings, Cloudera provides the following responses to questions based on the “Model request to US data importers if you still use SCCs ("case by case" analysis)” published by the noyb – European Center for Digital Rights.
Direct Application of 50 U.S.C. § 1881a (= FISA 702)
Cloudera’s PaaS, on-premises software, technical support services, and professional services offerings, whether considered individually or as a group, do not fall under any of the definitions in 50 U.S.C. § 1881(b)(4) that could render them directly subject to 50 U.S.C. § 1881a (= FISA 702).
Cloudera is not a telecommunications carrier, as that term is defined in section 153 of title 47 U.S.C.
Cloudera is not a provider of electronic communication service, as that term is defined in section 2510 of title 18 U.S.C.
Cloudera is not a provider of a remote computing service, as that term is defined in section 2711 of title 18 U.S.C.
Cloudera is not any other communication service provider that has access to wire or electronic communications either as such communications are transmitted or as such communications are stored.
Cloudera is not an officer, employee, or agent of an entity described in the preceding responses.
Processing under EO 12333
Cloudera does not cooperate in any respect, whether on a mandatory or a voluntary basis, with US authorities conducting surveillance of communications under EO 12333.
Other relevant Laws
Cloudera is not subject to any other law that could be seen as undermining the protection of personal data under the GDPR (Article 44 GDPR).
Measures against Mass and Indiscriminate Processing in Transit (FISA 702 and EO 12333)
To determine whether Cloudera has implemented appropriate technical and organisational measures (see Article 32 GDPR) for every step of the processing operations which ensure that mass and indiscriminate processing of personal data by or on behalf of authorities in transit (such as under the “Upstream” program in the US) is made impossible, please refer to the contractual agreements, including any DPA, in place with Cloudera.
Cloudera Technical & Organizational Measures
For a list of Cloudera’s technical and organizational data security measures applicable to the transfer of a Customer’s personal data, the Customer must refer to the Data Processing Addendum (“DPA”) in place with Cloudera.
Cloudera Supplementary Measures
According to the EDPB, Supplementary Measures are necessary where the third country legislation and/or practices impinge on the effectiveness of the data transfer tool, as such measures help ensure that the transferred personal data is afforded an essentially equivalent level of data protection as that guaranteed within the EEA/EU (as well as the UK or Switzerland).
To determine the Supplementary Measures, if any, that are applicable to a Customer’s agreement with Cloudera, the Customer must refer to the DPA in place with Cloudera.
Transparency Report
For information on Cloudera’s relevant and documented experience with prior instances of requests for disclosure from public authorities, if any, refer to Cloudera’s Transparency Report.
Procedural Steps to Implement Supplementary Measures
If applicable, the Supplementary Measures listed in the DPA between Cloudera and the Customer should not contradict, directly or indirectly, the SCCs based on a reasonable assessment and should be sufficient to ensure that the level of protection for the transferred personal data guaranteed by the EEA, EU, UK, and/or Switzerland is not undermined.
Re-evaluation of Transfer Policies and Procedures
Where appropriate, Cloudera will monitor, on an ongoing basis, developments in the third country/ies to which it makes onward transfers of personal data that could affect the initial assessment of the level of protection and the decisions it may have taken initially. In addition, Cloudera has implemented mechanisms to ensure that it can promptly suspend or end transfers where a Sub-processor has breached or is unable to honor its commitments set forth in the lawful transfer mechanism, or where the adopted Supplementary Measures, if any, are no longer effective in a particular third country.
Legal Disclaimer Notice
The information provided in this document does not, and is not intended to, constitute legal advice. All information, content, and materials available in this document are for general informational purposes only. Information in this document may not constitute the most up-to-date legal or other information, and Cloudera does not make any claims, promises, or guarantees about the accuracy, completeness, currency, or adequacy of the contents or information contained herein. Customers are responsible for making their own independent assessment of the information in this document. Customers should contact their attorney or legal counsel to obtain advice with respect to any particular legal matter. No Customer should act or refrain from acting on the basis of information in this document without first seeking professional legal advice from a licensed counsel in the relevant jurisdiction. Only the Customer’s attorney or counsel can provide assurances that the information contained herein – and the interpretation of it – is applicable or appropriate to the Customer’s particular situation. Customers, as the data controllers, are responsible for conducting their own data transfer impact assessments. This document: (a) is for informational purposes only, (b) represents current Cloudera product and service offerings, which are subject to change without notice, (c) represents current laws and practices, which are subject to change without notice, and (d) does not create any commitments or assurances from Cloudera and its affiliates, vendors, distributors, partners, resellers, or licensors. The responsibilities and liabilities of Cloudera to Customers are controlled by Cloudera agreements, and this document is not part of, nor does it modify, any agreement between Cloudera and Customers.
[1] “‘Problematic legislation’ is understood as legislation that 1) imposes on the recipient of personal data from the European Union obligations and/or affect the data transferred in a manner that may impinge on the transfer tools’ contractual guarantee of an essentially equivalent level of protection and 2) does not respect the essence of the fundamental rights and freedoms recognised by the EU Charter of Fundamental Rights or exceeds what is necessary and proportionate in a democratic society to safeguard one of the important objectives as also recognised in Union or EU Member States’ law, such as those listed in Article 23 (1) GDPR.” European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0, adopted on 18 June 2021), at p. 17, fn. 50 and p. 22, fn. 63.