This assessment has been created to assist our customers and influencers with enquiries related to how Brandwatch has risk assessed the transfer of personal data outside the EEA. In particular it addresses questions related to:
This is a developing area of law, therefore Brandwatch’s approach will be kept under review, in light of regulatory guidance from the European Data Protection Board (EDPB), any applicable national Data Protection Authorities and any decisions of relevant Courts. Brandwatch is committed to working with its customers and suppliers to ensure adequate protection of the personal data which it handles.
Standard Contractual Clauses (SCCs) are terms and conditions that organisations sending EU personal data from within the EU must have in place with organisations outside the EU that they are sending it to.
These are published by the European Commission and are therefore the same for all organisations.
Brandwatch has these SCCs in place with its customers and vendors.
On 4th June 2021 a new set of SCCs was published by the European Commission but the existing 2010 SCCs can continue to be used for existing data transfers for up to 18 months — giving organizations until the start of 2023.
Under European and UK data protection law (GDPR/UKGDPR) personal data cannot be transferred outside the EEA unless the exporter uses one of the approved mechanisms to make that transfer lawful. Two such mechanisms were Privacy Shield (only for transfers to the US) and EU Standard Contractual Clauses (SCCs) (for transfers anywhere outside the EEA).
The case was brought in the Irish Court by the privacy activist Mr Schrems against Facebook Ireland, and the Irish Court referred a number of questions to the European Court for determination. The European Court’s decision concerned the potential (even where approved mechanisms are used) for US law enforcement and intelligence agencies to gain access to personal data transferred to the US, and what the European Court saw as being a lack of adequate redress in the US for EU citizens concerned about such use of their personal data.
The European Court ruled that Privacy Shield was no longer a valid mechanism but said that other transfer mechanisms (including SCCs) remained valid. In relation to SCCs, the European Court said that data exporters would need to carry out an assessment of its transfers to determine whether or not supplemental measures (over and above the terms of the SCCs) were necessary to ensure the adequate protection of personal data being transferred outside the EEA.
Yes, we transfer personal data outside the EEA, including the US.
The personal data we transfer is set out in the relevant privacy statements at https://www.brandwatch.com/legal-documents/privacy/
Broadly speaking we transfer four different sets of personal data:
We share Brandwatch Online Content Author Data – data that Brandwatch has gathered globally from public sources – with our customers (including customers outside the EEA) and with our group companies in the United States, Canada, India, Brazil, and China.
Customer Data is provided to us by our customers and processed by us on their behalf. This may involve a transfer of such data from the EEA to our group companies in the US where such data will be hosted.
We may share User Data with our group companies in the US for managing customer accounts.
We may share all of the above data with third party supplier/vendors that we work with (for example email service providers) who process data on our behalf. Details of such vendors are set out in our privacy notices and on our subprocessors page.
Some countries (such as Canada and the UK) have been deemed by the European Commission to have adequate data protection regimes – for those countries no further protections are necessary. In the United States, an adequacy decision exists for companies participating in the Data Privacy Framework.
For countries where there is no adequacy decision we rely on the use of SCCs.
Brandwatch is not a ‘telecommunications carrier’ within the meaning of the relevant legislation.
In respect of some the services it provides (e.g. email services) Brandwatch may be deemed to be provider of ‘electronic communications services’. As a result Brandwatch may be, in principle, subject to the surveillance regime under Section 702 FISA and EO 12333.
No, Brandwatch is unaware of any surveillance activities being targeted at Brandwatch’s systems and databases.
Yes. Brandwatch has received subpoenas and other requests for the disclosure of personal information.
Brandwatch will comply with its legal obligations.
Brandwatch does not voluntarily cooperate with surveillance authorities and will not release personal data unless required to by law.
Brandwatch will review all law enforcement requests and will only release personal data in response to such requests if it is satisfied that the request has been validly made in the correct form and with requisite authority and will only release personal data that falls within the scope of a lawful request.
Brandwatch may, on request, disclose the fact of a request by a government agency if it is permitted to do so by applicable law. By their nature, many (if not the majority) of government requests are confidential and Brandwatch is often unable to disclose the fact of the request or the specifics of such requests.
Brandwatch has conducted assessments of data flows within the Brandwatch group and to our suppliers and customers in the US.
Our principal international data transfers are from our EU entities to our headquarters in the UK, other offices located in the US, sub-processors in the US, and to our US customers. For this reason and given that the issues addressed by the European Court related to transfers to the US, this is our area of focus.
Given the nature of the data subjects, the personal data that we process, the recipients of that data, and the nature of Brandwatch’s business, we do not believe that the transfers outside the EEA of Brandwatch and Online Content Author Data create any material or additional risk over and above the risks that already exist as a result of that data being made publicly available by the data subjects (influencers/journalists) prior to its collection, processing and onward transfer by Brandwatch.
The two critical factors in reaching this conclusion are that:
(a) the vast majority of data that is transferred is public domain data (available for example on public social media platforms where it has been posted by the data subjects themselves); and
(b) the nature of the data transferred is low risk. If a government agency wished to access Online Content Author personal data it could access that data by accessing the public domain sources used by Brandwatch (Eg. Twitter, Facebook, public websites). In our view, the risk of US surveillance mechanisms being applied to Brandwatch is low and if they were applied it would relate to data that is already publicly available.
User Data is generally limited to the personal contact information of our customer account contacts, activity on customer accounts and influencer information. We believe that such data is also low risk.
Notwithstanding the above, Brandwatch acknowledges that access by US government agencies to personal data held by Brandwatch is theoretically possible. For this reason, Brandwatch will be implementing certain supplemental measures to protect the personal data that it transfers outside the EEA, as below.
Brandwatch maintains robust technical and organisational security measures to ensure the adequate protection of personal data. Details of such measures are summarised in The Brandwatch Security Programme.
Brandwatch employs strong encryption both in transit (TLS) and at rest and continually works to enhance our abilities to encrypt personal data.
Where we engage processors to act on our behalf, we ensure that they have appropriate security measures.
We have considered what supplemental measures may be necessary for our various data transfers and in consideration of the likelihood and severity of the risks to the rights and freedoms of natural persons and have no reason to believe that we will not be able to comply with commitments under the SCCs.
This is because:
(a) the vast majority of data that is transferred is public domain data (available for example on public social media platforms where it has been posted by the data subjects themselves); and
(b) the nature of the data transferred is low risk. If a government agency wished to access Online Content Author personal data it could access that data by accessing the public domain sources used by Brandwatch (Eg. Twitter, Facebook, public websites). In our view, the risk of US surveillance mechanisms being applied to Brandwatch is low and if they were applied it would relate to data that is already publicly available.
Despite our view of the risks, Brandwatch will implement the below changes to address concerns raised by the EDPB.
Brandwatch will endeavour to notify the relevant data exporter of any access or request for access by a government authority, unless prohibited by law. If prohibited, Brandwatch will use best efforts to get the prohibition waived, review the legality of such request, and challenge any unlawful ones. Brandwatch will notify the relevant data exporter if it believes it can no longer comply with the SCCs.
Brandwatch will adopt and regularly review internal policies to assess the suitability of the implemented safeguarding measures and to identify and implement additional or alternative solutions when necessary. Brandwatch aims to ensure that the transferred personal data continues to enjoy an equivalent level of protection as that guaranteed within the EU.
At present, Brandwatch Influencer Data and Customer Influencer data is hosted on servers based in the US, UK and EU. There is no plan to change that arrangement. As a result, it is not possible to provide Brandwatch services to our customers without the transfer of EU personal data to the US.
Customers may be concerned with User Data and Customer Data.
It is necessary for Brandwatch’s international entities to have access to User Data in order to manage the customer account.
It is within the customer’s control what Customer Data it provides to Brandwatch. If a customer has concerns about the international transfer of Customer Data, then it should not provide such data to Brandwatch or should discuss any concerns with Brandwatch before doing so.
Customers should carry out their own assessment of whether any personal data they provide to Brandwatch (either Customer Data or User Data) may be particularly sensitive, and, if so, should consider whether to withhold or remove such data from, for example, the Content Upload API or Vizia.
Brandwatch is considering assessments of international transfers of personal data to territories other than the US.
Brandwatch’s view is that even if those regimes did allow access similar to that afforded to US law enforcement agencies, and even if the redress afforded to data subjects suffered from the same shortfalls as the European Court identified as existing in the US, the public nature of the data and its inherent lack of interest to law enforcement means that the risks involved in transfers to those countries are low.
We will be carefully monitoring any further guidance from the EDPB and national DPAs, and any best practice recommendations. This will be an ongoing process.
We conduct regular audits of our third party suppliers and vendors to ensure that they provide adequate protection for personal data processed on Brandwatch’s behalf.
Under domestic legislation, the UK has adopted GDPR which is now known as UK GDPR. The law related to international data transfers thus continues to apply to transfers to and from the UK, save that the UK is now considered to be a ‘third country’ so far as GDPR is concerned.
On the 28th June 2021, the European Commission adopted an adequacy decision for the UK as it regards the UK as having an ‘essentially equivalent’ level of protection to that within the EU.
Consequently, personal data transfers from the EEA to the UK can continue without any further safeguards.
The UK has agreed to treat the EEA as an ‘adequate’ jurisdiction for the purposes of the UK GDPR. This means that transfers from the UK to the EU will not require any further safeguards.
Under the UK GDPR, transfers from the UK to countries outside the EEA will be subject to the same restrictions as they did when the UK was part of the EU. Brandwatch will continue to rely on SCCs in relation to such transfers for now.
The UK’s Information Commissioner’s Office is in the process of consulting the industry on the contents of the proposed UK SCCs and Brandwatch will monitor this.
Existing customer?Log in to access your existing Falcon products and data via the login menu on the top right of the page.New customer?You'll find the former Falcon products under 'Social Media Management' if you go to 'Our Suite' in the navigation.
Brandwatch acquired Paladin in March 2022. It's now called Influence, which is part of Brandwatch's Social Media Management solution.Want to access your Paladin account?Use the login menu at the top right corner.
