Adobe Transfer Impact Assessment
Adobe Data Transfers to Third Countries – Customer Guide
Adobe has prepared this guide to provide information for its business customers in Europe that may be performing a data ‘transfer impact assessment’ (“TIA”) as part of their due diligence process in contemplation of using Adobe products and services.
This guide has been developed in consultation with specialist data protection and privacy lawyers in each of the countries below regarding the laws and practices in those countries in relation to government and law enforcement access to personal data. This guide is based on Adobe’s own analysis and takes into consideration relevant decisions by the Court of Justice of the European Union ("CJEU") including the recent ‘Schrems II’ decision, as well as guidance from data protection authorities such as the European Data Protection Board ("EDPB"). The information is supplied here in a summary form.
Why is this necessary?
European data protection laws restrict the transfer of personal data to ‘third countries’ unless the recipient country has been deemed ‘adequate’, or the data exporter has ensured there are appropriate safeguards in place to provide the personal data with an adequate level of protection. One of those safeguards, which Adobe relies upon, is to use ‘standard contractual clauses’ ("SCCs") as follows:
- in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”);
- in respect of UK personal data, the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022; and
- in respect of Swiss personal data, the EU SCCs as amended to comply with Swiss law requirements.
In the decision known as ‘Schrems II’, the CJEU decided that, before using SCCs, companies should assess the risk of government access to personal data in the recipient country and implement additional safeguards as needed.
Adobe transfers personal data to third countries as set out in the description of transfers sections below. Adobe has evaluated the impact of the ‘Schrems II’ decision and has taken necessary steps, aligning its data protection processes and standards to address compliance. This guide summarizes the information from Adobe’s transfer impact assessments and describes the additional safeguards which Adobe has implemented.
Important:
This document (1) is intended to support the business customer in conducting its own TIA; and (2) states Adobe’s summary and conclusion of its own TIA, which it has conducted as a data exporter.
It is not provided as legal advice. The third countries covered by this guide are:
A. Armenia
B. Australia
C. India
D. Serbia
E. United States
A. ARMENIA
DESCRIPTION OF TRANSFERS
I. Summary
Personal data in the form of Business Contact Data/Customer Content Data as described further below will be accessed by Adobe Development ARM LLC in Armenia - this entity performs customer support functions on behalf of Adobe affiliates based in the European Economic Area ("EEA").
The level of rule of law and respect for human rights in Armenia is intermediate: whilst basic rights and freedoms (such as right to a fair trial, right to protection of personal data etc.) are recognized under the Armenian Constitution and laws, the Armenian judiciary does not enforce these rights at an appropriate level due to e.g. inconsistent legal interpretation, overburdened courts, long duration of court cases and alleged cases of corruption. The independence of Armenian courts and judges is guaranteed under the Armenian Constitution and the Judicial Code of Armenia, but in practice the Armenian courts do not always exhibit independence.
Armenia has data protection legislation which includes various protections as well as rights for individuals. There is independent oversight in the form of a national data protection supervisory authority. Individuals also have limited rights to compensation in the form of damages for breach of their data protection rights via the Armenian courts; however, in practice this may not be an effective remedy for the reasons stated above.
Armenian legislation sets out specific legal bases authorizing investigative authorities to access personal data pursuant to statutory procedural requirements in case of any type of criminal investigation, although the new Armenian Criminal Procedure Code specifies new categories of secret investigative actions (such as surveillance, wiretapping, supervision of financial transactions etc.) which may only be conducted where crimes involving corruption and other serious crimes are involved.
There are restrictions on requirements to notify affected individuals of access to their personal data in some cases e.g. if there is a lawful request from Armenian authorities to access personal data (i.e. in performance of their administrative functions), notification to the data subject is not required. The Armenian Criminal Procedure Code also prohibits notification in certain circumstances. Requests by authorities to access certain types of personal data are subject to judicial warrants.
Adobe has concluded that the relevant laws in Armenia that may permit government access to personal data offer a lower level of protection than that guaranteed within the EU and cause risks for the exported data that cannot be fully accounted for by the SCCs, particularly with regard to the lack of a fully independent oversight mechanism and of remedies available for affected individuals. However, the risk of the personal data in question being accessed by public authorities in Armenia is theoretical rather than practical and indeed Adobe Development ARM LLC has never received a request from Armenian authorities seeking access to user data. To further address the residual risks, Adobe has implemented additional technical, organizational, and contractual supplementary measures to ensure that the data accessed from Armenia benefits from a level of protection that is adequate in relation to that of the EU.
II. Personal Data Affected
The personal data transferred to Armenia is as follows:
Business Contact Data:
Contact details provided in the customer support request handled by the data importer and other details accessed by the data importer for verification and support purposes including:
- Name, contact details, organizational name and contact details.
- Details of customer support provided (e.g. details of raising and responding to customer support cases).
Customer Content Data:
Customer or end user content which may contain some personal data which may be incidentally accessed when the data importer’s staff are granted access by the end user so that 3rd tier support services can be provided for their use of Workfront, a work management tool that includes projects, tasks, documentation, reports, team information etc. Access is limited to customer and any end user data that is stored in the Workfront product environment, and the environment accessed will be specific to the product to which the support request relates e.g. Fusion, Proof etc. Such access is time-limited.
LEGAL ASSESSMENT
I. General Approach to the Rule of Law and Human Rights
In general, the level of rule of law and respect for human rights in Armenia is intermediate. While basic rights and freedoms (such as property ownership, respect for human life, right to a fair and public trial, right to protection of personal data etc.) are recognized under the Armenian Constitution and laws, the judiciary does not enforce these rights at an appropriate level due to e.g. inconsistent interpretation of the law, Armenian courts being overburdened, the length of time it takes for court cases to reach a conclusion and alleged cases of corruption.
The National Assembly of Armenia (legislature) has ratified a number of international treaties aiming at protection of human rights. Armenia is a party to the Convention for the Protection of Human Rights and Fundamental Freedoms and to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Armenia also ratified the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS No. 181) and the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223).
Armenian courts adhere to European Court of Human Rights (“ECtHR”) case law. Under Art. 6(2) of the Judicial Code of Armenia, the courts must consider the practice of the bodies operating on the basis of international human rights treaties ratified by the Republic of Armenia (including the ECHR) when interpreting the provisions of fundamental rights and freedoms under the Constitution. It is customary for local courts to rely on ECHR case law when administering justice and to refer to ECHR decisions. However, the ECHR has found against decisions of the Armenian courts.
II. National Data Protection Law and Independent Supervisory Authority
The Armenian Constitution adopted on 6 December 2015 expressly ensures the right of any individual to the protection of his/her personal data. Armenia also adopted its Law “On Personal Data Protection” (“PDP Law”) in 2015. Personal data processing includes, inter alia, access to personal data. Provision of access to personal data is permissible if a data subject gives their consent to data processing or if processing of (access to) personal data takes place by virtue of law.
In 2015, the Armenian Government established an authority within the Armenian Ministry of Justice, called the Personal Data Protection Agency of Armenia (the “Agency”), to supervise compliance with personal data protection legislation. It is an independent body, acting based on the PDP Law and the structure defined by the Armenian Government. Among other functions, the Agency is authorized to verify the compliance of personal data processing with the requirements of the data protection law, either on its own initiative or based on a relevant application, and to apply administrative sanctions in case of breach of such data protection law.
III. Identification of the Laws that Allow Government Access to Personal Data
Armenian legislation sets out specific legal bases authorizing investigative authorities to access personal data pursuant to statutory procedural requirements in case of criminal investigations. Such legal bases are incorporated in:
- Law of Armenia “On Operational Intelligence Activity” (“OIA Law”);
- Criminal Procedure Code of Armenia (“Criminal Procedure Code”);
- Law of Armenia “On Electronic Communications”;
- Law of Armenia “On the Legal Regime of the State of Emergency”;
- Law of Armenia “On Combating Money Laundering and Terrorism Financing” (“AMLTF”); and
- The new Criminal Procedure Code of Armenia entering into force in July 2022.
The above laws allowing Armenian authorities to access personal data in Armenia cover all individuals, irrespective of their citizenship or resident status (including non-Armenian residents whose data is processed by an Armenian organisation).
The above laws are generally adhered to in practice. Although illegal access to personal data by investigative and law enforcement authorities is not common in Armenia, it cannot be ruled out that authorities occasionally access personal data without satisfying the relevant legal requirements.
IV. Proportionality Assessment of Rights to Access
The Criminal Procedure Code currently in force in Armenia treats all types of crimes (whether minor or serious) in the same way in terms of access to personal data. However, the new Criminal Procedure Code defines a new category of secret investigative actions (such as internal and external surveillance, digital supervision, supervision of correspondence, wiretapping, supervision of financial transactions etc.) which may be conducted only where crimes involving corruption or other serious or particularly serious crimes are being investigated, and also provides guarantees to ensure the lawfulness of the secret investigative actions.
V. Limitations to Right of Access
In practice, public authorities in Armenia access personal data required for implementation of their administrative functions pursuant to PDP Law provisions. Although the PDP Law sets out that during investigations, national security and AMLTF operations, personal data processing matters are regulated by other laws, the law enforcement authorities and national security agencies are not excluded from the scope of regulation of the PDP Law and therefore must comply with the PDP Law to the extent it does not contradict any relevant Armenian sectorial laws (e.g. OIA Law, Criminal Procedure Code etc.).
VI. Independent Oversight and Prior Approval
The supervision of the protection of personal data in Armenia is carried out by the Agency, which is appointed as the Armenian data protection authority. It is an independent body, acting based on Armenian data protection laws and the structure defined by the Government of the Republic of Armenia. Disputes arising out of violations of data protection laws are not common in Armenia and there is no well-developed and established case law with respect to such disputes. No significant cases of data breach by Armenian authorities have been reported.
Another form of independent supervision and oversight is judicial supervision i.e. by the courts. Access to correspondence, emails and other means of communication (electronic communication systems) of an individual, access to data representing medical, notarial, insurance or banking secrets, and the wiretapping of phone calls are only possible upon prior authorization by the court. Access to these types of data by law enforcement bodies/national security agencies therefore requires prior court approval; otherwise, they do not have to seek prior court approval. There are no specific rules in Armenia for ex-post supervision or similar review of law enforcement bodies’/national security agencies’ use of their powers to access personal data in the course of investigations.
The independence of Armenian courts and judges is guaranteed under the Armenian Constitution and the Judicial Code of Armenia, but the courts do not always exhibit independence. The Report of the former Human Rights Defender of the Republic of Armenia on the Right to Fair Trial dated December 9, 2013 cited numerous cases where pressure was exerted on judges and also corruption schemes involving judges from the Armenian courts of first instance, and from the Armenian Court of Appeals and Court of Cassation. There has been improvement, relatively speaking, in the level of independence of the judiciary over recent years but Armenia does not yet have a fully independent judiciary.
VII. Transparency
Armenian law does not require an organisation to notify an individual if it receives a lawful request from Armenian authorities to be given access to that individual’s personal data. If the request is unlawful, the data subject’s prior consent is required. An organisation which receives a request from authorities to provide access to an individual’s personal data may disclose the fact of receiving the request to third parties including to the individual concerned, except where such disclosure is prohibited. For example, as regards conducting investigative actions of a secret nature (e.g. wiretapping, supervision of correspondence), neither the general public, nor affected data subjects are notified of investigative bodies accessing personal data under the OIA Law or Criminal Procedure Code - control over the lawfulness of access to personal data during these investigations is maintained by prosecutors and courts.
Information on how often authorities use access powers does not appear to be publicly available.
VIII. Individual Remedies for Breach of Laws
According to Article 17 of the PDP Law, if a data subject finds that the processing of his/her personal data is carried out in breach of the PDP Law or otherwise violates his/her rights and freedoms (e.g. because there has been unauthorised access to the personal data by Armenian authorities), he/she has the right to challenge the actions (or omission to act) of the processor before the Agency or through the courts.
Data subjects have a right to compensation in the form of damages in civil litigation as well. However, court remedies are not always effective for the reasons stated above. Also, under Armenian law, compensation for non-monetary damages/losses as a result of violation of data protection or other rights is not available. Under the Armenian Civil Code, only compensation for monetary damages may be awarded.
The Armenian Code on Administrative Offences (the “Administrative Code”) provides sanctions for illegal processing of personal data (including but not limited to sanctions for data breaches by state officers).
SAFEGUARDS
I. Technical & Organizational Safeguards
Adobe’s relevant Technical Measures are as follows:
- The Technical and Organizational Measures for Adobe Cloud Services here: https://www.adobe.com/go/CloudSvcsTOSM.
These measures include encryption of restricted data sets over public networks based on the specification HTTPS TLS v1.2, and at rest encrypted to specification AES-256 bit. Key management measures differ depending on the Adobe product.
Adobe's Organisational Measures include those set out in its Transparency Report and Law Enforcement Guidelines, which describe Adobe’s approach to access requests from government and law enforcement and its notice policies. Unless legally prohibited from doing so, Adobe commits to redirect requests to business customers and gives notice (enclosing a redacted copy of the request) whenever a government agency seeks access to their information. Adobe also has comprehensive internal data protection policies which address broader data protection principles such as data minimisation.
II. Contractual Safeguards
Adobe relies on the SCCs for transferring European personal data out of Europe – the modules selected by Adobe include provisions designed to address ‘Schrems II’ concerns (i.e. Clauses 14 and 15 of the EU SCCs).
Adobe requires all those who process European personal information on its behalf to execute a data processing agreement that is no less protective than that which it signs with its business customers, and which includes additional supplementary measures.
B. AUSTRALIA
DESCRIPTION OF TRANSFERS
I. Summary
Customer personal data will be transferred to Adobe Systems Pty Ltd in Australia as follows:
- Business Contact Data are transferred because the Adobe affiliate in Australia performs customer support functions on behalf of Adobe affiliates based in the European Economic Area (EEA).
- Personal data contained in Customer Content may be accessed when Adobe affiliates in Australia provide customer support on behalf of Adobe affiliates based in the European Economic Area (EEA).
Please see our Transparency Report for details of requests from Australian authorities seeking access to user data.
Australia has privacy legislation at both a federal, and State and Territory level, which is applicable to both state as well as non-state actors and includes a number of protections as well as rights for individuals. However, this is subject to certain exemptions for law enforcement, including restrictions on the requirement to notify affected individuals of access to their personal data.
Typically, access and surveillance requests are subject to judicial warrants or judicial authority and are subject to considerations of proportionality and the impact on individuals’ privacy.
The Australian constitution establishes the rule of law and provides checks and balances on the executive, including independent judicial oversight. Australia also has independent oversight in the form of a federal privacy regulator, as well as regulators responsible for information and privacy at a State and Territory level.
In conclusion, in practice personal data transferred to Australia is adequately protected for the following reasons:
- as described above and below, Australia’s legal system strongly recognises and is built upon the rule of law, and Australia has ratified a number of relevant UN treaties as well as being an OECD member bound by OECD data protection principles;
- Australia has a strong privacy law regime which binds public and private sector organisations, offers rights of appeal via an independent appeal system and rights of data access (including via freedom of information laws), and has significant oversight laws when it comes to public authority access to personal data, as well as transparency regarding access;
- the historic number of public authority access requests made under Australian laws is relatively low as disclosed in publicly available reports and this is reflected in Adobe’s practical experience as revealed in our Transparency Report.
- we have contractual, technical and organisational security measures, including the publication of the Adobe Transparency Report and Law Enforcement Guidelines, that adequately compensate for any failure (if any) of the rights of public authorities to access personal data to fully meet EEA requirements.
II. Personal Data Affected
The personal data transferred to Australia is contained in the following data categories:
Business Contact Data (user related)
- Name, contact details, organisational name and contact details, credentials received from social networking sites.
- Information processed to deliver services (e.g., IP address, device and browser type, account ID information) or about a user’s interaction with Adobe online.
- Details of the marketing promotions which have been sent to, or viewed by, the recipient and how the recipient interacted with these.
- For users who are individuals: date of birth, details of services supplied and eligibility for discounted services, billing and payment information.
Customer Content as defined in the Adobe General Terms and Terms of Use:
- Personal details and contact information including name, address, email address, title, position, contact information, social profile information, IP address, unique user IDs (such as cookie IDs) and marketing profiles.
- Documents and Content: Documents, images, and content uploaded to the Adobe Cloud services in electronic form which may contain any type of personal data.
Customer Data as defined in the General Terms (enterprise customers only).
LEGAL ASSESSMENT
I. General Approach to the Rule of Law and Human Rights
Australia is a constitutional monarchy based on the English Westminster system. Its constitution codifies a rule of law under which the judiciary, legislature and executive are independent (i.e. there is a separation of powers) which allows for checks and balances on the use of power and ensures the courts remain independent. Australia’s constitution provides for certain fundamental rights and freedoms, and the protection of personal information is acknowledged in the Privacy Act 1988 (Privacy Act).
Administrative decisions of the executive authorities can be judicially reviewed through the courts, a mechanism which also allows individuals to seek the enforcement and protection of their rights.
Australia is a signatory to various relevant international commitments, including the Universal Declaration of Human Rights 1948.
II. National Data Protection Law and Independent Supervisory Authority
At a national level, Australia’s Privacy Act and Australian Privacy Principles regulate the collection, use and disclosure of personal information by Commonwealth government agencies (as well as private sector organisations that meet financial threshold criteria).
Although the Privacy Act does not apply to State and Territory governments, similar protections are provided in State and Territory laws (described below).
The Office of the Australian Information Commissioner (OAIC) is the independent national privacy regulator responsible for regulating compliance with the Privacy Act by Commonwealth government agencies and organisations. The OAIC can conduct investigations, handle complaints and take enforcement action. States and Territories also have information or privacy commissioners that administer State and Territory privacy laws.
III. Identification of the Laws that Allow Government Access to Personal Data
The main laws that authorize law enforcement or national security agencies to access data are:
- The Privacy Act and the Australian Privacy Principles ("APPs");
- Relevant State and Territory privacy laws including the Information Privacy Act 2014 (ACT), Privacy and Personal Information Protection Act 1998 (NSW), Information Act 2002 (NT), Information Privacy Act 2009 (Qld), Personal Information Protection Act 2004 (Tas), Privacy and Data Protection Act 2014 (Vic), Freedom of Information Act 1992 (WA) and the South Australian Information Privacy Principles;
- The Surveillance Devices Act 2004 (and relevant State and Territory acts);
- Australian Security Intelligence Organisation Act 1979;
- Crimes Act 1914;
- ASIC Act 2001;
- Telecommunications (Interception and Access) Act 1979;
- Telecommunications Act 1997 (in particular Part 15);
- Security of Critical Infrastructure Act 2018;
- Mutual Assistance in Criminal Matters Act 1987.
IV. Proportionality Assessment of Rights to Access
Public authorities do not have a general discretion to access data. Access generally requires the issue of a warrant or authorization which will only be granted if the information sought is required to prevent or investigate an offence or is a national security matter.
The relevant legislation provides considerations that must be taken into account when a warrant or authorization is considered, and typically this includes consideration of the potential interference with individuals’ right to privacy, the gravity of the conduct being investigated, likelihood of information furthering the investigation and whether there is an alternative method of obtaining the evidence and whether doing so would be detrimental to the investigation.
V. Limitations to Right of Access
The Privacy Act imposes a number of exceptions to normal privacy rules in respect of certain ‘enforcement bodies’, including exempting certain bodies from parts of the rules when they reasonably believe that the use or disclosure of personal data is reasonably necessary for certain enforcement related activities. There are similarly exceptions for cross-border disclosures where the disclosing entity is an agency (including government agencies and public bodies).
Outside of these exemptions and exceptions, the following rules generally apply:
- APP 3 requires that entities and agencies only collect personal data (other than sensitive data) where it is reasonably necessary for or (in the case of agencies) directly related to, one or more of the entity’s functions or activities.
- APP 5 requires the entity to take reasonable steps to notify the individual of certain matters, including, where the collection is required or authorised by or under an Australian law or a court order—the fact that the collection is so required or authorised (including the name of the Australian law or details of the order that requires or authorises the collection).
- Limitations on the use or disclosure of personal data for a secondary purpose.
- APP 11 requires entities and agencies to take reasonable steps to protect personal data it holds from misuse, interference and loss, unauthorised access, modification or disclosure.
The entities may also be subject to other mandated privacy rules, for example those required to be imposed by the responsible Minister in relation to the Australian Secret Intelligence Service, the Australian Geospatial-Intelligence Organisation and the Australian Signals Directorate, or internal guidelines developed relating to privacy, for example the NSW Police Force Privacy Management Plan.
State and Territory police are subject to state and territory legislation, which generally contains broad law enforcement exemptions. For example NSW Police are subject to the Privacy and Personal Information Protection Act 1998 (NSW), which contains an exemption in relation to activities other than its educative and administrative functions.
VI. Independent Oversight and Prior Approval
As the laws governing access vary by state and territory, there are various bodies and mechanisms that provide oversight – but there are certain safeguards, controls and reporting requirements in each case. In general, the use of surveillance, access or coercive powers is subject to the issue of a warrant by a judicial officer or is subject to judicial review if issued by the executive – in each case providing court oversight.
The Office of the Australian Information Commissioner (OAIC) is the independent national privacy regulator responsible for regulating compliance with the Privacy Act by Commonwealth government agencies and organisations. The OAIC can conduct investigations, handle complaints and take enforcement action. States and Territories also have information or privacy commissioners that administer State and Territory privacy laws.
VII. Transparency
The level of transparency will depend on the circumstances – for example, covert search warrants can be exercised without notice to the individual. However, Adobe understands that in most cases the individual will not be informed prior to the search, and that after a search has been conducted, it is common for there to be restrictions on the giving of notice to the individuals affected.
Typically, organisations (including Adobe) that receive requests to provide personal data to authorities publish details about the frequency and volume of receipt of such requests.
VIII. Individual Remedies for Breach of Laws
Individuals can lodge complaints with the OAIC for breaches of the Privacy Act, and seek remedies including compensation.
The TIA Act and Surveillance Devices Act set out civil remedies for individuals where there has been unlawful access to their personal data causing loss.
Individuals may also have a right to judicial review of a decision relating to surveillance and data access, and can make complaints directly to the relevant body or commission, or they can seek civil compensation via the courts.
IX. Data Subjects Right to Access, Erase or Correct Personal Data
APP 12 gives individuals a right of access from Commonwealth agencies and organisations (and this right is also reflected in State and Territory laws). APP 13 gives individuals the right to request correction of their personal data. There is no right under the APPs to request erasure, but under APP 11 Commonwealth agencies and organisations are required to delete or de-identify personal data once it is no longer needed for a permitted purpose.
SAFEGUARDS
I. Technical & Organisational Safeguards
Adobe’s relevant Technical Measures are as follows:
- The Technical and Organisational Measures for Adobe Cloud Services here: www.adobe.com/go/CloudSvcsTOSM.
- Adobe Certifications and Security White Papers.
These measures include encryption of restricted data sets over public networks typically based on the specification HTTPS TLS v1.2, and at rest encrypted to specification AES-256 bit. Key management measures differ depending on the Adobe product.
Adobe’s Organisational Measures include those set out in its Transparency Report and Law Enforcement Guidelines, which describe Adobe’s approach to access requests from government and law enforcement and its user notice policies. Unless legally prohibited from doing so, Adobe commits to redirect requests pertaining to business customers and gives notice (enclosing a redacted copy of the request) whenever a government agency seeks access to their information.
Adobe also has comprehensive internal data protection policies which address broader data protection principles such as data minimisation.
II. Contractual Safeguards
Adobe relies on the SCCs for transferring European personal data out of Europe.
Adobe requires all its vendors who process European personal information on its behalf to execute a data processing agreement that is no less protective than that which it signs with its business customers, and which includes additional supplementary measures.
C. INDIA
DESCRIPTION OF TRANSFERS
I. Summary
Customer personal data will be transferred to Adobe Systems India Private Ltd in India as follows:
- Business Contact Data are transferred because Adobe affiliates in India perform customer support functions on behalf of Adobe affiliates based in the EEA.
- Personal data contained in Customer Content may be accessed when Adobe affiliates in India provide customer support on behalf of Adobe affiliates based in the EEA.
Please see our Transparency Report for details of requests from Indian authorities seeking access to user data.
India is developing a new, comprehensive data protection law (currently in the form of a Bill), which will be applicable to both state as well as non-state actors and will replace existing privacy rules. However, this new Bill confers powers on the Central Government to exempt any agency of the Government from the application of its provisions.
Fundamentally, the Indian Constitution establishes the rule of law and protects various fundamental rights of individuals, including the right to privacy and the right to constitutional remedies to enforce fundamental rights.
The rights of access, including intercepting and monitoring of communications, by government agencies/bodies are generally authorized by the agency/body itself and not by an independent judicial body. There are limits on the exercise of such interception powers, including that such powers may be deployed only in certain circumstances, such as the occurrence of any public emergency or in the interest of public safety.
Adobe has concluded that the relevant laws in India that may permit government access to personal data offer lower levels of protection than what is guaranteed within the EU and cause risks for the exported data that cannot be fully accounted for by the SCCs. To further address the residual risks, Adobe has implemented additional technical, organisational, and contractual supplementary measures to ensure that the data benefits from a level of protection that is adequate in relation to that of the EU.
II. Personal Data Affected
The personal data transferred to India is contained in the following data categories:
Business Contact Data (user related)
- Name, contact details, organisational name and contact details, credentials received from social networking sites.
- Information processed to deliver services (e.g., IP address, device and browser type, account ID information) or about a user’s interaction with Adobe online.
- Details of the marketing promotions which have been sent to, or viewed by, the recipient and how the recipient interacted with these.
- For users who are individuals: date of birth, details of services supplied and eligibility for discounted services, billing and payment information.
Customer Content as defined in the Adobe General Terms and Terms of Use:
- Personal details and contact information including name, address, email address, title, position, contact information, social profile information, IP address, unique user IDs (such as cookie IDs) and marketing profiles.
- Documents and Content: Documents, images, and content uploaded to the Adobe Cloud services in electronic form which may contain any type of personal data.
Customer Data as defined in the General Terms (enterprise customers only).
LEGAL ASSESSMENT
I. General Approach to the Rule of Law and Human Rights
The Indian Constitution establishes the rule of law and protects various fundamental rights of individuals, including the right to privacy and the right to constitutional remedies to enforce fundamental rights. It also provides for the legislative oversight over executive action by recognizing a bicameral national legislature and state legislatures, and an independent judiciary with the power of judicial review of executive action.
II. National Data Protection Law and Independent Supervisory Authority
The 2019 Personal Data Protection Bill (PDP Bill), which provides for the establishment of a Data Protection Authority, is currently under review by a Joint Parliamentary Committee, and yet to be tabled before Parliament.
The current applicable privacy framework in India is contained in the Information Technology (Reasonable security practices and procedures and sensitive data or information) Rules, 2011 framed under the Information Technology Act 2000. There is no single independent data protection supervisory authority in India as at the date of this guide.
III. Identification of the Laws that Allow Government Access to Personal Data
The main laws that authorize the Government of India and/or State Government(s) to access data are:
a. The Information Technology Act 2000 (“IT Act”);
b. The Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”);
c. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”); and the Personal Data Protection Bill, 2019 (PDP Bill) after it replaces the SPDI Rules;
d. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”);
e. The Indian Telegraph Act, 1885 (“Telegraph Act”);
f. The Indian Telegraph Rules, 1951 (“Telegraph Rules”);
g. The Criminal Procedure Code, 1973 (“CrPC”).
IV. Proportionality Assessment of Rights to Access
The conditions for access to data under the IT Act and the Telegraph Act are predominantly limited to public interest grounds such as the maintenance of public safety, national security, prevention of offences, friendly relations with other countries, or for preventing incitement to the commission of an offence. However, there is no statutory mandate to restrict/limit the amount of data sought to be accessed to only what is strictly necessary to achieve the stated public interest objectives.
V. Limitations to Right of Access
All directions and orders for the exercise of such rights should be issued only by designated authorities under the applicable laws, recorded in writing, and accompanied by reasons to be recorded in writing. As a rule, directions or orders for the interception, monitoring, or decryption of information under the IT Act should only be issued by the designated authority when it is not possible to acquire the information by any other reasonable means. The laws also require that all records pertaining to directions for interception, monitoring, or decryption and the information obtained through such requests, shall be destroyed by the security agency every six months except where likely to be required for functional purposes.
The Indian Constitution also offers a general overarching protection that any restriction of the constitutional right to privacy must be made only in accordance with the procedure established by law.
VI. Independent Oversight and Prior Approval
Only a competent authority (usually a high-ranking civil servant) may issue an order for access under the IT Act and Telegraph Act. There is also provision for a review committee to review authorizations granted by the competent authority. However, neither the competent authority nor the review committee is independent of the government.
VII. Transparency
Typically, all interception requests made by government agencies are confidential. However, organisations that receive a request to provide personal data from government agencies have been known to publish details about the frequency and volume of receipt of such requests. Adobe does this as well.
VIII. Individual Remedies for Breach of Laws
Redress from an independent court/tribunal is available but limited in scope. Individuals (including non-citizens) have the right to appear before a Court to challenge an order for data access to the extent that it implicates their personal data, by asserting their constitutional right to privacy. However, judicial review in such cases is limited to a review as to whether due process was followed in making the order for access.
Additionally, the PDP Bill envisages the setting up of an Indian Data Protection Authority, which shall have the powers to monitor and enforce compliance with the provisions of the PDP Bill.
IX. Data Subjects' Right to Access, Erase or Correct Personal Data
The PDP Bill will provide individuals with the right to request access, correction and restriction from the continued disclosure of their personal data and will apply to both state as well as non-state actors.
Currently, the framework under the SPDI Rules only provides rights against private corporations.
SAFEGUARDS
I. Technical & Organisational Safeguards
Adobe’s relevant Technical Measures are as follows:
- The Technical and Organisational Measures for Adobe Cloud Services here: www.adobe.com/go/CloudSvcsTOSM.
- Adobe Certifications and Security White Papers.
These measures include encryption of restricted data sets in transit over public networks, typically using HTTPS with TLS v1.2, and encryption at rest using 256-bit AES. Key management measures differ depending on the Adobe product.
Adobe’s Organisational Measures include those set out in its Transparency Report and Law Enforcement Guidelines, which describe Adobe’s approach to access requests from government and law enforcement and its user notice policies. Unless legally prohibited from doing so, Adobe commits to redirect requests pertaining to business customers and gives notice (enclosing a redacted copy of the request) whenever a government agency seeks access to their information.
Adobe also has comprehensive internal data protection policies which address broader data protection principles such as data minimisation.
II. Contractual Safeguards
Adobe relies on the SCCs for transferring European personal data out of Europe.
Adobe requires all its vendors who process European personal information on its behalf to execute a data processing agreement that is no less protective than that which it signs with its business customers, and which includes additional supplementary measures.
D. SERBIA
DESCRIPTION OF TRANSFERS
I. Summary
Adobe’s Customer Contact Data (i.e. contact details for Adobe customers) and Business Contact Data (i.e. contact details for those providing goods/services to Adobe) will be transferred to two third-party suppliers with operations in Serbia to enable them to provide mobile communication services to Adobe including the provision of identity and SMS authentication services for certain Adobe products.
Serbia has ratified most international conventions regulating protection of the rule of law and human rights, including in relation to the protection of personal data. Serbia’s new data protection law is largely aligned with the General Data Protection Regulation ("GDPR"). However, certain other Serbian laws allow broad powers for certain authorities to require disclosure of, or obtain direct access to, personal data in the possession of private parties, some of which laws are yet to be fully aligned with Serbian data protection law. However, these powers are conditional upon the authorities following strict procedures, with several layers of oversight and control including data subjects being entitled to challenge the legality of the authorities’ activities via the Serbian data protection authority and the courts.
Serbia recognises the rule of law as a basic principle of the Serbian Constitution and the Serbian legal system. However, in practice, some concerns remain regarding the appropriate implementation of the rule of law and the level of judicial independence and protection of fundamental human rights in Serbia.
II. Personal Data Affected
The personal data involved are name, mobile phone number, SMS delivery date and status in the following data categories:
Customer Contact Data (i.e. contact details for Adobe customers which includes consumer clients, employees of enterprise customers and other signers of documents); and
Business Contact Data (i.e. contact details for those providing goods/services to Adobe)
LEGAL ASSESSMENT
I. General Approach to the Rule of Law and Respect for Human Rights
The Serbian Constitution expressly states that the rule of law is a "basic precondition" of the Constitution and that the rule of law shall be achieved through free and direct elections, constitutional guarantees of human and minority rights, separation of powers, an independent judiciary and compliance with the Constitution and law. However, in practice, the rule of law is not strong in Serbia - the Serbian judicial system can often be put under political pressure by other (executive and legislative) branches of government.
Serbia has ratified the ECHR and any decision of the Serbian courts having reviewed an act of the executive may be challenged before the ECtHR. The ECtHR does not frequently overturn the decisions of the Serbian courts and such ECtHR rulings rarely find any violation of the right to fair trial in Serbia (i.e. the right which corresponds to the ECHR principle of judicial independence).
Serbia is an EU candidate country but Serbian law is not yet harmonised with EU law and standards. The Serbian government has initiated the harmonisation process and is required to complete it by 9 February 2023 but there is some doubt as to whether this will occur.
II. National Data Protection Law and Independent Supervisory Authority
Processing of personal data in Serbia is mainly regulated by the Personal Data Protection Law ("DP Law") which came into force on 21 August 2019 and follows the GDPR to a large extent. Serbia also has independent oversight in the form of a national data protection authority, the Commissioner for Information of Public Importance and Personal Data Protection ("DPA").
III. Identification of the Laws that Allow Government Access to Personal Data
The key Serbian laws that empower law enforcement authorities and national security authorities to demand disclosure of or obtain direct access to personal data in the possession of private parties are the Criminal Procedure Code ("CP Code"), the Electronic Communications Law ("EC Law") and the national security laws (i.e. the Law on Security Information Agency ("SIA Law") and the Law on Military Security Agency and Military Intelligence Agency ("MSA/MIA Law")). These laws provide the authorities with broad investigative powers, but these powers are conditional upon them following strict material and procedural rules, and several layers of oversight and control are also introduced over these activities.
1. EC Law: The EC Law enables law enforcement authorities (i.e. the courts, public prosecutors and the police) and national security agencies (the Security Information Agency ("SIA") and the Military Security Agency ("MSA")) to request "Retained Metadata" from electronic communications providers and/or to perform lawful interception of electronic communications that reveals the contents of communications, if such provision/access/interception is necessary for conducting criminal proceedings or the protection of national security.
2. CP Code: The CP Code is the key law regulating the conditions and procedure under which Serbian law enforcement authorities may compel the disclosure of personal data from private parties for the purposes of criminal investigations and the conduct of criminal proceedings. It contains the provisions regulating authorities’ access to the Retained Metadata and performance of lawful interception of electronic communications (which apply together with the provisions of the EC Law noted above). It also regulates how other surveillance-related "special evidentiary actions" are to be performed (including e.g. surveillance of the electronic address of a suspect etc.). Special evidentiary actions can only be ordered by a court in very limited circumstances in respect of a person suspected of the preparation or commission of a "particularly dangerous criminal offence" (e.g. organized crime, terrorism, offences against national security etc.).
3. SIA Law: SIA’s primary mission is to protect national security, detect and prevent activities aimed at undermining or disrupting the constitutionally defined order, and to research, process and assess the security-intelligence data and information significant for national security. In order to request access to Retained Metadata or perform lawful interception of electronic communications (or perform other so-called secret/special measures which might include data access), SIA must obtain a court order.
While the conditions for the court to order the disclosure of/access to Retained Metadata are the same as under the EC Law, the lawful interception of electronic communications (and other secret/special measures) may only be ordered if:
a) there are grounds for suspicion that an individual, group or organization is conducting or preparing actions directed against national security; and
b) the circumstances of the case indicate that these actions could not otherwise be detected, prevented or proven, or that this would cause disproportionate difficulty or great danger.
4. MSA/MIA Law: The MSA/MIA Law introduces a general requirement for all state authorities and legal entities (including private entities) to provide any necessary help to MSA/MIA’s officials for the performance of tasks within their competence (namely for the MSA, to ensure security and counterintelligence protection of the Ministry of Defence and the Serbian Army, and for the Military Intelligence Agency ("MIA") to conduct important defence intelligence activities related to foreign countries and their armed forces, international organizations, groups and individuals).
The MSA may also collect information from natural persons but only with their prior consent, while state authorities and legal entities (including private entities) are required to give access to their databases and other documentation as necessary. However, in order to request access to Retained Metadata or perform lawful interception of electronic communications (or other secret/special measures which may include access to data), MSA needs to obtain a court order. The MSA would be authorised by a court to apply these special measures only where data cannot be collected in any other way or their collection would otherwise involve disproportionate risk to life and health of people and property, or disproportionate costs. The MIA is not authorized either to access Retained Metadata held by operators or to perform lawful interception of electronic communications; however, it can conduct other secret/special measures (such as secret acquisition of documents and objects), although these other secret/special measures should not generally include direct access to data.
There is no reason to believe that the laws listed at 1-4 above are not adhered to in practice. The legality of actions of law enforcement authorities is, in practice, often tested in court during criminal proceedings, as defendants tend to challenge the legality of such actions.
IV. Proportionality Assessment of Rights to Access
The laws listed above contain relatively clear rules as to when the data can be accessed by competent authorities and provide certain proportionality safeguards (e.g. the setting of specific time limits and the requirement to keep appropriate records referencing the document permitting such access and the relevant date and time of such access).
V. Limitations to Right of Access
Access to personal data by law enforcement authorities and/or national security agencies in Serbia under the laws described above can generally be said to be targeted (i.e. it must relate to specific individuals and not be on a scale that could be considered to be bulk/massive and disproportionate).
From a practical standpoint, the courts do appear to take care to limit their orders to data which are relevant for the specific individual/group/organization or the criminal offence/action of interest in question, and bulk data demands are generally considered disproportionate.
VI. Independent Oversight and Prior Approval
Although the laws described under V. above provide the authorities with broad investigative powers, they also introduce several layers of oversight and supervision over the authorities’ activities, such as by the courts. Court orders are often required before the authorities can proceed. The Serbian DPA also plays an important role. Under Serbian law, both the DPA and the Serbian courts are formally independent state authorities, although in practice this depends on the actual individuals assuming key positions within them.
The DPA has the general power to obtain any information in possession of the state authorities and other entities, issue warnings where their processing operations are infringing the DP Law, order the authority/entity to bring these operations into compliance with the DP Law, as well as impose a temporary or definitive limitation or ban on data processing. The only exception concerns the courts, as the DPA is not authorized to supervise the processing operations of courts when they are acting in their judicial capacity.
There are also some mechanisms in place for high-level review of the legitimacy of the actions of Serbian law enforcement authorities and national security agencies. However, these mechanisms do not focus specifically on whether authorities' powers to access personal data have been exceeded.
VII. Transparency
The CP Code, EC Law, SIA Law and MSA/MIA Law are all publicly available.
No official information is publicly available on the frequency/number of access requests and/or type of access requests for disclosure of or direct access to data by Serbian law enforcement authorities or national security agencies.
Whether a data importer in Serbia which receives a request from law enforcement authorities or national security agencies to provide access to personal data is permitted to disclose the fact/scope of that request (a) to the individual to whom the data relates; and/or (b) to the relevant data exporters depends on the circumstances (including factors such as the purpose(s) of the processing and legal ground(s) of the authorities requesting the access to the data). Secrecy is often expressly required because of the nature of the activities.
VIII. Individual Remedies for Breach of Laws
If their data have been accessed contrary to the law, data subjects (including both Serbian residents/citizens and foreign citizens) are entitled to:
- file a complaint with the Serbian DPA (including in relation to public disclosure/surveillance activities);
- file a complaint against any authority issuing a problematic demand/order, to be submitted to its superior or other competent person (i.e. to the president of the relevant court/the Public Prosecutor’s office/Ministry of Interior Affairs, or director(s) of the national security authority/ies), which are then required to investigate the matter and take the requisite action to bring the authority’s activities in line with the law; and/or
- go to court for an order that any authority accessing personal data contrary to law cease any such access, as well as to claim for compensation for any losses incurred.
Under the DP Law, data subjects may request access to, and deletion or correction of, personal data held about them by law enforcement/national security authorities, as well as to ask for information about whether any processing is performed by those authorities. However, such rights can be restricted or denied under certain circumstances expressly provided by law (for example, if necessary to avoid the obstruction of an investigation or on national security grounds etc.).
SAFEGUARDS
I. Technical & Organisational Safeguards
Adobe’s relevant Technical Measures are as follows:
- The Technical and Organisational Measures for Adobe Cloud Services here: www.adobe.com/go/CloudSvcsTOSM.
- Adobe Certifications and Security White Papers.
These measures include encryption of restricted data sets in transit over public networks, typically using HTTPS with TLS v1.2, and encryption at rest using 256-bit AES. Key management measures differ depending on the Adobe product.
Adobe’s Organisational Measures include those set out in its Transparency Report and Law Enforcement Guidelines, which describe Adobe’s approach to access requests from government and law enforcement and its user notice policies. Unless legally prohibited from doing so, Adobe commits to redirect requests pertaining to business customers and gives notice (enclosing a redacted copy of the request) whenever a government agency seeks access to their information.
Adobe also has comprehensive internal data protection policies which address broader data protection principles such as data minimisation.
II. Contractual Safeguards
Adobe requires all those who process European personal information on its behalf to execute a data processing agreement that is no less protective than that which it signs with its business customers.
The P-P SCCs have been incorporated into the relevant service providers’ data processing agreements with Adobe, including appropriate supplementary measures.
E. UNITED STATES
DESCRIPTION OF TRANSFERS
I. Summary
Customer personal data will be transferred to Adobe affiliates in the U.S. as follows:
- Business Contact Data is transferred because Adobe uses common systems (including for customer management purposes), and these systems are procured by Adobe Inc. Adobe affiliates in the U.S. use these systems to perform customer support functions on behalf of Adobe affiliates based in the EEA.
- Personal data contained in Customer Content and Customer Data may be accessed when Adobe affiliates in the U.S. provide customer support on behalf of Adobe affiliates based in the EEA.
- Customer Content and Customer Data is transferred when Adobe hosts products and services in the U.S. as listed on Adobe's List of Sub-Processors.
Please see our Transparency Report for details of requests from U.S. authorities seeking access to user data.
The ‘Schrems II’ decision focused on an assessment of a number of US national security laws and determined that certain aspects of these laws provide broad powers to access data, but that the SCCs may enable adequate protection, provided that data exporters take steps to assess risks and mitigate any such identified risks with appropriate safeguards. The updated SCCs published in the Annex to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 provide a basis for transfers that appropriately address the enumerated transfer risks.
Adobe has concluded that the relevant laws that may permit government access to personal data processed by Adobe in the U.S. are subject to clear, publicly available legal rules, adhere to principles of necessity and proportionality, and contain significant safeguards, protections, and remedies for data subjects.
These laws are part of an established system of rule of law that is based upon a constitutional framework of checks and balances and recognizes fundamental privacy rights. However, acknowledging the Schrems II decision and to address any residual risks, Adobe has implemented various contractual, organisational, and technical safeguards and measures – including, among other things, robust policies for vetting and challenging government requests, and various encryption protocols.
II. Personal Data Affected
The personal data transferred to the U.S. is contained in the following data categories:
Business Contact Data (user related)
- Name, contact details, organisational name and contact details, credentials received from social networking sites.
- Information processed to deliver services (e.g., IP address, device and browser type, account ID information) or about a user’s interaction with Adobe online.
- Details of the marketing promotions which have been sent to, or viewed by, the recipient and how the recipient interacted with these.
- For users who are individuals: date of birth, details of services supplied and eligibility for discounted services, billing, and payment information.
Customer Content as defined in the Adobe General Terms and Terms of Use:
- Personal details and contact information including name, address, email address, title, position, contact information, social profile information, IP address, unique user IDs (such as cookie IDs) and marketing profiles.
- Documents and Content: Documents, images, and content uploaded to the Adobe Cloud services in electronic form which may contain any type of personal data.
Customer Data as defined in the General Terms (enterprise customers only).
LEGAL ASSESSMENT
I. General Approach to the Rule of Law and Respect for Human Rights
The U.S. Constitution and its amendments provide broad privacy and civil rights protections and establish the basis for a strong rule of law with separate branches of government: the legislative, the executive and an independent judiciary. Privacy rights are enshrined in various constitutional amendments, including: the First Amendment, which among other things, protects the right to free speech and peaceful assembly and protects privacy against certain forms of governmental intrusion; the Fourth Amendment, which protects against unreasonable searches and seizures by the government; and the Fifth Amendment, which provides the right to due process of law and the right not to be compelled to incriminate oneself. As over 100 years of constitutional jurisprudence make clear, the protection of privacy rights is fundamental to U.S. law, and governmental interference with those rights must be strongly restricted. The U.S. Congress has also passed many sectoral laws that protect privacy rights and the other fundamental freedoms, some of which, noted below, specifically impose limitations on government interference with or access to personal data.
The U.S. federal system of government further enables the states to go above and beyond the protections for fundamental privacy at the federal level. Numerous states explicitly recognize the right to privacy in their state constitutions and several states have enacted comprehensive data protection laws designed to protect the fundamental right to privacy. For example, California – a state that is home to a large number of U.S. providers (including Adobe) – has enacted a sweeping data protection law that contains many similarities to the GDPR.
Additionally, U.S. courts have recognized certain fundamental common-law privacy rights which are enforceable against private persons and entities.
II. National Data Protection Law and Independent Supervisory Authority
The U.S. does not have a general, federal data protection law. However, as noted above, some states such as California have introduced comprehensive data privacy laws that offer similar protections to the GDPR.
The U.S. court system is the primary mechanism for oversight of privacy protections, including in the criminal and national security contexts.
III. Identification of the Laws that Allow Government Access to Personal Data
The mechanisms that may authorize the U.S. government to obtain data from service providers are found in the following laws:
- The Electronic Communications Privacy Act, 1986 (“ECPA”), which is comprised of the Stored Communications Act, the Pen Register and Trap and Trace Act, and the Wiretap Act (18 U.S.C. § 2510 et seq.),
- The Foreign Intelligence Surveillance Act (“FISA”) (50 U.S.C. § 1801 et seq.), and
- Any authority applicable to national security letters (“NSLs”) (18 U.S.C. § 2709).
Although it was discussed in the CJEU’s Schrems II decision, Executive Order 12333 (“EO 12333”) does not authorize the U.S. government to compel companies like Adobe to produce any data or information. Instead, EO 12333 is a “general organizing directive” that places restrictions on the activities of U.S. intelligence agencies and spells out those agencies’ roles and responsibilities. See U.S. Dep’t of Commerce, U.S. Dep’t of Justice, and ODNI, Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (“Joint White Paper”), at 16 (Sept. 2020). Additionally, EO 12333 is primarily relevant for U.S. intelligence operations outside of the U.S., meaning that EO 12333 has virtually no practical importance for Adobe’s processing of data within the U.S. Adobe utilizes various encryption protocols to shield data against access while in transit, thereby minimizing any theoretical risks posed by EO 12333 to customer data in transit from Europe to the U.S.
IV. Proportionality Assessment of Rights to Access
The laws permitting the U.S. government to obtain data from providers like Adobe are justified by legitimate objectives, and serious forms of interference are generally restricted to serious objectives. Furthermore, the exact legal standards that the U.S. government must satisfy for each request effectively require necessity and proportionality.
Access in the criminal context pursuant to the authorities within ECPA must be justified by the need to investigate and counter crime and requires heightened levels of protection the more serious the interference with privacy. Surveillance under FISA is restricted to serious objectives and specific types of targets to avoid overbroad collection, and requires minimization. FISA requests—including requests issued under FISA Section 702—must generally be targeted to individual data subjects, meaning that surveillance should not occur in a massive or disproportionate fashion. Minimization rules applicable to FISA surveillance serve to further prevent disproportionate collection. In the Schrems II decision, based on the record before it, the CJEU questioned whether the U.S. government’s powers under FISA Section 702 are sufficiently proportionate. However, based on Adobe’s in-depth assessment of the laws and practices applicable to the U.S. government's use of FISA Section 702 (which includes extensive information declassified following the issuance of the Schrems II decision), we have concluded that the government’s use of FISA Section 702 is subject to numerous controls that are adhered to in practice, including various encryption protocols.
V. Independent Oversight and Prior Approval
Most of the powers above require prior approval by a court, with highly limited exceptions:
- Under ECPA, requests for basic subscriber information (“BSI”) – a highly limited subset of less-sensitive personal data – can proceed without prior judicial authorization (but are subject to ongoing supervision and ex-post challenge before independent courts).
- NSL requests can be authorized by a high-ranking official within the FBI. However, the types of personal data available through an NSL request are extremely limited and not particularly sensitive.
- Individual targeting decisions under FISA Section 702 can proceed without prior court authorization. However, the government’s use of FISA Section 702 is subject to robust review and oversight, which includes concurrent Department of Justice review for each individual targeting decision in accordance with a certification approved by the independent Foreign Intelligence Surveillance Court (“FISC”), and subsequent oversight and monitoring by the FISC, various congressional authorities, and by an independent expert body, the Privacy and Civil Liberties Oversight Board (“PCLOB”).
VI. Transparency
Typically, providers may notify individuals of requests for their personal data. However, there are exceptions where notice could lead to certain harms or undermine the effectiveness of an investigative tool.
For the most serious interferences, applicable law and guidance limit the extent to which notice may be withheld and, absent exceptional circumstances, place limits on the duration of the prohibition on user notice. Additionally, providers are able to publish robust statistical reports on the requests that they receive, as Adobe does on an annual basis. If an ECPA request seeks the data of a business customer, Adobe also seeks to redirect the request to the business customer.
As is common for countries’ intelligence-gathering authorities globally, FISA requests are classified for national security reasons and ordinarily cannot be disclosed unless they are declassified – on the basis of national security. However, if the government intends to use any information collected under FISA authority in a criminal proceeding, it must notify the data subject and give the data subject an opportunity to bring a challenge. To the extent they receive such requests, providers are also legally entitled to publish regular aggregate reporting on their receipt of FISA Orders, Directives, or NSLs. The government also releases robust reporting on its use of surveillance authorities, which includes aggregate metrics for each type of legal process. As noted in Adobe’s most recent Transparency Report to date, Adobe has not received any form of national-security request, including any requests issued pursuant to FISA.
VII. Individual Remedies for Breach of Laws
Data subjects have a variety of remedies available to them via the courts if their personal data is improperly collected, including through civil actions seeking monetary damages. Providers, data subjects and civil society organisations also frequently challenge the government’s use of various authorities to access data and information, both in the criminal context and national security context. Providers frequently engage in “representational redress” on behalf of their users and can challenge both criminal and national security requests that do not comply with constitutional or statutory protections. In the criminal context, many of these provider-initiated challenges are a matter of public record. Because FISA requests are generally classified, challenges to these requests are less frequently a matter of public record. However, publicly available court decisions – including declassified opinions of the FISC – demonstrate that data subjects, providers, and others do challenge the government’s use of FISA authorities.
Based on the record before it, the CJEU held in its Schrems II decision that data subjects lack an adequate remedy in connection with data accessed by the U.S. government under FISA 702.
VIII. Data Subjects’ Right to Access, Erase or Correct Personal Data
The relevant U.S. laws discussed above do not contain express, free-standing rights permitting data subjects to access, erase, or correct personal data held about them by law enforcement or national security agencies. However, if the U.S. government seeks to introduce such data in proceedings against the data subject, the data subject will have an opportunity to review the data, contest its accuracy, and challenge its collection. Furthermore, providers like Adobe are entitled to notify data subjects of most government requests (with narrow exceptions for circumstances such as where the request is classified for reasons of national security). Consequently, barring exceptional circumstances, data subjects have the means to know what data is being processed and why.
SAFEGUARDS
I. Technical & Organisational Safeguards
Adobe’s relevant Technical Measures are as follows:
- The Technical and Organisational Measures for Adobe Cloud Services here: www.adobe.com/go/CloudSvcsTOSM.
- Adobe Certifications and Security White Papers.
These measures include encryption of restricted data sets in transit over public networks, typically using HTTPS with TLS v1.2, and encryption at rest using 256-bit AES. Key management measures differ depending on the Adobe product.
Adobe’s Organisational Measures include those set out in its Transparency Report and Law Enforcement Guidelines, which describe Adobe’s approach to access requests from government and law enforcement and its user notice policies. Unless legally prohibited from doing so, Adobe commits to redirect requests pertaining to business customers and gives notice (enclosing a redacted copy of the request) whenever a government agency seeks access to their information.
II. Contractual Safeguards
Adobe relies on the SCCs for transferring European personal data out of Europe.
Adobe requires all its vendors who process European personal information on its behalf to execute a data processing agreement that is no less protective than that which it signs with its business customers, and which includes additional supplementary measures.