Earlier this month, the European Commission issued its long-awaited, updated ‘Standard Contractual Clauses’ (SCCs). The clauses represent the most frequently used mechanism to transfer personal data from the EU abroad, including to the US.
However, organisations can’t rely on SCCs alone: they must also carry out a case-by-case risk assessment when exporting personal data outside the EU.
How does this impact customers?
The European Commission’s announcement doesn’t change the commitment we have to our customers’ data privacy and security. We are continuously looking for opportunities to update our practices in line with government and industry standards in Europe.
What additional safeguards are available to customers?
Here are some of the initiatives we are working on right now:
Data transfer from the EU
We rely on the new EU Standard Contractual Clauses (SCC) as a data transfer mechanism, and we offer customers additional contractual safeguards in line with the EU Commission’s recommendation; this includes protection for data exporters and redress for data subjects. We are also rolling out such safeguards to our sub-processors.
Every request for disclosure is reviewed by our legal team. These rigorous reviews verify that all requests are legal and within the powers of the requesting public authority.
If, after a careful assessment, we conclude that there are grounds under the law to challenge the request, we exhaust all available remedies to do so. In any event, we are fully committed to inform our customers, unless prohibited by law, of any government request for disclosure of personal data. On top of this, we would use every reasonable effort to redirect the requesting third party to ask for the data directly from our customers.
Finally, we always seek to provide the minimum amount of information permissible when responding to a request for disclosure.
We also protect customer data with the following additional safeguards:
- All customer data is encrypted while in transit and at rest.
  - Enterprise-grade security protocols provide additional security for IP phone calls.
  - All internet-facing portals use HTTPS (e.g., https://service.ringcentral.com).
  - All non-voice customer data is TLS encrypted.
  - Hard phones use digital certificates to establish secure connections when downloading their provisioning data.
- Audit logging
  Audit logs are generated for all systems, devices or applications associated with the access, processing, storage, communication and/or transmission of customer data.
- User authentication
  All users have individual accounts for unique traceability; shared accounts are not typically permitted. User passwords are configured to align with NIST guidance. RingCentral requires multi-factor authentication or two-factor authentication.
- Customer account control
  Customers can manage account policies, including the following:
  - Role-based access controls can be customised, or customers can use one of our standard, ready-to-use roles.
  - Audit trails track configuration changes, login attempts, phone number changes, admin/employee settings and permissions.
  - Single Sign-On (SSO): customer admins can define policies to enforce unique controls for each individual SSO application.
- Toll fraud mitigation control
  Access controls, detection controls and usage throttling prevent toll fraud. Customers also have granular control over who can make international calls and to where.
- Multi-tenancy model
  Our multi-tenant architecture ensures a high degree of isolation so that one customer’s data is never available to another customer. We use this architecture together with dynamic database views to form application-layer boundaries between customer instances.
What can customers expect next?
We’ve reviewed our law enforcement access policy and will be publishing the first transparency report in the coming weeks. The report will clearly state how many law enforcement requests we received in the previous year, from which countries, and which type of data we provided.
RingCentral continues to prioritise European data centre infrastructure. Our European data centres allow European agencies and governments to move faster and embrace cloud technology.
We hope to enable more organisations to take advantage of cloud communications to enhance the customer experience while controlling their data. Our data centres in Germany, the Netherlands, the UK and Switzerland remove barriers to innovation for industries with high data security requirements and provide in-Europe failover. This includes the same 99.999% uptime trusted service level agreement that customers expect.
The promise of a new framework
This time last year, the EU Court of Justice declared the EU-US Privacy Shield invalid, meaning it was no longer possible to rely on the Privacy Shield framework to transfer personal data to the USA. A year on, it’s encouraging to see ongoing discussions between the European Commission and US government to build a new framework for personal data that is transferred across the Atlantic.
While we are optimistic for a government resolution in the near future, we will not become complacent.
As a provider of cloud services for the European market, we align our practices with the requirements of the EU General Data Protection Regulation (GDPR). RingCentral also continues to strengthen its European footprint and proudly takes the lead in understanding how to serve EU residents – we will remain firmly on this path.
Originally published Jun 11, 2021, updated Jun 15, 2021