Lytics’ new government data requests policy keeps customer data ownership where it belongs: With our customers
June 27, 2022

The 2020 holding in Schrems II and requests from our customers created a need for Lytics to directly state how we respond to law enforcement or other government authority requests to disclose any personal information processed by Lytics. This resulted in a new Lytics policy against disclosing customer data to government authorities, whether inside or outside the EU.
Lytics’ newest information security policy, the Lytics Government Data Requests Policy, states how we respond to government requests to disclose any personal information processed by Lytics. The short answer: Lytics has never been asked to disclose data to government authorities, but if we were, we would say that data is not ours to disclose and would oppose disclosure every step of the way.
Our customer’s data is owned by our customer, not by Lytics
Lytics supports our customers in accordance with the contracts we make, and the Lytics Master Subscription Agreement states that our customers are the controllers and owners of their data at all times, where the “Customer shall retain all right, title and interest.”
If a disclosure request ever occurred, Lytics would ask the requesting authority to make the data disclosure request directly to the customer or allow us to contact the customer directly to notify them that a request has been made.
As a general principle, Lytics does not disclose personal information unless we are either under a compelling legal obligation to make such disclosure or there is an imminent risk of serious harm that merits compliance with a disclosure request. And in no event will Lytics transfer personal information to a government authority in a “massive, disproportionate, indiscriminate manner that goes beyond what is necessary in a democratic society.”
You might think Lytics’ Government Data Requests policy came about due to our customers’ concern with various international “bad actors,” and the policy does cover any government data requests from anywhere in the world. But it also applies to requests made by government authorities within the United States.
Currently the United States does not have adequacy under the GDPR
Data originating from the European Union is governed by the General Data Protection Regulation (GDPR), the toughest privacy and security law in the world. The GDPR provides that the transfer of data to a “third country” may take place only if the third country ensures an “adequate” level of data protection (GDPR Article 45).
Under the GDPR, “third country” means basically any country outside the 30 countries in the European Economic Area that have adopted the GDPR, and a third country has an “adequate” level of data protection if the EU Commission has issued an adequacy decision saying it does.
As of March 2021, the Republic of Korea was the latest country to receive an adequacy decision, joining Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the United Kingdom. The United States is noticeably not on that list.
How did “Schrems II” complicate the issue?
Max Schrems is an Austrian national who was a Facebook user. As with other EU Facebook users, Mr. Schrems’ personal data had been transferred for processing from Austria to servers belonging to Facebook Inc. located in the United States (the “third country” in this case).
In 2013, Mr. Schrems lodged a complaint to prohibit those transfers, claiming that the United States government did not offer adequate protection against access by U.S. government authorities. Mr. Schrems wanted a prohibition of future transfers of his personal data from the EU to the United States, especially considering the expanded national security, mass surveillance, and counter-terrorism programs arising in the U.S. in the decade before Mr. Schrems filed his suit. (After all, Mr. Schrems was not just any Facebook customer; he was a law student at the time and is now a lawyer and activist for privacy rights.)
Mr. Schrems’ complaint was at first rejected by the Court of Justice of the European Union on the grounds that the EU Commission had previously found that the United States ensured an adequate level of protection (Decision 2000/5205, “the Safe Harbour Decision”). But the court felt that things had changed considerably in the U.S. since 2000, and, in a judgment delivered on October 6, 2015, known as “Schrems I,” the Court of Justice declared that the “Safe Harbour Decision” concerning the adequacy of the protection provided by the U.S., including the EU-U.S. Privacy Shield, was now invalid.
Schrems I put U.S. data protection adequacy into question, and Mr. Schrems was allowed to reformulate a second complaint, which led to a second decision in 2020 by the Court of Justice, known as “Schrems II”.
In Schrems II, the EU Court of Justice:
- shot down a decision from 2016, now saying that the EU-US “Privacy Shield” could no longer be used to ensure adequacy of data protection (EU Decision 2016/1250), and
- upheld a decision from 2010, saying that data controllers and processors, as contracting parties, could still use “standard contractual clauses” to ensure the adequacy of data protection consistent with GDPR requirements (EU Decision 2010/87).
This is where the new Lytics policy comes in
Schrems II suggested that the U.S. government had too much power to bypass the GDPR with claims of U.S. national security and public interest in law enforcement, “thus condoning interference with the fundamental rights of persons whose data are transferred to that third country [the U.S.]” (See Press Release from the Court of Justice on the case Data Protection Commissioner v Facebook Ireland and Maximillian Schrems).
But without the Privacy Shield in place and without an adequacy decision for the U.S. as a whole, the court held that EU data controllers and third-country processors could still rely on standard contractual clauses between parties to meet the adequacy requirements of the GDPR.
The Lytics Government Data Requests Policy is therefore part of our contractual obligation with our customers to ensure that the adequacy of data protection for our customers’ data is met, and our policy applies to data requests under the GDPR as well as for data requests for customers outside the EU.
Get more information at the Lytics trust center
Lytics believes trust is built on transparency and earned with experience. Since our founding in 2012, we have provided digital marketing solutions based on the thoughtful use of first-party data. We focus on securing customer data, while providing service features to help our customers better meet consumer privacy expectations and comply with applicable law.
To read the new Lytics Government Data Requests Policy, and to read all of our public policies, please visit the Lytics Trust Center, where we highlight some of our data protection safeguards and compliance-enabling service features, including how we meet the sometimes confusing and detailed requirements brought on by the 2020 decision, now known famously and simply as “Schrems II.”