NetApp and Schrems II: Our Approach Under the Recent CJEU Holding

NetApp knows that the power of data lies in how easily it can be accessed across an organization. We also know how important it is that data availability does not come at the expense of privacy rights. A recent Court of Justice for the European Union (CJEU) decision, referred to as Schrems II, invalidates the EU-U.S. Privacy Shield, raising good questions about how privacy will be protected in our global, data-based economy. This decision has caused some concern with our customers and partners in the EU about how NetApp handles their personal information in light of the General Data Protection Regulation (GDPR) and this new ruling.

NetApp has long been committed to principle-based privacy practices. We were an early adopter of Binding Corporate Rules as a means of creating enforceable rules for the transfer of personal information from the EU to the United States. These Binding Corporate Rules were approved by our supervisor authority in the Netherlands, and we continue to keep them up to date as our business evolves and transforms. We also offer Standard Contractual Clauses (SCCs) in our Customer Data Processing Addendum. Even before the Schrems II decision, we made this information available online so that our customers and partners could examine our privacy commitments as they made sourcing and partnership decisions.

Although it invalidated the EU-U.S. Privacy Shield, the Schrems II decision upheld the suitability of the SCCs for cross-border data transfers and provided additional information to consider when the SCCs are used. The CJEU particularly addressed whether the SCCs adequately protected the privacy rights of EU data subjects might vary according to the jurisdiction of the parties to the SCCs. Despite invalidating the EU-U.S. Privacy Shield on the basis of inadequate judicial protections for EU data subjects under certain national security laws and surveillance programs, the court did not hold that the United States was wholly unsuitable for processing personal data of EU data subjects. Instead, the court provided guidance that entities should assess adequacy according to individual, sector, and regional risks associated with data transfers.

When addressing how the SCCs might be used, the court held that if the European Commission has not made an adequacy decision with regards to a given country – the onus of evaluating adequacy lies with the controllers and processors of personal information in light of the terms of the SCCs. Furthermore, the CJEU recognized that in evaluating adequacy, the parties to the SCC may consider their business operations, the sector they operate in, and the risk of information processing to data subjects. This evaluation, of course, is not possible unless the parties have transparent access to information about data location, cross-border data transfers, data processing terms, and other information regarding each party’s processing of personal information. NetApp’s approach to earning our customers’ trust through transparent communications will enable these assessments.

Overall, NetApp believes that this is the right direction for personal information processing under SCCs. The CJEU recognizes that digital transformation applies differently to different businesses, and the risk to the rights and freedoms of individuals can vary significantly under different business models. Because NetApp has customers and partners who operate a wide range of business models, each with different risk profiles, we are approaching this new guidance from the CJEU with a growth mindset and as an opportunity to engage with our customers in discussions of privacy best practices. We continually seek to improve access to information and resources relevant to NetApp’s processing of personal data, so that we can move at the speed of global business while still respecting privacy rights. This decision presents us with another opportunity to demonstrate our commitment to our core values of trust and integrity in our handling of customer and employee personal information.

For more information about NetApp's approach to data privacy, visit our Trust Center.