You may have heard or read that the European Court of Justice recently issued a ruling invalidating the EU-U.S. Privacy Shield. Not surprisingly, this has caused concern on both sides of the Atlantic. Despite the decision, however, Twilio customers can continue to use all of our services in full compliance with European law.
The Court’s decision means that one safeguard under which companies were allowed to transfer personal data from the EU to the United States — the EU-U.S. Privacy Shield — no longer exists. However, the Court left the other two available for companies to use.
Twilio has prepared for this scenario well in advance of today’s ruling. Twilio’s Data Protection Addendum anticipated the possibility that Privacy Shield could be struck down and relies on overlapping data transfer safeguards. The Court’s ruling does not nullify Twilio’s primary data transfer mechanisms, Binding Corporate Rules and Standard Contractual Clauses. As a result, Twilio’s ability to do business with European customers or for Twilio customers to process EU personal data remains intact.
Our Binding Corporate Rules are our primary safeguard for data transfers. Twilio’s Binding Corporate Rules have been approved and reaffirmed by European data protection authorities and were not affected by the court ruling. In cases where these rules do not apply, our Data Protection Addendum automatically falls back to Standard Contractual Clauses. Today’s ruling confirms that Standard Contractual Clauses remain a viable transfer safeguard.
Twilio is closely watching for further guidance from EU data protection authorities in light of this decision regarding how to best provide service to customers impacted by it. Further, we are watching closely for any possible changes to any other transnational arrangement in light of the European Court of Justice decision. Nonetheless, as with the EU-U.S. Privacy Shield, Twilio will rely on its already available alternative transfer safeguards, such as its Binding Corporate Rules.
The digital economy is a crucial driver of global economic growth, especially with the recent wave of digital transformation in response to the impact of COVID-19. International transfers of personal data are a key part of the global digital economy. Twilio understands the critical importance of privacy and data protection when it comes to retaining trust in international data transfers.
Trust is a fundamental value for Twilio. To demonstrate our commitment to trust, we extend GDPR-level protections to the personal data we process all over the world. We work tirelessly to deliver a trusted telecommunications ecosystem and support a stable framework for international data transfers. We encourage the continuing efforts of U.S. and EU policymakers to develop such a stable framework for trans-Atlantic personal data transfers. Twilio will always seek to use data transfer mechanisms that guarantee the highest possible level of privacy and data protection.
For additional information, please see our customer support article for more information on the measures that Twilio takes to safeguard customer personal data.
Sheila Jambekar is Vice President and Deputy General Counsel, Privacy and Product for Twilio
Sanford Reback is Vice President, Global Public Policy & Government Affairs for Twilio