Transfers of EU personal data to the US and other third countries have long been an area of concern for privacy-conscious EU customers and EU data protection authorities. On July 16, 2020, these concerns came to the fore again when the Court of Justice for the European Union (CJEU) ruled on Schrems II. While Twilio has already taken significant steps to ensure data we process is adequately safeguarded wherever in the world we process it (including, among other things, our Binding Corporate Rules and issuing semi-annual transparency reports), we know that this ruling raises important questions about the impact it may have on your business.
We’re excited to share the following details for how Twilio is taking further action to give customers greater control over personal data transfers, and we’re committed to providing updates on a quarterly basis.
As regions, like Europe, continue to lead in the development of comprehensive privacy and data protection regulation, we continue to anticipate that similar privacy and data protection regulations will soon become more common around the world. The CJEU decisions have only accelerated Twilio’s work. Our teams are actively working on a broad regional strategy that will expand our global infrastructure into EU data centers and update internal processes to further mitigate the concerns raised by the CJEU in relation to cross-border data flows as well as other limitations customers may face in relation to transferring personal data out of the EU.
This will be an iterative process, but there are three core efforts actively underway:
- We’re enabling you to keep your users’ EU personal data in the European Union.
Twilio customers will have control over where their data is physically stored, enabling them to keep EU personal data entirely within the EU region, both at rest and in transit.
- We’re implementing additional security controls, restricting Twilio personnel from accessing EU personal data without appropriate permissions.
Non-EU employees of Twilio will be unable to access EU personal data without explicit permission from an EU entity. This includes implementing controls ensuring that only pseudonymized data is transferred to Twilio systems within the US, while also further expanding our enterprise access control system to enhance oversight and control over access to EU personal data.
- We’re implementing additional legal safeguards for EU customers who contract with Twilio.
Twilio will be updating our contracts to ensure that new EU customers are contracted through our entity in the EU by default. We will also be providing ways for current EU customers to contract through our EU entity upon request.
What we’re delivering in 2021
What we plan to deliver this year represents a significant stride towards helping address customer concerns associated with cross-border transfers of EU personal data; however, we plan to approach this process in stages.
Throughout the first half of 2021, Twilio is piloting our initial regional offering, beginning with our Voice and Messaging products. The Messaging channels that will be supported as part of this initial offering are SMS and Chat. In the second half of 2021, we intend to enable these channels within our regional Ireland entity. Following this, we will continue work to incorporate additional Twilio products in 2022.
It's important to note that during 2021, our primary focus for our initial channel offering will be to isolate customers' end-user data, such as message detail records or call detail records and audio recordings - data for which we act primarily as a processor under GDPR. We will continue to work towards regionalization of other non-end-user operational data, such as billing and invoicing, support, regulatory compliance, and business analytics information, in 2022.
We’re dedicated to keeping you informed
Transparency is core to Twilio’s mission of being the world’s most trusted customer communications platform. We are committed to providing additional updates on a quarterly basis as we continue to work aggressively towards the delivery of a broad, regional infrastructure.