Security | July 21, 2020

Cross-border data flows and Privacy Shield


On July 16, 2020, the Court of Justice of the European Union issued a ruling that declared Privacy Shield invalid. Privacy Shield was a program administered by the US Department of Commerce that enabled mParticle and other Privacy Shield participants to transfer EU personal data into the US. This is important because many software companies, including mParticle, may operate some or all of their core infrastructure in data centers hosted within the geographical boundaries of the US. Privacy Shield was one of a few mechanisms available to businesses with EU data to ensure that data was transferred to the US for processing and storage in a privacy-compliant manner. We appreciate that mParticle customers who process EU data may have important questions about the impact of this ruling.

At mParticle, we recognize privacy as a fundamental human right. Since our inception, we have had a strong and continuous commitment towards evolving data protection and supporting privacy legislation and have invested heavily in product features and capabilities that enable our customers to do the same. We believe that this is inherent to the nature of a customer data platform - and it is also deeply rooted in our core values as a company.

Prior to the Court of Justice of the European Union's ruling, we offered our customers the option of using Standard Contractual Clauses (SCCs) and/or the Privacy Shield framework for EU data transfers. Although the July 16th ruling invalidated Privacy Shield, SCCs remain valid. The SCCs are an alternative cross-border data transfer mechanism that we already have in place with some customers.

For our customers whose EU data transfers were already covered by SCCs, nothing needs to be done. For those who were previously covered by Privacy Shield, adopting the EU Standard Contractual Clauses (SCCs) is a prudent path forward.

If you are an mParticle customer looking to incorporate SCCs, your mParticle Customer Success Manager will be in contact with you very shortly to begin the process of incorporating the Standard Contractual Clauses into our current agreement(s) with you. We recognize the possibility that authorities within the EEA may impose additional rules and restrictions with regard to cross-border data transfers, so our privacy team will continue to closely monitor any changes, as well as the evolving discussions following the ruling, in light of requirements with respect to Standard Contractual Clauses, adequate safeguards, and potentially codes of conduct and/or certifications.

mParticle thanks you for your business, and your trust! If you have any questions regarding this ruling and mParticle’s commitment towards evolving data protection and supporting privacy legislation, please get in touch via email.

Additional background information:
