How the demise of Privacy Shield affects your New Relic Account

New Relic is here to deliver data for engineers. In doing so, we want you to have every confidence that your data will be processed by New Relic securely and in accordance with best practices globally. The 2020 Schrems II decision invalidated the Privacy Shield that had long been relied on as the basis for compliance in transfer of personal data from the EU to the United States. We have prepared this post to provide you with information on Schrems II and later developments and how these might affect your use of New Relic services. We also are taking this opportunity to provide details on how New Relic promotes continued compliance with data protection practices to serve our thousands of customers worldwide. If you have further questions, contact your account team, or privacy@newrelic.com.

On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that, under the General Data Protection Regulation (GDPR), transfer of personal data from the EU to the US would no longer be authorized under Privacy Shield. This Schrems II decision sent powerful ripples through the business community. Many companies relied on Privacy Shield to transfer data between the EU and the United States. Further complicating the response to Schrems II, the US Department of Commerce has announced that the CJEU decision does not relieve organizations of their Privacy Shield obligations. Today, New Relic continues to comply with its Privacy Shield obligations, which include compliance with regulatory activity of the Federal Trade Commission (FTC). Additionally, New Relic is tracking developments following the March 2022 US announcement of a proposed renewal of Privacy Shield authorization. We are committed to maintaining our services and documentation to meet our customers’ evolving global data transfer needs.

Despite the far-reaching impact of Schrems II, the decision did not invalidate the EU Standard Contractual Clauses ​(SCCs) as approved by the European Commission in decision 2010/87/EU for transfer of data outside the EU. Post-Schrems II, the SCCs maintained their status as a valid mechanism for transfer of personal and other data, with some limitations. On June 4, 2021, the European Commission issued a new set of Standard Contractual Clauses (2021 SCCs) for the processing of personal information between data controllers and data processors who are subject to the GDPR.

The updated 2021 SCCs  take into account complex data processing operations that have developed since publication of the 2010 SCCs. The 2021 SCCs contain four different modules so the SCCs can be tailored specifically to reflect the type of transfer being made. For example, the 2021 SCCs address situations where processing involves a transfer of personal data from a processor (as New Relic typically acts) to a (sub)processor.

The 2010 SCCs are valid under existing contracts until December 27, 2022, but they won't be valid for new contracts signed on or after September 27, 2021. All contracts from September 27, 2021 forward must use the new 2021 SCCs as their data transfer mechanism. New Relic has moved to update our DPA and apply the 2021 SCCs to meet our customers’ needs (including those of customers subject to the post-Brexit UK SCCs. If you have questions about how we apply SCCs, please reach out to your account executive (for existing customers) or privacy@newrelic.com (for prospective customers).

Personal data transfer in the context of our focus on telemetry data

New Relic operates in a data- and industry-agnostic B2B environment in which companies send telemetry data about technologies to New Relic. The data we process is typically relevant to assessing technical performance. New Relic services are secure, and New Relic has obtained certifications from independent, third-party auditing organizations, such as SOC2, ISO27001 and HITRUST. New Relic services are designed to receive and process telemetry data on the performance of applications, systems, networks, and infrastructure, and are designed to evaluate the performance of software—not humans. For these reasons, New Relic processes limited personal data, and Schrems II concerns should be evaluated with this context in mind.

All New Relic customers have access to the New Relic platform which is built around the four fundamental telemetry data types necessary for complete and effective system monitoring: metrics, events, logs, and traces ("MELT" data). Our platform and systems ensure secure storage of all customer data for any of these data types. New Relic employs strong technical and administrative security measures to protect customers’ data including, as applicable: encryption in transit, at rest, and at the application level; and FIPS 140-2 encryption for DC to DC connectivity. Our security measures are proportionate to the risks associated with this type of data as required under Article 25 and 32 of GDPR.

Why focus on these four types of data? MELT data helps customers form a fundamental, working knowledge of the relationships and dependencies within their systems—as well as producing detailed reporting on performance and health of their software environments. In the normal course of using New Relic, customers send MELT data. New Relic then works with the customers to reduce risk by providing tools to appropriately limit the data sent to New Relic and to secure the data during and after its transmission.

New Relic browser monitoring and mobile monitoring temporarily process IP addresses for the purpose of deriving a city and state and are then subsequently discarded. With those two limited exceptions, by default, New Relic’s agents for metrics, events and traces do not collect any personal data.

Logs are treated differently due to the nature of their content. Unlike metrics, events and traces, logs consist of unstructured data generated by the customer’s various systems and largely from and about those systems. Systems that are designed to process personal data are likely generating logs that will contain personal data. Monitoring those systems with New Relic may cause New Relic to collect such personal data in logs on your behalf. Our log management service employs automatic obfuscation for certain data elements, such as credit card numbers and social security numbers as described on our security page. You can configure drop filters to prevent sensitive or personal data from being stored in New Relic.

We have also made it easy to cease the transmission of personal data through logs. If you prefer not to have your logs processed by default, New Relic makes it easy to quickly turn off logs from the APM agents at the New Relic account level through a toggle switch in the New Relic user interface (UI) available to all customers.  With this control enabled, no personal data will be transmitted through logs.

Is your data of interest to surveillance agencies?

Schrems II has raised many data privacy questions. We would encourage our customers to ask themselves: Is the FBI or NSA likely to be interested in data about the performance of my software or hardware? While data surveillance defense may be fundamentally important, not all data is useful (or even readable) to intelligence agencies. We encourage our customers to evaluate the nature and format of the telemetry data they choose to send to New Relic for processing, and to make any needed adjustments. The New Relic platform allows you to transmit whichever data you choose, but this will always be within your control. If that data is likely to be of interest to national surveillance agencies, would the data also be within the realm of the personal data implicated in Schrems II? If you have any concerns about a particular subset of data that you transmit or intend to transmit to our service, then you can cease the transmission of that subset of data. 

The white paper published by the US Dept. of Commerce addresses these threshold issues.

What would New Relic do in response to the type of surveillance request anticipated by Schrems? As documented in the CJEU abstract, the core of the original Schrems complaint was a challenge to national surveillance agency access to personal data of EU residents for US surveillance purposes. As a US-based company, New Relic is subject to US laws, but we have never received a request for customer data from a national surveillance agency. Section 14 of our pre-signed DPA explains how New Relic would process law enforcement requests pertaining to personal data should a national security agency contact us seeking customer data.

Our pre-signed DPA commits New Relic to certain processes if this type of request should ever occur. Under our DPA terms, New Relic will redirect the surveillance agency to request that data directly from the relevant New Relic customer. If New Relic is ultimately compelled to disclose personal data to that surveillance agency, New Relic will provide the customer with notice of the request to allow the customer to seek a protective order or other appropriate remedy unless (and only as long as) New Relic is legally prohibited from notifying the customer.

These issues are critical to consider and to manage, but are balanced by the fact that the telemetry data our customers rely on to optimize observability is generally irrelevant to surveillance agencies. Most personal data processed by New Relic is only ancillary to its primary purpose, and we do not maintain personal records that would be of interest to surveillance agencies.  Finally, the highly customizable nature of the New Relic software allows customers to control at all times whether or not they transmit personal data to New Relic and to cease or adjust transmission of data if their analysis indicates valid surveillance concerns.

How do we meet our obligations to you and your customers under GDPR?

The security of your data is of the utmost importance to us. Our dedicated security and privacy teams are passionate about delivering and maintaining a world class security/privacy program. We constantly build on our programs to protect customer data and ensure we are GDPR compliant in the face of evolving security threats and legal obligations.

●  Our compliance programs are independently assessed to confirm that you are choosing a GDPR-compliant service provider: New Relic has obtained certifications from independent, third-party auditing organizations, such as SOC2, ISO27001, and HITRUST. These independent, third-party organizations have reviewed New Relic’s security program against their stringent requirements, and we are proud to list the certifications on our security page. We work with our customers and their procurement teams to answer information security and audit questionnaires that confirm our compliance with its obligations as a data processor.

●  We have implemented robust technical and organizational measures to assist our customers in meeting their compliance needs: Many of our customers are subject to compliance obligations under GDPR, including responding to data subject requests and developing data protection impact assessments. As a data processor, New Relic supports our customers in meeting their data controller (or processor) obligations efficiently and effectively. Customers may submit data subject requests to PersonalDataRequests@NewRelic.com​. For more information see New Relic personal data requests.

●  We adapt to anticipate your unique needs: New Relic has restructured our security exhibit to align with the 18 categories in the 2021 Standard Contractual Clauses to make your review of our safeguards easier. New Relic provides security in accordance with industry-accepted standards described here and security for the personal data it processes as described in the data processing addendum. Additionally, New Relic makes an EU-based data center available to customers that require their data be stored in the EU.

●  Each of us commits to keeping your data confidential: Our information security team continues to ensure that we are in line with industry standards and best practices for secure and confidential data processing.  This commitment to confidentiality applies throughout New Relic. All of our employees are committed to confidentiality of customer data as a critical condition of their employment with New Relic. Additionally, all of our staff who have access to customer and account data are subject to pre-hire and ongoing background checks.

●  We use only reputable and approved sub-processors: Our sub-processors all undergo rigorous security and privacy assessment from New Relic’s internal security and privacy staff. We conduct thorough due diligence prior to onboarding and ensure that we have the appropriate contractual provisions in place.  We will provide you with advance notification when we plan to add a new sub-processor. At all times New Relic takes responsibility for the work of our sub-processors.

●  We are with you in the event of a data breach: We hold ourselves to the highest standards not only for security to prevent breaches but for compliance in response to a breach. In the event a data breach occurs and your data is affected, we will notify you of the breach in time for you to meet your notification obligations to the supervisory authorities. We will provide you with details of the breach for you to assess the impact it may have upon your organization.

Learn more about our compliance programs and certifications.

Should you sign a DPA when using New Relic?

New Relic is here to deliver data for engineers. You should feel confident in sending us the data you need to achieve full-stack observability. If your particular need requires that you send ancillary personal data to the New Relic platform, you can download New Relic pre-signed DPA with integrated SCCs and consult the Data Processing Addendum FAQ.