On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that, under GDPR, transfer of personal data from the EU to the United States will no longer be authorized under Privacy Shield. This decision, called the Schrems II decision, sent powerful ripples through the business community as many companies relied on Privacy Shield to transfer data between the EU and the United States. Of additional note is the fact that, according to the US Department of Commerce, the CJEU decision does not relieve organizations such as New Relic of their Privacy Shield obligations. New Relic still complies with its Privacy Shield obligations, and individuals may therefore continue to file complaints with the Federal Trade Commission (FTC) and/or their local supervisory authorities.
It’s also notable that, at that time, the CJEU did not invalidate the EU Standard Contractual Clauses as approved by the European Commission in decision 2010/87/EU (SCCs) for transfer of data outside the EU. Rather, it reaffirmed them with some caveats. On June 4, 2021, the European Commission issued a new set of Standard Contractual Clauses (2021 SCCs) for the processing of personal information between data controllers and data processors who are subject to the GDPR. The 2010 SCCs will remain valid under existing contracts until December 27, 2022, but will not be valid for new contracts after September 27, 2021. This means that all new contracts from September 27, 2021 must contain the new 2021 SCCs as the data transfer mechanism. It’s also important to remember that, as documented in the CJEU abstract, the Schrems complaint was about access to personal data of EU residents for US surveillance purposes. As a US company, New Relic is subject to US laws, but we have not yet received any requests from government surveillance or law enforcement agencies. You can read about how we would process law enforcement requests pertaining to personal data in Section 14 of our pre-signed DPA.
New Relic services are designed to receive and process telemetry data on the performance of applications, systems, and infrastructure, which typically do not contain any personal data. Customers generally send very little additional personal data to our platform, and New Relic acts as a data processor with regards to any personal data in the customer data received on behalf of its customers.
Personal data in New Relic
Most personal data in New Relic is only ancillary to its primary purpose, and we do not maintain personal records that would be of interest to surveillance agencies. Customers can use the suggested responder feature in New Relic AI to send limited employee personal data to New Relic so the service performs its alert and recommendations functionality. But, in all cases, customers control whether personal data is sent to New Relic services.
But in the context of our service, we want to encourage our customers to evaluate the nature of the telemetry data they choose to send to New Relic and ask themselves: Is the FBI or NSA likely to be interested in data about the performance of your software or hardware? And, if they cared, would that data even be within the realm of the personal data implicated in Schrems? We encourage customers to read the recent white paper published by the U.S. Dept. of Commerce to address these issues.
Furthermore, New Relic employs strong technical and administrative security measures to protect customers’ data—including encryption in transit, at rest, and at the application level, and FIPS 140-2 validated encryption for data center to data center connectivity—all of which are proportionate to the risks associated with this type of data, as required under Articles 25 and 32 of GDPR. Additionally, New Relic makes an EU-based data center available to customers that require their data to be stored in the EU.
Data protection laws and regulations have very important functions, but they are by nature also very broadly written and need to be assessed and interpreted in the context of respect for individuals’ rights. New Relic is here to help you create more perfect software. And, if your particular need requires that you send ancillary personal data to the New Relic platform, you can download New Relic’s pre-signed DPA with integrated SCCs and consult the Data Processing Addendum FAQ.
If New Relic receives requests from law enforcement agencies, New Relic will redirect the law enforcement agency to request that data directly from the relevant New Relic customer. If New Relic is compelled to disclose personal data to that law enforcement agency, New Relic will provide the customer with notice of the request to allow the customer to seek a protective order or other appropriate remedy unless New Relic is legally prohibited from doing so.
The views expressed on this blog are those of the author and do not necessarily reflect the views of New Relic. Any solutions offered by the author are environment-specific and not part of the commercial solutions or support offered by New Relic. Please join us exclusively at the Explorers Hub (discuss.newrelic.com) for questions and support related to this blog post. This blog may contain links to content on third-party sites. By providing such links, New Relic does not adopt, guarantee, approve or endorse the information, views or products available on such sites.