EU- U.S. Data Privacy Framework (DPF) & International Data Transfers

Update: As of October 12, 2023 the New Relic certification under the EU-U.S. Data Privacy Framework (including the Swiss- U.S. Privacy Framework and the UK Extension to the DPF) has been formally approved by the United States Department of Commerce. This means that personal data from the EU, the UK and Switzerland can be transferred from those locations by New Relic customers to New Relic in the U.S. The DPF replaces the Privacy Shield and like Privacy Shield, personal data can be transferred to companies in the U.S. without the need to enter into additional data transfer mechanisms such as the Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Background to Schrems II

New Relic is here to deliver data for engineers. In doing so, we want you to have every confidence that your data will be processed by New Relic securely and in accordance with best practices globally. The 2020 Schrems II decision invalidated the Privacy Shield that had long been relied on as the basis for compliance in transfer of personal data from the EU to the United States. We have prepared this post to provide you with information on Schrems II and the EU Commission approved EU- U.S. Data Privacy Framework (for U.S. transfers) and the Standard Contractual Clauses (2021 SCCs) for all international transfers. We also are taking this opportunity to provide details on how New Relic promotes continued compliance with data protection practices to serve our thousands of customers worldwide. If you have further questions, you may contact your account team, or privacy@newrelic.com.

On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that, under the General Data Protection Regulation (GDPR), transfer of personal data from the EU to the US would no longer be authorized under Privacy Shield. This Schrems II decision sent powerful ripples through the business community. Many companies relied on Privacy Shield to transfer data between the EU and the United States. We are committed to maintaining our services and documentation to meet our customers’ evolving global data transfer needs.

Despite the far-reaching impact of Schrems II, the decision did not invalidate the EU Standard Contractual Clauses ​(SCCs) as approved by the European Commission in decision 2010/87/EU for transfer of data outside the EU. Post-Schrems II, the SCCs maintained their status as a valid mechanism for transfer of personal and other data, with some limitations. On June 4, 2021, the European Commission issued a new set of Standard Contractual Clauses (2021 SCCs) for the processing of personal information between data controllers and data processors who are subject to the GDPR.

The updated 2021 SCCs  take into account complex data processing operations that have developed since publication of the 2010 SCCs. The 2021 SCCs contain four different modules so the SCCs can be tailored specifically to reflect the type of transfer being made. For example, the 2021 SCCs address situations where processing involves a transfer of personal data from a processor (as New Relic typically acts) to a (sub)processor.

All contracts from September 27, 2021 forward had to utilize the new 2021 SCCs as their data transfer mechanism. New Relic updated our DPA and applied the 2021 SCCs to meet our customers’ needs (including those of customers subject to the post-Brexit UK SCCs). Our DPA has been updated as of October 2023 to include the new DPF as the transfer mechanism for personal data from the EU, the UK and Switzerland to the United States. Our DPA also utilizes the 2021 SCCs for international data transfers to countries other than the U.S. The updated New Relic DPA has been created in such a way to automatically apply the 2021 SCCs to international transfers to the U.S., should the DPF cease to apply. This means that data transfers to the U.S. would immediately fall back to the 2021 SCCs without our customers needing to sign a new DPA.

Personal data transfer in the context of our focus on telemetry data

New Relic operates in a data- and industry-agnostic B2B environment in which companies send telemetry data about technologies to New Relic. The data we process is typically relevant to assessing technical performance. New Relic services are secure, and New Relic has obtained certifications from independent, third-party auditing organizations, such as SOC2, ISO27001 and HITRUST. New Relic services are designed to receive and process telemetry data on the performance of applications, systems, networks, and infrastructure, and are designed to evaluate the performance of software—not humans. For these reasons, New Relic processes limited personal data, and Schrems II concerns should be evaluated with this context in mind.

All New Relic customers have access to the New Relic platform which is built around the four fundamental telemetry data types necessary for complete and effective system monitoring: metrics, events, logs, and traces ("MELT" data). Our platform and systems ensure secure storage of all customer data for any of these data types. New Relic employs strong technical and administrative security measures to protect customers’ data including, as applicable: encryption in transit, at rest, and at the application level; and FIPS 140-2 encryption for DC to DC connectivity. Our security measures are proportionate to the risks associated with this type of data as required under Article 25 and 32 of GDPR.

Why focus on these four types of data? MELT data helps customers form a fundamental, working knowledge of the relationships and dependencies within their systems—as well as producing detailed reporting on performance and health of their software environments. In the normal course of using New Relic, customers send MELT data. New Relic then works with the customers to reduce risk by providing tools to appropriately limit the data sent to New Relic and to secure the data during and after its transmission.

New Relic browser monitoring and mobile monitoring temporarily process IP addresses for the purpose of deriving a city and state and are then subsequently discarded. With those two limited exceptions, by default, New Relic’s agents for metrics, events and traces do not collect any personal data.

Logs are treated differently due to the nature of their content. Unlike metrics, events and traces, logs consist of unstructured data generated by the customer’s various systems and largely from and about those systems. Systems that are designed to process personal data are likely generating logs that will contain personal data. Monitoring those systems with New Relic may cause New Relic to collect such personal data in logs on your behalf. Our log management service employs automatic obfuscation for certain data elements, such as credit card numbers and social security numbers as described on our security page. You can configure drop filters to prevent sensitive or personal data from being stored in New Relic.

We have also made it easy to cease the transmission of personal data through logs. If you prefer not to have your logs processed by default, New Relic makes it easy to quickly turn off logs from the APM agents at the New Relic account level through a toggle switch in the New Relic user interface (UI) available to all customers.  With this control enabled, no personal data will be transmitted through logs.

Is your data of interest to surveillance agencies?

Schrems II raised many data privacy questions. We would encourage our customers to ask themselves: Are surveillance agencies likely to be interested in data about the performance of my software or hardware? While data surveillance defense may be fundamentally important, not all data is useful (or even readable) to intelligence agencies. We encourage our customers to evaluate the nature and format of the telemetry data they choose to send to New Relic for processing, and to make any needed adjustments. The New Relic platform allows you to transmit whichever data you choose, but this will always be within your control. If that data is likely to be of interest to national surveillance agencies, would the data also be within the realm of the personal data implicated in Schrems II? If you have any concerns about a particular subset of data that you transmit or intend to transmit to our service, then you can cease the transmission of that subset of data. However, the recent granting by the EU Commission of an adequacy decision in respect of the EU-U.S. DPF means that some of the Schrems II concerns about the United States as a data transfer destination have been alleviated.

Key Points of the DPF

The DPF introduces new binding safeguards to address all the concerns raised by the CJEU, including limiting access to EU data by U.S. intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that U.S. companies importing data from the EU will have to subscribe to. EU individuals will benefit from several redress avenues in case their data is wrongly handled by U.S. companies. This includes free of charge independent dispute resolution mechanisms as well as an arbitration panel. These new safeguards put in place by the U.S. will also facilitate transatlantic data flows in the broader sense, since they also apply when data is transferred by using other tools, such as the 2021 SCCs and binding corporate rules (BCRs). New Relic’s DPF certification under the EU-U.S. DPF also incorporates the Swiss- U.S DPF and the UK Extension to the DPF to facilitate transfers to the U.S. from Switzerland and the UK respectively.

What would New Relic do in response to the type of surveillance request anticipated by Schrems?

As documented in the CJEU abstract, the core of the original Schrems complaint was a challenge to national surveillance agency access to personal data of EU residents for US surveillance purposes. As a US-based company, New Relic is subject to US laws, but we have never received a request for customer data from a national surveillance agency. Section 14 of our pre-signed DPA explains how New Relic would process law enforcement requests pertaining to personal data should a national security agency contact us seeking customer data.

Our pre-signed DPA commits New Relic to certain processes if this type of request should ever occur. Under our DPA terms, New Relic will redirect the surveillance agency to request that data directly from the relevant New Relic customer. If New Relic is ultimately compelled to disclose personal data to that surveillance agency, New Relic will provide the customer with notice of the request to allow the customer to seek a protective order or other appropriate remedy unless (and only as long as) New Relic is legally prohibited from notifying the customer.

These issues are critical to consider and to manage, but are balanced by the fact that the telemetry data our customers rely on to optimize observability is generally irrelevant to surveillance agencies. Most personal data processed by New Relic is only ancillary to its primary purpose, and we do not maintain personal records that would be of interest to surveillance agencies.  Finally, the highly customizable nature of the New Relic software allows customers to control at all times whether or not they transmit personal data to New Relic and to cease or adjust transmission of data if their analysis indicates valid surveillance concerns.

How do we meet our obligations to you and your customers under GDPR?

The security of your data is of the utmost importance to us. Our dedicated security and privacy teams are passionate about delivering and maintaining a world class security/privacy program. We constantly build on our programs to protect customer data and ensure we are GDPR compliant in the face of evolving security threats and legal obligations.

●  Our compliance programs are independently assessed to confirm that you are choosing a GDPR-compliant service provider: New Relic has obtained certifications from independent, third-party auditing organizations, such as SOC2, ISO27001, and HITRUST. These independent, third-party organizations have reviewed New Relic’s security program against their stringent requirements, and we are proud to list the certifications on our security page. We work with our customers and their procurement teams to answer information security and audit questionnaires that confirm our compliance with its obligations as a data processor.

●  We have implemented robust technical and organizational measures to assist our customers in meeting their compliance needs: Many of our customers are subject to compliance obligations under GDPR, including responding to data subject requests and developing data protection impact assessments. As a data processor, New Relic supports our customers in meeting their data controller (or processor) obligations efficiently and effectively. Customers may submit data subject requests to PersonalDataRequests@NewRelic.com​ or via this form. For more information see New Relic personal data requests.

●  We adapt to anticipate your unique needs: New Relic has restructured our security exhibit to align with the 18 categories in the 2021 Standard Contractual Clauses to make your review of our safeguards easier. New Relic provides security in accordance with industry-accepted standards described here and security for the personal data it processes as described in the data processing addendum. Additionally, New Relic makes an EU-based data center available to customers that require their data be stored in the EU.

●  Each of us commits to keeping your data confidential: Our information security team continues to ensure that we are in line with industry standards and best practices for secure and confidential data processing.  This commitment to confidentiality applies throughout New Relic. All of our employees are committed to confidentiality of customer data as a critical condition of their employment with New Relic. Additionally, all of our staff who have access to customer and account data are subject to pre-hire and ongoing background checks.

●  We use only reputable and approved sub-processors: Our sub-processors all undergo rigorous security and privacy assessment from New Relic’s internal security and privacy staff. We conduct thorough due diligence prior to onboarding and ensure that we have the appropriate contractual provisions in place.  We will provide you with advance notification when we plan to add a new sub-processor. At all times New Relic takes responsibility for the work of our sub-processors.

●  We are with you in the event of a data breach: We hold ourselves to the highest standards not only for security to prevent breaches but for compliance in response to a breach. In the event a data breach occurs and your data is affected, we will notify you of the breach in time for you to meet your notification obligations to the supervisory authorities. We will provide you with details of the breach for you to assess the impact it may have upon your organization.

Learn more about our compliance programs and certifications.

Should you sign a DPA when using New Relic?

New Relic is here to deliver data for engineers. You should feel confident in sending us the data you need to achieve full-stack observability. If your particular need requires that you send ancillary personal data to the New Relic platform, you can download New Relic pre-signed DPA with integrated SCCs and consult the Data Processing Addendum FAQ.