On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that, under GDPR, transfer of personal data from the EU to the United States will no longer be authorized under Privacy Shield. This decision, called the Schrems II decision, has already sent powerful ripples through the business community as many companies relied on Privacy Shield to transfer data between the EU and the United States. Of additional note is the fact that, according to the US Department of Commerce, the CJEU decision does not relieve organizations such as New Relic of their Privacy Shield obligations. Individuals may therefore continue to file complaints with the Federal Trade Commission (FTC) and/or their local supervisory authorities.
It’s also notable that the CJEU did not invalidate the EU Standard Contractual Clauses (SCC) for transfer of data outside the EU; rather, it reaffirmed them with some caveats. Before anyone succumbs to worries about the impact of these caveats, let’s remember that, as documented in the CJEU abstract, the Schrems complaint was about access to personal data of EU residents for US surveillance purposes. As a US company, New Relic is subject to US laws, but we have not yet received any requests from government surveillance or law enforcement agencies. You can read about how we would process law enforcement requests pertaining to personal data in Section 14 of our pre-signed DPA.
New Relic services are designed to receive and process telemetry data on the performance of applications, systems, and infrastructure, which typically does not contain any personal data. Customers generally send very little additional personal data to our platform, and New Relic acts as a data processor with regard to any data received on behalf of its customers.
Personal data in New Relic
Most personal data in New Relic is only ancillary to its primary purpose, and we do not maintain personal records that would be of interest to surveillance agencies. Customers can use the suggested responder feature in New Relic AI to send limited employee personal data to New Relic so the service performs its alert and recommendations functionality. But, in all cases, customers control whether personal data is sent to New Relic services.
In the broadest context, EU regulators seem to be placing a heavy burden on businesses’ shoulders. But in the context of our service, we want to encourage our customers to evaluate the nature of the telemetry data they choose to send to New Relic and ask themselves: Is the FBI or NSA likely to be interested in data about the performance of your software or hardware? And, if they cared, would that data even be within the realm of the personal data implicated in Schrems? We encourage customers to read the recent white paper published by the U.S. Dept. of Commerce to address these issues.
Furthermore, New Relic employs strong technical and administrative security measures to protect customers’ data—including encryption in transit, at rest, and at the application level, and FIPS 140-2 encryption for data center-to-data center connectivity—all of which are proportionate to the risks associated with this type of data, as required under Articles 25 and 32 of GDPR. Additionally, New Relic makes an EU-based data center available to customers that require their data to be stored in the EU.
Data protection laws and regulations have very important functions, but they are by nature also very broadly written and need to be assessed and interpreted in the context of respect for individuals’ rights. New Relic is here to help you create more perfect software. And, if your particular need requires that you send ancillary personal data to the New Relic platform, you can download New Relic’s pre-signed DPA with integrated SCCs and consult the Data Processing Addendum FAQ.
If New Relic receives requests from law enforcement agencies, New Relic will redirect the law enforcement agency to request that data directly from the relevant New Relic customer. If New Relic is compelled to disclose personal data to that law enforcement agency, New Relic will provide the customer with notice of the request to allow the customer to seek a protective order or other appropriate remedy unless New Relic is legally prohibited from doing so.