Schrems 2 Ruling
The European Court of Justice (ECJ) ruled on July 16, 2020, that the EU-US Privacy Shield framework is no longer valid as a means of ensuring adequate protection for transfers of personal data from the European Union to the United States, on the basis that US national security requirements do not meet EU privacy standards.
Importantly, the ECJ also decided that the Standard Contract Contractual Clauses (SCCs) are a valid transfer mechanism.
The ECJ deferred to national EU data protection supervisory authorities to determine the lawfulness of transfers to countries such as the US where the ECJ has determined there is a conflict between national laws and EU data protection laws.
This post advises Auth0 customers who process EU personal data of the likely immediate effects of the Schrems 2 decision on their use of the Auth0 Platform.
European Customer Data is Stored in the EU
Unless a European customer has opted to establish its Auth0 tenant(s) in an AWS region outside the EU, the data of Auth0's European customers is stored on AWS infrastructure located in the AWS EU region (Germany, with failover to the Republic of Ireland). This means that this data is not transferred out of the EU – in other words, the Schrems 2 decision has no effect on this data, and customers will not need to make any changes. This applies both to Auth0's public cloud customers and private cloud customers.
As disclosed in our contracts with our customers, Auth0 conducts some limited processing of personal data outside the EU. This involves:
Management dashboard: For public cloud customers, Auth0 may temporarily process tenant data in the US for display on the Auth0 Management Dashboard. Dashboard web servers are located in the US. This data is not automatically transferred but is only served up when a tenant dashboard administrator requests it for viewing. When this occurs, the data itself is ephemeral, is not permanently stored on these systems, is fully encrypted during transit, and is only used to display information on the dashboard to the requesting administrator. This data can include any information that can be viewed through the Auth0 Management Dashboard, which typically includes the user's e-mail address or other UID and basic metadata about that user, such as creation date, last login time, user agent, and the identity provider used. Note that this dashboard processing occurs within the AWS region the customer has selected for its tenant for private cloud customers.
Support tickets and logs: If a customer includes personal data in a support ticket, then this may be viewed by Auth0 support personnel outside the EU. In order to resolve the ticket, Auth0 personnel may review activity logs to help understand the underlying error. Personal data in those logs typically consists of a user ID (e.g., e-mail) and IP addresses.
Auth0's DPA has Triggered the SCCs
For transfers of personal data from the EU to the US, the SCCs will now apply.
Auth0's form of Data Processing Addendum (DPA) anticipates the invalidation of the EU-US Privacy Shield framework as a transfer mechanism. Under Section 6.1 of the Auth0 DPA, Auth0 and customers who are a party to the DPA have agreed that the SCCs will apply in these circumstances. Thus, although Privacy Shield has been invalidated, transfers by Auth0 of European customer personal data are now subject to the SCCs.
Although the DPA contemplates that no further action should be required for the SCCs to apply, we expect to post a pre-signed set of SCCs for customers to countersign early next week. Auth0 customers looking for additional assurance beyond the DPA may use this method to apply the SCCs to transfer their data.
This is an evolving situation, and we will be monitoring developments closely. In particular, we expect the cloud service provider sector to consolidate on an approach to the invalidation of the EU-US Privacy Shield framework over the coming weeks. We expect national EU data protection supervisory authorities to begin to communicate their position on determining the lawfulness of transfers to countries such as the US, where the ECJ has determined there is a conflict between national laws and EU data protection laws.
We will update this blog to reflect key developments – please check in regularly.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.