NetApp Schrems II Approach

NetApp knows that the power of data lies in how easily it can be accessed across an organization. We also know how important it is that data availability does not come at the expense of privacy rights. A recent Court of Justice for the European Union (CJEU) decision, referred to as Schrems II, invalidates the EU-U.S. Privacy Shield, raising good questions about how privacy will be protected in our global, data-based economy. This decision has caused some concern with our customers and partners in the EU about how NetApp handles their personal information in light of the General Data Protection Regulation (GDPR) and this new ruling.


NetApp has long been committed to principle-based privacy practices. We were an early adopter of Binding Corporate Rules as a means of creating enforceable rules for the transfer of personal information from the EU to the United States. These Binding Corporate Rules were approved by our supervisory authority in the Netherlands, and we continue to keep them up to date as our business evolves and transforms. We also offer Standard Contractual Clauses (SCCs) in our Customer Data Processing Addendum. Even before the Schrems II decision, we made this information available online so that our customers and partners could examine our privacy commitments as they made sourcing and partnership decisions.


Although it invalidated the EU-U.S. Privacy Shield, the Schrems II decision upheld the suitability of the SCCs for cross-border data transfers and provided additional information to consider when the SCCs are used. In particular, the CJEU addressed how the adequacy of the SCCs' protection of the privacy rights of EU data subjects might vary according to the jurisdiction of the parties to the SCCs. Despite invalidating the EU-U.S. Privacy Shield on the basis of inadequate judicial protections for EU data subjects under certain national security laws and surveillance programs, the court did not hold that the United States was wholly unsuitable for processing personal data of EU data subjects. Instead, the court provided guidance that entities should assess adequacy according to individual, sector, and regional risks associated with data transfers.


When addressing how the SCCs might be used, the court held that if the European Commission has not made an adequacy decision with regard to a given country, the onus of evaluating adequacy lies with the controllers and processors of personal information in light of the terms of the SCCs. Furthermore, the CJEU recognized that in evaluating adequacy, the parties to the SCCs may consider their business operations, the sector they operate in, and the risk of information processing to data subjects. This evaluation, of course, is not possible unless the parties have transparent access to information about data location, cross-border data transfers, data processing terms, and other information regarding each party’s processing of personal information. NetApp’s approach to earning our customers’ trust through transparent communications will enable these assessments.


Overall, NetApp believes that this is the right direction for personal information processing under SCCs. The CJEU recognizes that digital transformation applies differently to different businesses, and the risk to the rights and freedoms of individuals can vary significantly under different business models. Because NetApp has customers and partners who operate a wide range of business models, each with different risk profiles, we are approaching this new guidance from the CJEU with a growth mindset and as an opportunity to engage with our customers in discussions of privacy best practices. We continually seek to improve access to information and resources relevant to NetApp’s processing of personal data, so that we can move at the speed of global business while still respecting privacy rights. This decision presents us with another opportunity to demonstrate our commitment to our core values of trust and integrity in our handling of customer and employee personal information.


For more information about NetApp’s approach to data privacy, visit our Trust Center.

Beth O'Callahan

Elizabeth O’Callahan is the Deputy General Counsel and Chief Privacy Officer at NetApp. She is responsible for advising the NetApp board and management and overseeing all legal matters related to corporate and securities, M&A, intellectual property, data privacy, corporate compliance, executive compensation, and employment. O’Callahan has been recognized at NetApp and in the legal community for her enterprise mindset, outstanding results achieved in complex litigation and disputes, relentless execution in pursuit of corporate objectives, commitment to diversity and allyship, and effective use of technology in the provision of legal services. Before joining NetApp, O’Callahan served in senior corporate counsel roles, and began her legal career in private practice in Silicon Valley specializing in corporate law and business litigation. She is the recipient of professional awards including the National Diversity Council’s 2020 Leadership Excellence in Technology Award, Corporate Counsel Women of Power and Influence in Law, The Irish Voice 2019 Irish Legal 100, The Silicon Valley Business Journal Women of Influence, The Recorder Women Leaders in Tech Law, Inside Counsel Poised for Prominence, and the YWCA Tribute to Women & Industry Award. O’Callahan serves on the Board of Directors of Bay Scholars, a non-profit organization dedicated to providing educational opportunities and scholarships to low-income students. She lives in the San Francisco Bay Area with her husband and son.
