At Cisco Meraki, fostering relationships with our customers and partners based on trust is of the utmost importance. We believe privacy is a fundamental right, and the privacy and security of our customers and partners is always Cisco Meraki’s top priority.
On July 16, 2020, in what has come to be known as the “Schrems II decision,” the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework as a valid mechanism to transfer personal data from the EU to the USA in compliance with EU data protection laws. Cisco Meraki has implemented substantial additional safeguards to protect customer and partner data and enable seamless, cross-border data transfers in accordance with current EU privacy requirements.
Background on Privacy Shield and other approved data transfer mechanisms
Prior to this ruling, there were three approved mechanisms permitting the lawful transfer of personal data from the EU to the U.S.:
- EU-US Privacy Shield
- EU Standard Contractual Clauses (A/K/A standard data protection clauses)
- Binding Corporate Rules
Cisco Meraki adheres to the standards of all three transfer mechanisms in order to ensure the protection of our customers’ and partners’ data and to remain in compliance with EU data protection requirements.
The EU-US Privacy Shield is a framework designed by the U.S. Department of Commerce and the European Commission. This framework previously provided participating U.S. companies a means of establishing that their data protection measures were sufficiently adequate to permit lawful transfers of personal data from the EU to the U.S. Cisco Meraki is presently a covered entity under Cisco Systems, Inc.’s Privacy Shield certification. All companies certifying to compliance with Privacy Shield must continue to adhere to the framework’s data protection requirements, which presently remain enforceable under U.S. law.
The Standard Contractual Clauses (SCCs) are specific contractual commitments approved by the European Commission. If adopted in an agreement between a sender of personal data in the EU and a receiver outside the EU or European Economic Area (EEA), SCCs serve as an appropriate safeguard to permit the lawful transfer of personal data between these two parties. The Schrems II decision reaffirms the importance of the SCCs as an essential safeguard for secure international data transfers in the interest of European individuals and businesses. Cisco Meraki and our customers can enter into SCCs through the Cisco Meraki EU Data Processing Addendum, outlined below.
Binding Corporate Rules (BCRs) are legally binding data protection policies, adopted typically by large, multinational companies, or groups of related companies, with a presence in the EEA, allowing intra-organizational transfers of personal data outside the EEA. BCRs must include general data protection principles, and must be enforceable to ensure appropriate safeguards for data transfers. Cisco’s Binding Corporate Rules, which have been approved by applicable Data Protection Authorities, include Cisco Meraki and ensure a high degree of data protection across the organization.
But how can I be sure Cisco Meraki sufficiently protects my data after Schrems II?
Cisco Meraki is committed to protecting the data that our customers entrust to our cloud-hosted service. Privacy and security are foundational to the design of all our products and solutions. You can learn more about Cisco Meraki’s systematic approach to data protection, privacy, and security by reviewing our publicly available list of Technical and Organizational Measures taken to ensure the protection of your data.
Cisco Meraki has always provided our customers with the ability to electronically enter into our Cisco Meraki Data Processing Addendum (DPA). Our DPA outlines Cisco Meraki’s commitments to safely process the data of our European customers. Under the Cisco Meraki DPA, customers can also enter into the SCCs, providing an approved method for secure international data transfers. Furthermore, Cisco’s approved Binding Corporate Rules cover any international transfer of personal data within the Cisco enterprise where we act as controller (e.g., human resources data, administrative data, billing information, customer relationship management data).
Our customers and partners can take comfort in the fact that Cisco Meraki processes data with transparency, fairness, and accountability. How we handle customer data is outlined in detail in our Privacy Data Sheet (PDS), which we are happy to provide upon request. Our PDS illustrates the limited personal data Cisco Meraki collects as a result of our Out of Band Control Plane, which ensures that only network management traffic (not user data) flows to Meraki servers, and describes how we process that data and the security measures implemented to protect it. Our publicly available Meraki Cloud Architecture document further describes how we have built security and privacy by design into the Cisco Meraki cloud platform and discusses where personal data is processed and stored. We invite you to take a look at our GDPR and Trust pages for further information in this respect.
Cisco also publishes a Transparency Report twice a year, disclosing the number of law enforcement and intelligence agency requests Cisco receives for customer data around the world. All such demands are subject to Cisco’s principle-based review, whereby they will be thoroughly and individually scrutinized to balance the needs of law enforcement and privacy. In these instances, we seek first to inform the customer of any such request and involve the customer in responding.
As the legal and political landscape around the protection of personal data in Europe continues to evolve, we have focused resources and efforts to ensure all customer data, including personal data, is secure with privacy properly respected. We will continue to provide updates on our efforts via Cisco Meraki’s website at: http://meraki.cisco.com/trust and Cisco’s website at: http://trust.cisco.com.
For more information on this subject, please reach out to your Cisco Meraki representative.