<aside> 💡 This page provides information and resources to assist Notion customers with completing their transfer impact assessments.
This page is for informational purposes only. Notion may update or change this page at any time and will update the Last Updated date below when updates or changes are made.
In the European Court of Justice’s ruling in the “Schrems II” case (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18), the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield as a cross-border data transfer mechanism on the grounds that U.S. government surveillance laws do not provide privacy protections that meet EU standards.
The CJEU also determined that transfers of EEA personal data to third countries under the EU Standard Contractual Clauses require an evaluation of whether the government surveillance laws in the recipient country provide privacy protections that meet EU standards. If protections under local laws alone are found to be insufficient, data exporters are required to identify supplementary measures for protecting the personal data that would be sufficient to meet EU standards. The European Data Protection Board has issued recommendations instructing companies to implement such supplementary measures, including conducting transfer impact assessments.
The CJEU identified two U.S. government surveillance laws as impairing the protection of EU personal data processed in the U.S.: FISA 702 and EO 12333.
Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) is a U.S. statute that enables the federal government to require that companies disclose data about individuals located outside of the United States for foreign intelligence purposes. FISA 702 establishes an independent court called the Foreign Intelligence Surveillance Court that reviews and approves government orders for data collection requests.
Executive Order 12333 (“EO 12333”) is a directive to U.S. government intelligence agencies to conduct intelligence collection activities. EO 12333 does not itself authorize U.S. government agencies to compel the disclosure of data. EO 12333 must rely on a statute, such as FISA 702, to collect data.
FISA 702 applies to “Electronic Communications Service Providers.” This term is defined broadly and includes remote computing service providers. Because of this broad definition, it’s possible that Notion technically could be subject to FISA 702, as would most U.S.-based SaaS companies.
However, according to a white paper issued by the White House in 2020, the U.S. government focuses its requests for information under FISA 702 on communications data. The white paper states that most companies do not process the types of data that are of interest to the U.S. government. It states that most companies have never received orders to disclose data under FISA 702 and have never disclosed data to U.S. intelligence agencies.
In practice, it is unlikely that FISA 702 would apply to Notion. Notion does not process communications data and is not a telecommunications provider. Notion only transfers data relating to its customers using the services.
It is also unlikely that EO 12333 would require Notion to disclose data. EO 12333 does not authorize U.S. agencies to compel disclosure of data. Any such disclosure requests would need to be processed under a statute like FISA 702.
As of the Last Updated date below, Notion has not received any requests from U.S. government agencies to obtain personal data. This includes national security requests under FISA 702 as well as requests via court orders and emergency requests.