Okta’s Response to the Court of Justice of the European Union’s Decision on Transfers of Personal Data

Okta is the identity company that stands for trust. We consider the security and privacy of our customers’ data to be foundational elements of our business. Today, we’re updating our customers about their transfers of EU individuals’ personal data to Okta’s service, in light of the July 16, 2020 decision of the Court of Justice of the European Union (“CJEU”).

The CJEU has confirmed the validity of the European Commission’s standard contractual clauses as a legal mechanism for the transfer of EU personal data, but has invalidated the EU-US Privacy Shield framework. Okta’s customers may continue to use our service, relying on the European Commission’s standard contractual clauses (the “SCCs”), which are already included in our Data Processing Addendum. Okta has never self-certified to the now-invalidated Privacy Shield framework.

The CJEU ruled that the decision on the adequacy of the protection provided by the EU-US Privacy Shield is invalid, but that the decision on standard contractual clauses for the transfer of personal data to processors established in third countries is valid. The case, known as Schrems II, affirms the use of the SCCs as a lawful transfer mechanism.

The SCCs are a set of standard contractual terms that provide sufficient safeguards regarding data protection and privacy for the personal data of EU individuals to be transferred from Europe to other countries.

Today’s ruling aligns with Okta’s long-standing position that the SCCs reflect Okta’s strong commitment to ensuring the privacy and security of our customers’ data.

Although the CJEU struck down Privacy Shield, our customers can be assured that they can continue to legally and safely transfer personal data to Okta pursuant to the SCCs without any business interruption. Our Data Processing Addendum, which incorporates the SCCs, along with information regarding Okta’s sub-processors, can be found on our Trust & Compliance Documentation page.

If you have any questions on Okta’s privacy practices or the impact of today’s ruling, please reach out to: [email protected]

This content is provided for informational purposes. It is not intended to provide legal advice. Okta encourages its customers to consult with their own legal counsel to familiarize themselves with the requirements that govern their specific situations. This information is provided as of the date of document publication, and may not account for changes after the date of publication.