First published to the Twilio blog on February 25, 2021.
Transfers of EU personal data to the US and other third countries have long been an area of concern for privacy-conscious EU customers and EU data protection authorities. On July 16, 2020, these concerns came to the forefront again when the Court of Justice for the European Union (CJEU) ruled on Schrems II. While Twilio has already taken significant steps to ensure data we process is adequately safeguarded wherever in the world we process it (including, among other things, our Binding Corporate Rules and issuing semi-annual transparency reports), we know that this ruling raises important questions about the impact it may have on your business.
We’re excited to share the following details for how Twilio is taking further action to give customers greater control over personal data transfers, and we’re committed to providing updates on a quarterly basis.
As regions, like Europe, continue to lead in the development of comprehensive privacy and data protection regulation, we continue to anticipate that similar privacy and data protection regulations will soon become more common around the world. The CJEU decisions have only accelerated Twilio’s work. Our teams are actively working on a broad regional strategy that will expand our global infrastructure into EU data centers and update internal processes to further mitigate the concerns raised by the CJEU in relation to cross-border data flows as well as other limitations customers may face in relation to transferring personal data out of the EU.
This will be an iterative process, but there are three core efforts actively underway:
- We’re enabling you to keep user EU personal data in the European Union.
Twilio customers will have control over where their data is physically stored, enabling them to keep EU personal data entirely within the EU region, both at rest and in transit.
- We’re implementing additional security controls, restricting Twilio personnel from accessing EU personal data without appropriate permissions.
Non-EU employees of Twilio will be unable to access EU personal data without explicit permission from an EU entity. This includes implementing controls ensuring that only pseudonymized data is transferred to Twilio systems within the US, while also further expanding our enterprise access control system to enhance oversight and control over access to EU personal data.
- We’re implementing additional legal safeguards for EU customers who contract with Twilio.
Twilio will be updating our contracts to ensure that new EU customers are contracted through our entity in the EU by default. We will also be providing ways for current EU customers to contract through our EU entity upon request.
What we’re delivering in 2021
What we plan to deliver on this year represents a significant stride towards helping address customer concerns associated with cross-border transfers of EU personal data; however, we plan to address this process in stages.
Throughout the first half of 2021, Twilio is piloting our initial regional offering, beginning with our Voice and Messaging products. The Messaging channels that will be supported as part of this initial offering are SMS and Chat. In the second half of 2021, we intend to enable these channels within our regional Ireland entity. Following this, we will continue the work to incorporate additional Twilio products, including Twilio SendGrid products, in 2022.
It’s important to note that during 2021, our primary focus for our initial channel offering will be to isolate customers’ end user data, such as message detail records or call detail records and audio recordings—data for which we act primarily as a processor under GDPR. We will continue to work towards regionalization of other non-end user operational data, such as billing and invoicing, support, regulatory compliance, and business analytics information, in 2022.
We’re dedicated to keeping you informed
Transparency is core to Twilio’s mission of being the world’s most trusted customer communications platform. We are committed to providing additional updates on a quarterly basis as we continue to work aggressively towards the delivery of a broad, regional infrastructure.
Ongoing Updates on Twilio’s Response to
Q2 2021 Update
In February, Twilio published our first edition of this blog post, outlining our response to the 2020 ruling from the Court of Justice for the European Union (CJEU) commonly referred to as ‘Schrems II’ and the subsequent guidelines published by the European Data Protection Board (EDPB) in November 2020. Since that time, product and engineering teams across the Twilio platform have accelerated our work to provide our customers with regionalized products and functionality that help you achieve compliance, and reduce cross-border data transfer risk, around the world. In our first edition, we committed to providing proactive updates on a quarterly basis, and we’re excited to share our first update on the work being done towards this effort.
While we’ve greatly accelerated our regional efforts to ensure that customers can respond proactively, we’ve also taken advantage of what we consider to be a unique opportunity to solve for future regulatory shifts once and for all. As we look into Q3, we’re prepared to begin delivering the value created as a result of this work into customers’ hands.
Q3 2021 Update
Through Q2 and into Q3, our teams worked across key product, infrastructure, billing, and data access control initiatives to prepare for our Australia pilot program launch, which went live in September. This pilot features Twilio’s Programmable Voice, Elastic SIP Trunking, and Voice Client SDK products and expands Twilio’s infrastructure into Australia.
The pilot program is a critical step, paving the way for our team to regionalize Twilio within new geographies, particularly in Europe next quarter, while ensuring that every interaction you have with customers delivers the same level of trust and reliability that you expect from the Twilio platform.
As part of this effort, Twilio is introducing data centers in separate and distinct geographic locations to improve resiliency and further mitigate the risk of a single event impacting Twilio services. Ultimately, this enables you to build and operate your most latency-sensitive applications while meeting local data residency requirements.
For customers interested in participating in the Australian pilot, please contact your Twilio account representative for more information on how to get involved.
In addition, we are excited to announce that we’ve operationalized Twilio Ireland as our latest billing and contracting subsidiary. As of August, new European Twilio customers with either a phone number or a billing country in the region are automatically contracted through our Twilio Ireland subsidiary. We are actively working on extending this to existing European customers and will provide updates as we progress. This presents a strong first step in addressing concerns around personal data protection for our customers in Europe.
Timelines for regionalized Twilio products in Europe
In Q4 2021, we will be introducing Twilio Voice, our first publicly regionalized channel within the European region, with data centers in Ireland. In addition, the Conversations API will be available, supporting chat use cases this quarter. This launch will be followed by support for inbound and outbound SMS within the region during the first half of 2022, with additional products like Video, Email, Flex, MMS, and Conversations (SMS and WhatsApp) expected during the second half of the year. Finally, our team is actively working to ensure that the teams supporting other Twilio entities, like Segment (acquired by Twilio in November 2020), are equally equipped to meet the same stringent standards set by our regional teams. The Twilio Segment team has delivered general availability for regional data ingestion in Q2, and will be releasing the Regional Connections and Protocols (which includes data ingestion and storage) as well as Regional Personas, into general availability in the first half of 2022.
|Q3 2021|Q4 2021|H1 2022|H2 2022|
|---|---|---|---|
|• Voice Pilot (Australia) • Twilio Segment Regional Data Ingestion GA (Ireland, Australia, & Singapore)|• Voice (Ireland) • Conversations – chat only (Ireland)|• Inbound & Outbound SMS (Ireland) • Twilio Segment Regional Connections & Protocols (Ireland) • Twilio Segment Regional Personas (Ireland)|• Video (Ireland) • Email (Europe) • Flex (Ireland) • MMS (Ireland) • Conversations – SMS and WhatsApp (Ireland)|
Access & Contracting: Further regionalizing how you do business with Twilio
In addition to the regionalization of our products and services, our teams are also working in tandem to improve the way that you do business with Twilio around the world. Teams are actively working to build and implement new, robust enterprise-ready access controls. These controls ensure (for example) that sensitive customer data remains regionalized and accessible only by Twilions in-region as necessary. They also ensure this sensitive data remains inaccessible out of region, except when specifically approved. We’re also working to introduce new billing and contracting opportunities that protect your business relationship with Twilio formally under a regionalized European entity, Twilio Ireland, when legally necessary or simply preferred. In Q3, we updated our terms of service and operationalized Twilio Ireland so that new customers are now contracting with this in-region entity. These are just two examples of the many safeguards actively being put into place to ensure our customers have the tools to operate in a fully-compliant manner, anywhere in the world.
Building a future-proof platform, today
The global regulatory landscape is ever-changing, and we’re acutely aware that rulings (like ‘Schrems II’) present important, time-sensitive issues that need to be addressed thoughtfully. As we continue to build a globally regionalized Twilio, our team has committed to a strategy that provides reliable, long-term solutions that deliver on needs today and well into the future–regardless of how regulatory measures, specifically with regard to sensitive customer data, may change for years to come. It’s a promise that Twilio is uniquely capable of delivering on, and we’re excited to bring these updates to you over the coming weeks and months.