Digital Services Act (DSA)

Customers whose primary place of business is in Europe, the Middle East, or Africa (collectively, EMEA) receive services through contracts with F5 Networks, Ltd. F5 Networks, which is headquartered in and incorporated under the laws of the United Kingdom, is the center of F5’s EMEA operations. EU and Swiss authorities have recognized that UK laws provide protection for personal data, fully satisfying the requirements of Chapter V GDPR and equivalent Swiss law. 

Customers headquartered in the Asia–Pacific (APAC) region contract with F5 Networks Singapore Pte Ltd. in Singapore. All other customers (including those headquartered in North America) contract with F5, Inc. in the United States. For all F5 services, the Data Protection Addendum (DPA), as supplemented by the Service-Specific Terms, includes the Standard Contractual Clauses and provisions that apply to all legally applicable transfers to F5. These Standard Contractual Clauses are accompanied by the international data transfer addendum published by the UK government for UK transfers, as well as additional language published by the Swiss Federal Data Protection and Information Commissioner for Swiss transfers. For relevant services, F5 also maintains a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

Yes. For relevant services, F5 maintains a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

No. These two U.S. legal provisions, which were the focus of the Schrems II decision, do not affect F5. In any case, due to improvements in U.S. law following the Schrems II decision, the European Commission determined in its Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework that the earlier concerns about those provisions have been resolved. The European Data Protection Board (EDPB) analyzed the European Commission’s decision and noted (in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023) that “all the safeguards that have been put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used” (meaning, regardless of whether the data is transferred to the United States via the Data Privacy Framework, Standard Contractual Clauses, or another transfer tool).

F5 has never received a data access request or any other kind of directive under FISA 702. Many F5 services are not the type of service eligible to be targeted with a FISA 702 directive. Additionally, for almost all customers of F5 services, F5 does not process the type of data that is eligible to be targeted with a FISA 702 directive, which applies to data about the proliferation of weapons of mass destruction, foreign powers’ plans for attacks on the United States, intelligence about the clandestine activities of foreign spies, or other “foreign intelligence information” within the meaning of FISA.

F5 also cannot receive an order to produce customer data under EO 12333 because there is no such thing as an EO 12333 order. EO 12333 allocates certain responsibility within the United States Intelligence Community but does not impose any obligations on the private sector. F5 encrypts data in transit and uses additional security measures to protect against the theoretical interception activities that concerned the Schrems II court prior to the 2023 European Commission adequacy determination discussed above.

The CLOUD Act did not give the U.S. government new powers to demand data from companies that do business in the United States. The U.S. government does not issue “CLOUD Act orders” and F5 has never received one. The CLOUD Act provided clarification that when the U.S. government follows appropriate existing legal process (such as obtaining an order from a federal district court judge) to direct a company to provide specified data in its possession, custody, or control, the location of the data cannot be the basis for the company’s challenge to the order (though a conflict with the laws in force at such location still may be). The CLOUD Act has been in force since prior to the 2020 Schrems II decision. Subsequent to the Schrems II decision, the United States made various improvements to its rules and practices regarding government access to data. The European Commission then assessed these improvements and determined that U.S. law applicable to U.S. government demands for data now provides an adequate level of protection within the meaning of the GDPR. See Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework. The European Data Protection Board (EDPB) analyzed this decision and noted (in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023) that “all the safeguards that have been put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used” (meaning, regardless of whether the data is transferred to the United States via the Data Privacy Framework, Standard Contractual Clauses, or another transfer tool).

Given the nature of F5’s customer relationships and the limited (and typically encrypted) data F5 handles for customers, such demands are extremely rare. F5’s policy for any demand for customer data is to (i) promptly notify the customer if legally permissible and then cooperate with the customer’s resolution of it or (ii) if customer notification is unlawful, attempt to redirect the requesting authority to the customer. If these efforts do not resolve the matter, F5 would assess the legality of the demand and raise all reasonable challenges to it (such as with an appeal), including whether compliance with the request would violate the GDPR or other relevant laws. During this process, F5 would request suspending the effects of the demand until the competent judicial authority has decided on its merits, including through any appeals process. F5 would not disclose any data in such a situation unless and until required to do so under the applicable procedural rules. If that point were reached, F5 would disclose only the minimum data necessary to comply with what remained of the original demand.

Every customer contract for F5’s services (the End User Services Agreement (EUSA)) includes Service-Specific Terms that incorporate and supplement F5’s Data Protection Addendum (DPA), which includes the Standard Contractual Clauses with relevant additional language for transfers subject to UK or Swiss law. In certain cases, the customer and F5 will have a different contract that incorporates these same protections, such as the contract for specific F5 support services. Customers can also refer to https://www.dataprivacyframework.gov/list, which shows that F5 has certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

For transfers to F5 entities in “third countries” including the UK, F5 and its customers rely on the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which is available on the UK Information Commissioner’s website and is incorporated by reference in F5's DPA for relevant transfers governed by UK law. In addition, for certain services, F5 is certified under the UK Extension to the EU-U.S. Data Privacy Framework.