Last week, the Court of Justice of the European Union (CJEU) ruled the EU-US Privacy Shield, a mechanism governing personal data transfers from the EU to the US, is invalid due to concerns about US government access to EU personal data. Companies that relied on the EU-US Privacy Shield now must have an alternative basis with sufficient privacy protections to be able to transfer personal data to the United States. This does not affect GitHub’s commitment to developer privacy or the strength of our global privacy practices. Our response to this ruling is focused on providing uninterrupted support for trans-Atlantic developer collaboration for our users and customers, including the transfer of personal data across borders.
Prior to the ruling, GitHub had relied on the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks for processing developers’ and customers’ personal data transferred from the EU, the UK, and Switzerland. Upon request, we also provided customers with overlapping protections under Standard Contractual Clauses (SCCs) for data transfer. SCCs—which remain valid under the latest CJEU ruling—are contractual commitments between entities transferring personal data, binding them to protect the privacy and security of such data.
In compliance with the new ruling, GitHub is now relying on SCCs to establish necessary data protection for all of our developers and customers, as reflected in our updated customer data protection terms and Privacy Statement. Regardless of whether we are acting as a processor on behalf of our customers or taking on the obligations of a data controller, we have the mechanisms in place to support continued flows of personal data from the European Economic Area, the UK, and Switzerland.
GitHub continues to provide a high standard of privacy protection to all our developers and customers, including the application of stringent individual privacy protections under the European Union’s General Data Protection Regulation (GDPR) to all GitHub users worldwide, regardless of their country of origin or location (see our Privacy Statement for GitHub’s Global Privacy Practices). These existing commitments go beyond the requirements of the SCCs, and our transparency reporting also gives developers and customers added transparency and notice about how GitHub responsibly handles legally authorized government requests for data.
We recognize additional changes to the regulatory framework are to be expected, and, as always, will remain attuned to requirements so we can quickly make any necessary adjustments to our compliance practices and continue to safeguard international developer collaboration. GitHub is proud of the levels of notice, choice, transparency, accountability, security, data integrity, and recourse we provide to our developers and customers worldwide. We are committed to complying with the applicable data privacy laws wherever we do business, and we will continue to advance our protections for developers and customers based on any future developments.