Last Updated: Jun 2, 2021
As a global platform used by users across the world to engage in research, scholarship, and innovation activities, ORCID is committed to addressing changes in privacy and security requirements that impact its users.
On July 15, 2020, the European Court of Justice (“ECJ”), the highest court within the EU legal system, issued its decision in Schrems II, invalidating the EU-US Privacy Shield as lawful under the EU’s General Data Protection Regulation (“GDPR”) and upheld the continued use of the Standard Contractual Clauses (SCCs) to transfer data to a third country. See Facebook Ireland and Schrems, Case C-311/18 (pending at the Court of Justice of the European Union (“CJEU”) [hereinafter “Schrems II”]. In its decision, the ECJ raised concerns regarding whether personal data transferred from the EU to the US maintained adequate protection once stored within the US. In light of this decision, ORCID engaged outside counsel to conduct a review of the impact of Schrems II on its business operations. Below is additional information regarding ORCID’s approach to continued cross-border data transfers from the EU to the US.
Does ORCID currently transfer personal data from the EU to the US?
Yes, ORCID does transfer personal data from the EU to the US as part of its network infrastructure. The live registry software is hosted on servers located within the US.
How does ORCID lawfully transfer personal data under the GDPR?
ORCID relies on two mechanisms to transfer personal data under the GDPR. First, ORCID obtains the consent of its users at the time of registration to the transfer of personal data from the EU to the US. Second, ORCID enters into the Standard Contractual Clauses (SCCs) with member organizations as needed.
How can I add the Standard Contractual Clauses to my existing ORCID membership agreement?
ORCID is happy to enter into the Standard Contractual Clauses with any member located in the EU, EEA or UK that is transferring personal data to ORCID using the member API. Please reach out to your ORCID engagement team contact to discuss the addition of the Standard Contractual Clauses to your membership agreement.
Does ORCID provide information about its data practices?
Yes, ORCID maintains a number of documents on its website related to its privacy and security practices. Those documents include:
TRUSTe Letter of Attestation (Microsoft Word – Certification Letter of Attestation_ORCID20191220.docx)
Does ORCID provide any supplemental measures in the transfer of personal data from the EU to the US?
Yes, in addition to the safeguards discussed above, ORCID incorporates the following supplementary measures to address data protection.
Data Subject Control. Users are provided with a high amount of transparency and control related to the information shared with ORCID and other users or member organizations. ORCID has taken actions to minimize the amount of personal data needed to establish an ORCID record, requiring only a first name and email address. In addition, ORCID makes it clear that its tools and services provide users with control over registration, what is connected to an iD, and who can access user information.
Third-Party Processor Agreements. ORCID enters into agreements with its processors that incorporate data privacy and security provisions. Prior to entering into agreements with processors, ORCID conducts due diligence that addresses privacy and security components. To conduct this due diligence, ORCID first determines whether or not the third-party provider will have access to and/or receive copies of any Personal Data. If the answer is yes, then ORCID moves forward with negotiating a data processing agreement that aligns with the requirements of the GDPR and any other applicable data protection requirements.
Data Encryption. ORCID implements reasonable encryption measures for all data at rest and in transit. Further, all back-ups are encrypted.
Technical and Organizational Measures. ORCID implements a variety of security controls to support the secure management of its databases and infrastructure. These security controls include security patch management; system access monitoring; audit logging; access control; and change control mechanisms. Additionally, ORCID maintains an incident response plan as well as a disaster and data recovery process.
Does ORCID provide users with information on how it will respond to government requests to access data?
Is ORCID subject to US Surveillance laws?
It is not likely that ORCID would be subject to US surveillance law requests highlighted in the Schrems II decision. Since ORCID is not an “electronic communication service provider” as defined under Section 50 USC § 1881(b)(4), it is not subject to the Foreign Intelligence Services Act (“FISA”). ORCID provides an online registry that is used to identify researchers from member organizations; as such, Section 702 under FISA would not apply to ORCID and its data.
Does ORCID provide users located outside of the EU with the same or similar privacy protections?