New Developments in EU-US Data Transfers

Claudio Berther

Legal and Data Protection Officer

The transfer of data between the European Union and the United States is probably one of the most contentious privacy topics of the past few years. 

This article shall shed some light on the adequacy decision published by the European Commission on July 10, 2023, and the new EU-US Data Privacy Framework.

Background

In 2013 Edward Snowden revealed to the public numerous mass surveillance programs of the United States. 

 

NOYB (None of Your Business), a non-profit organization headed by Austrian lawyer Max Schrems, brought a complaint regarding data transferred from Facebook Ireland to the US parent company and afterwards accessed by the US surveillance authorities. The Safe Harbor agreement then in place was nullified, meaning that it could no longer be used as a legal basis to transfer the data to the United States.

 

In 2018 the General Data Protection Regulation came into force. The successor of Safe Harbor, called Privacy Shield, was again challenged by NOYB. In the famous Schrems II decision of 16.7.2020, Privacy Shield was nullified and could not be used as a legal basis to transfer data to the United States.

 

The decision also stated that the Standard Contractual Clauses were still valid but that additional measures needed to be taken, which led to considerable uncertainty and many questions in the privacy community and among businesses alike. The Standard Contractual Clauses were updated on 4.6.2021 to address some of the concerns.


EU-US Data Privacy Framework

The US Government and the representatives of the EU were aware of the need to address the shortcomings mentioned in the Schrems II decision and negotiated a third agreement, now called the EU-US Data Privacy Framework.

 

It is based on an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which introduced new binding safeguards to address the points raised by the Court of Justice. Notably, data can be accessed by US intelligence agencies only to the extent that is necessary and proportionate.

 

Furthermore, an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes was established. 

 

Based on these improvements, the EU Commission released an adequacy decision for the United States on July 10th, 2023.

What is an adequacy decision?

An adequacy decision is one of the transfer mechanisms provided by the GDPR to legally transmit data to a third (meaning non-EU) country. 

 

It is a determination by the EU Commission that this specific country and its laws and practices provide adequate protection of the privacy of individuals and that data can be transferred to this country with no additional conditions.

 

A list of countries for which this is true can be found here.

A note to our Swiss customers

The Swiss Federal Data Protection and Information Commissioner (FDPIC) published the following statement. The data transfer is legal even if negotiations on an agreement are still ongoing. Yokoy is also ready for the new Swiss Federal Act on Data Protection entering into force on September 1, 2023.

Looking ahead

On the same day this decision was rendered, NOYB announced another court challenge of this decision. So it remains to be seen whether the new framework is here to stay. So far, the courts have struck down such frameworks twice, and it is possible that this will happen a third time.

What have we done at Yokoy to protect your data?

For the Yokoy expense and Yokoy invoices modules, it is possible to deactivate the only subprocessor that stores data in the United States.


Yokoy Pay’s partner Marqeta has strong security measures in place and is used by Visa and Mastercard for the same service it provides to Yokoy. The transfers between our headquarters in Switzerland and the EU or the UK are also covered by an adequacy decision.


Our subprocessors are transparently listed on our website, together with the technical and organizational measures they have taken. They can be found here.


Yokoy also conducted a Transfer Impact Assessment, which concluded that, based on the data in question (mostly expense data that are guided and protected by our customers’ expense policies) and the extensive security measures that we and our partners have taken, access by the US surveillance authorities for national security reasons is unlikely.


As Yokoy’s Data Protection Officer, I can confirm that to date we have never had a request from any US or any other country’s data protection or security authorities. If this were to happen, we have a process in place which includes informing you about the request (if permitted) and making sure, also with external lawyers experienced in this area, that the request is legitimate and proportionate.


Independently of this decision, the transfer of data has always been lawful in the past, and we will continue to monitor the developments. As you can see here and in the one-pager here, we take the security of your data very seriously and are regularly tested by independent third parties through penetration testing or our ISO 27001 security audits done by TÜV Rheinland.
