Data Transfer Assessment
Tradeshift Data Transfer Impact Statement regarding Transfer of Personal Data to the United States in light of the European Court of Justice “Schrems II” Decision
March 10, 2022 – Tradeshift Holdings Inc.
Important: This is not legal advice – the requirement in some situations to prepare a Transfer Impact Assessment applies to the data controller. This is Tradeshift’s attempt, as the data processor, to assist with such assessments.
Q: What personal data governed by European data protection laws (European Economic Area, United Kingdom and Switzerland – “Europe”) may be accessible by or transferred to Tradeshift affiliated companies in the US in Tradeshift’s activity as a processor (on behalf of our customers)?
Type of Data – The Tradeshift platform and SaaS products process business contact information (e.g. a person’s name, email address and/or phone number used for business communications). Such business contact information may be processed because an individual uses the service directly or because it appears as content within a business document exchanged through the service, and the system may assign a user identifier to each specific user of the applications. The Tradeshift products do not process personal data about individuals acting for themselves as consumers.
GDPR and similar laws – In the EU countries, such data is regulated under the General Data Protection Regulation (GDPR), with implementing laws in place in each EU country. This enables such EU personal data to be freely transferred between the EU countries and the other countries in the European Economic Area (EEA). The UK has a similar law, as does Switzerland.
“International Transfers” – An international transfer of personal data takes place when such data is made available outside Europe. This includes merely allowing remote access to the data by someone located in a country outside Europe. Although Tradeshift’s primary hosting locations are in Europe, the Tradeshift systems, and systems operated by Tradeshift’s service providers (Sub Processors), are accessed by some Tradeshift employees and Sub Processors located in the United States. Tradeshift has support, operations, and consulting personnel residing in the United States who require access to customer data to perform their duties. Please refer to Exhibit A of the Tradeshift Data Processing Agreement (at https://tradeshift.com/agreements/gdpr-data-protection) for more information about Tradeshift’s processing activities. A list of Tradeshift’s Sub Processors, and more information about the hosting locations used for the various products and by the various Sub Processors, is found at https://tradeshift.com/privacy/subprocessors.
Q: What transfer mechanism is relied upon by Tradeshift to provide adequate safeguards for the transfer of personal data from Europe to the United States?
Where personal data governed by European data protection law is transferred by a customer to a Tradeshift entity in the United States, Tradeshift relies on the European Commission’s Standard Contractual Clauses (“SCCs”) to provide contractual obligations safeguarding the personal data. To review Tradeshift’s Data Processing Agreement (which incorporates the Standard Contractual Clauses) please visit https://tradeshift.com/agreements/gdpr-data-protection.
Similarly, where customer personal data governed by European data protection law is transferred between Tradeshift affiliated companies or transferred by Tradeshift to Sub Processors, Tradeshift enters into the SCCs with those parties.
Q: Which types of US government surveillance and intelligence gathering laws are applicable to Tradeshift’s US companies (specifically Tradeshift Inc. and Tradeshift Holdings Inc.) and is the transfer mechanism used by Tradeshift effective to protect fundamental privacy rights in respect of such laws?
FISA, the CLOUD Act, and EO 12333 – Section 702 of the US Foreign Intelligence Surveillance Act of 1978 (‘FISA’), which applies to data collection from ‘electronic communication service providers’, allows US government authorities to compel disclosure of information about non-US persons located outside the US in certain circumstances and for the purpose of foreign intelligence gathering. Collection under Section 702 is conducted under certifications and targeting and minimization procedures that must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. The statutory definition of ‘electronic communication service provider’ covers providers of electronic communication service (as defined in 18 U.S.C. § 2510) and remote computing service (as defined in 18 U.S.C. § 2711), which would technically include Tradeshift.
Executive Order 12333 is a directive that organizes US intelligence activities. Unlike FISA Section 702, EO 12333 does not authorize the US government to require any company to disclose data, though it may be used to authorize clandestine intelligence activities involving overseas access to data without the involvement of the company in question.
Tradeshift relevance: Because Tradeshift does provide methods of electronic communication, it could be subject to FISA Section 702 and related process. However, the data held by Tradeshift does not include personal data that is likely to be of interest to US intelligence agencies (i.e., foreign intelligence important to the national security of the US).
The US Department of Commerce, Department of Justice, and the Office of the Director of National Intelligence jointly issued the white paper “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” in September 2020. The White Paper states that for many companies the issue of national security access to their personal data is unlikely to arise, because this data would not be of interest to national security agencies, and confirms that “companies handling ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
The business transaction data that Tradeshift processes could theoretically be of interest to US government officials investigating business activities, but only if such information were required for foreign intelligence purposes. A further reason that data on the Tradeshift systems is unlikely to be sought by US government officials is that Tradeshift is neither the source of truth nor the primary storage location for the business transaction data it processes, so there are likely to be better sources for such data. If such information were nonetheless sought from Tradeshift, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect the data from excessive surveillance.
Q: Does Tradeshift receive requests from the US National Security agencies?
Tradeshift occasionally provides information to courts as part of discovery in commercial litigation. With regard to requests from US intelligence agencies, the answer is simple: as of the time Tradeshift issued this Statement (March 2022), Tradeshift has never received a request from US officials in relation to customer personal data. Tradeshift will begin issuing a transparency report, as other SaaS vendors do, if this situation changes.
Q: What safeguards has Tradeshift put in place regarding transfers of personal data from Europe?
Tradeshift has implemented measures to protect all customer data processed by Tradeshift, including personal data, as confidential information of the customer. The measures include technical, contractual and organizational measures.
- Technical measures include: encryption of data submitted to the Tradeshift products, both at rest and in transit, and annual independent security audits of the Tradeshift security measures. Further information is available in the Tradeshift Information Security Policy and in the Tradeshift Data Processing Agreement.
- Contractual measures are set out in the Tradeshift Data Processing Agreement, which incorporates the Standard Contractual Clauses, such as the obligation to inform customers of government authority requests for their personal data where legally permitted.
- Sub Processor measures include a vendor oversight process covering execution of the Standard Contractual Clauses and review of each Sub Processor’s security measures and independent audit reports.
- Organizational measures include privacy and security review of new features and system changes, employee education, and access restrictions.
Q: Are there Supplementary Measures that Tradeshift takes to protect data transferred to the United States?
Given the measures that Tradeshift takes to protect customer data in storage and in transfer globally, the low risk of US foreign intelligence requests for Tradeshift-managed data, and the fact that Tradeshift prohibits customers from providing sensitive personal data to Tradeshift for processing, Tradeshift believes that the risks involved in transferring customer personal data to, or allowing access from, the United States do not require additional measures at this time. Tradeshift will re-evaluate this position as warranted by any change in circumstances.