Frequently Asked Questions on Data Transfers

These Frequently Asked Questions set out the data protection mechanisms used by Yahoo EMEA Limited (“Yahoo”) when transferring personal data from customers and users residing in the European Union and the European Economic Area (EU/EEA) to other regions.

What did the Court of Justice of the European Union ("CJEU") rule in the Schrems II judgement?

On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield framework, one of the mechanisms that enabled organisations based in the EU/EEA to transfer personal data to organisations based in the United States. Other mechanisms to transfer personal data outside the EU/EEA (for example, Standard Contractual Clauses ("SCCs") and Binding Corporate Rules) remain valid.

The CJEU also said that additional safeguards may be required when the laws around access to personal data by public authorities in the recipient country do not ensure a level of protection essentially equivalent to that guaranteed within the EU/EEA. 

Does Yahoo transfer data outside of the EU/EEA? If yes, to which countries?

As stated in our Privacy Policy, we transfer personal data to our affiliates and third party suppliers that are established in countries outside of the EU/EEA. 

When we transfer data to our affiliates or to third parties outside the EU/EEA, we ensure that the required safeguards are in place for the transfer. These safeguards include adequacy decisions where the recipient is located in a country that is deemed adequate by the EU or the EU SCCs to protect the transfer. The countries to which we transfer personal data include: Australia, the United Kingdom, India, United States, Canada, Singapore, Taiwan, and Israel.

What data transfer mechanisms does Yahoo use when transferring personal data outside of the EEA/EU?

As stated in our Privacy Policy, when Yahoo transfers personal data outside of the EU/EEA, we rely on the following mechanisms:

  • adequacy decisions adopted by the European Commission. For example, these enable Yahoo to transfer personal data to Israel and to businesses in Canada.
  • SCCs adopted by the European Commission 

How does Yahoo provide a level of data protection in third countries where we store data similar to that afforded in the EU/EEA?

Where we transfer personal data to third countries, Yahoo and our affiliates continually evaluate the level of protection in place and have a range of technical and organisational controls in place to ensure an adequate level of protection. Some of the additional safeguards we have in place include encryption of data in transit and at rest including data pseudonymisation as appropriate and in line with industry standards, access restrictions and controls, and specific annual data protection training to employees. We also have a robust process to handle requests from government authorities (see below).

What is Yahoo's approach to requests from law enforcement for access to data?

Yahoo and its affiliates carefully review all law enforcement requests and will only disclose user data in response to a law enforcement request supported by valid legal process, such as a subpoena, court order, search warrant or Mutual Legal Assistance Treaty request, except in rare circumstances of emergency disclosure where disclosure is necessary to prevent imminent danger of death or serious physical injury, as permitted by applicable law (including the GDPR). To this end, all government data requests are assessed in accordance with the following three global principles:

  1. Minimise disclosure of user data and restrictions to freedom of expression online 
  2. Protect human rights, including the rights to privacy and freedom of expression 
  3. Be accountable and transparent with our users 

To ensure full accountability and transparency with our users, Yahoo publishes a bi-annual Transparency Report. This Report contains information relating to our responses to requests from government authorities in relation to law enforcement and national security. For more information, please visit ourTransparency Report page.

When we receive a request for user data from law enforcement, we carefully review the scope of data to be provided and interpret the request narrowly to disclose the least amount of data necessary to comply with the request. We have previously refused or objected, and will continue to reject or object to, requests that are overbroad or inconsistent with the applicable laws.  

How can I obtain further information from Yahoo?

For general information about how Yahoo collects, uses and shares data, or to contact our Customer Support team or our Data Protection Officer, please visit our Privacy Centre.  If you are a business partner of Yahoo, please reach out to your Yahoo point of contact.