Bye-bye Privacy Shield

|   nexnet

With its ruling of 16 July 2020, the European Court of Justice (ECJ) reached a landmark decision that packs a punch: The Privacy Shield was declared to be invalid. What is it all about, and how will it affect our customers? We explain the ruling and its implications here.

In Europe there is a higher standard of protection for personal data, which is enshrined in the Charter of the Fundamental Rights of the European Union. The law related to this is now known by everyone in Germany: The General Data Protection Regulation (GDPR). This standard of protection should of course also be achievable in international data communications. It has thus been determined that a transfer of personal data to third countries is only permissible if an appropriate protection equivalent to the GDPR can be guaranteed.

Privacy Shield was supposed to offer a guarantee of this kind for dataflows in the USA. With the ruling of 16 July 2020, however, the ECJ has found that owing to the applicable law in the USA, the Privacy Shield does not provide the citizens of the EU with an adequate guarantee as “the requirements of national security, of public interest, and compliance with American law are granted priority, […] as the surveillance programmes based on American legislation are not restricted to the required degree [and] do not open a legal path to an authority that provides guarantees that would be equivalent in substance to the guarantees that are necessary according to EU law.” In plain English, the court found that access of American security authorities to data of EU citizens without a possibility of legal protection violates the guarantees of the GDPR. Thus, transferring personal data according to Privacy Shield is not permissible.

In principle, the ECJ declared the further possible guarantee of the standard contractual clauses to be valid, but only if it can be guaranteed that “the level of protection demanded by EU law is complied with and that the transfer of personal data based on such clauses is suspended or forbidden if these clauses are violated or compliance with them is impossible.” This also rules out – at least for any data transfer to the USA – the standard data protection clauses. They also cannot be removed by the American statutory requirements.

Many American companies have thus begun to store the data of their European customers exclusively on servers within Europe. However, this does not solve the problem. For according to § 2713 of the “Stored Communications Act”, data must be handed over if they are “within such provider’s possession, custody, or control, regardless of whether such communication, record or other information is within or outside of the United States.” At the present moment in time, the use of American providers of services and software is thus not possible in a legally secure way.

What does this mean for nexnet’s customers?
Since it was founded in 2000, nexnet has placed great value on security and thus operates its own data centres in Germany. Through our many IT specialists, we are capable of developing and operating solutions and services ourselves. If, despite this, we sometimes require third-party assistance, we deal exclusively with German or European providers who also guarantee the protection level of the GDPR. This enables us to offer our customers GDPR security. No data transfer to the USA takes place in any of the services offered by nexnet. With nexnet, your customer data are secure.


It’s not only since the coming into force of the General Data Protection Regulation (GDPR) that nexnet has placed great importance on data security. With over 388 million invoices, nexnet manages an enormous amount of personal data. In doing so, however, the experts in Subscription Billing rely exclusively on their own servers located in Germany. Subscription management providers from the USA have been left standing by this decision. Their German customers have to search for an alternative that will allow their subscriptions to be billed and managed in a GDPR compliant manner. nexnet can help here. Get in touch with us.

 
