With its ruling of July 16, 2020, the European Court of Justice (ECJ) made a landmark decision: the Privacy Shield was declared invalid. Here we explain exactly what this means and how it affects our customers.
In Europe, there is a high standard of protection for personal data. This standard is enshrined in the Charter of Fundamental Rights of the European Union. Everyone in Germany is now familiar with the law on this: the General Data Protection Regulation (GDPR). Of course, this standard of protection must also be ensured for international data traffic. Therefore, it was determined that a transfer of personal data to third countries is only permissible if an adequate level of protection equivalent to the GDPR can be guaranteed.
The Privacy Shield was intended to provide such a guarantee for the flow of data to the USA. In the judgment of July 16, 2020, the ECJ found that, given the applicable law in the U.S., the Privacy Shield does not provide sufficient safeguards for European Union citizens, as “the requirements of national security, public interest and compliance with U.S. law are given priority […] since the surveillance programs based on U.S. law are not limited to what is strictly necessary [and] no legal recourse is available to an institution offering guarantees equivalent in substance to those required by Union law.” In plain language, it was determined that access by U.S. security authorities to data, including that of European Union citizens, without a legal remedy violates the safeguards of the GDPR. This means that a transfer of personal data is not permitted under the Privacy Shield.
In principle, the ECJ has validated standard contractual clauses as a further guarantee option, but only if it can be ensured “that the level of protection required by Union law is respected and that transfers of personal data based on such clauses are suspended or prohibited if those clauses are infringed or compliance with them is impossible.” This means that, at least for a data transfer to the USA, the standard data protection clauses are also ruled out. Even they cannot override U.S. legislation.
Many American companies have therefore started to store data of European customers exclusively on servers in Europe. However, this does not help with the problem that has been pointed out. This is because under section 2713 of the Stored Communications Act, data must be released if it is “in the possession, custody, or control of such provider […] regardless of whether such communication, record, or other information is located within or outside the United States.” The use of American providers of services and software is thus not possible with legal certainty at the current time.
What does this mean for nexnet’s customers?
Since its foundation in 2000, nexnet has placed great emphasis on security and therefore operates its own data centers in Germany. Thanks to our many IT specialists, we are able to develop and operate solutions and services ourselves. However, should we ever need the help of third parties, we rely exclusively on German or European providers who also guarantee the level of protection of the GDPR. This allows us to offer our customers the desired GDPR security. No data is transferred to the USA for any of the services offered by nexnet. Your customer data is safe with nexnet.
nexnet has attached particular importance to data security, and not only since the General Data Protection Regulation (GDPR for short) came into force. With over 388 million invoices, nexnet manages a huge amount of personal data. The subscription billing experts rely exclusively on their own servers located in Germany.
Subscription management providers from the USA have lost out as a result of this decision. Their German customers need to look for an alternative that can bill and manage subscriptions in a GDPR-compliant manner. nexnet can help here. Get in touch without any obligation.