
The Data Protection Drama:

The easy way to avoid using servers in the USA

t3n, 23 October 2020:  Companies that don’t store their information on European servers find themselves standing in front of the rubble of the erstwhile Privacy Shield. Now they have to act fast as they go about finding a suitable, secure alternative.

Bye-bye Privacy Shield

The Privacy Shield, a data protection framework negotiated by the EU and the USA, was declared invalid by the European Court of Justice (ECJ) on 16 July 2020. The General Data Protection Regulation (GDPR) has been familiar to everyone for some time now. Since its introduction, a consistently high standard for the protection of personal data has been in place in Europe. Privacy Shield was supposed to ensure that – despite this high standard – international data traffic between Europe and the USA could continue to be processed, while securing the same high standard for the data of Europeans. According to the ECJ, Privacy Shield could not provide this security and thus did not offer a sufficient guarantee for the data protection of EU citizens.

This framework is now invalid, and exchanging data between Europe and the USA without violating EU data protection law is thus possible only with great difficulty. In practice this means that any company based in Germany that stores data with companies in the USA, or forwards data to such service providers, violates the GDPR. Many American companies have now started to store the data of European customers exclusively on servers located in Europe. But is that the solution? Not really, for under American law, providers must surrender data on request – even if these data are stored outside the USA. Even the so-called standard contractual clauses, which remain possible in theory, do not allow data to be transferred to US companies unless these companies provide additional safeguards, whether under group law or through encryption of the data.

If you’re still reliant on US providers, you should look for an alternative as soon as possible. For your business, the following now applies: the less you rely on international providers, the lower the risk of running into problems with data protection. To help you keep track of things, here are a few tips for how to proceed:

  • As the use of Privacy Shield has been illegal since August 2020, you should (if you haven’t done so already) think about a data transfer alternative that conforms to the GDPR. In short: the servers on which your personal data are stored have to be located in the EU.
  • Existing contracts should be checked for security and references to Privacy Shield removed. If there are any security gaps, the supervisory authorities must be informed immediately. In addition, data transfers for which there is no legal basis must be ceased or a new provider located in the EU must be found.
  • Also, when choosing a provider, you should ensure that they don’t have any subcontractors that process your data in the USA.

The Struggle in Practice

Admittedly, all of that still sounds somewhat abstract. To get a clearer picture of the problem – and of the solution – consider the story of Mareike: Mareike is the CEO of Datensammler AG. For her billing she has worked for several years with the company Chargebee, which is based in the USA. The data of her European and German customers are thus stored on Chargebee’s (American!) servers. In the past, Mareike, or to be precise, Chargebee, had counted on Privacy Shield. Since it was declared illegal, however, she has been on the lookout for a suitable solution that would guarantee a secure data transfer for her customers, while protecting the data from unauthorized third parties. Here she has had to face a number of challenges, as she naturally wanted to be on the safe side, legally speaking. While searching for a suitable partner that would allow her to avoid this data problem, she came across the German company nexnet.

nexnet is an outsourcing service provider and expert in the fields of financial accounting, credit management and subscription billing. Because nexnet naturally has to deal with many sensitive personal data in these areas, it takes data protection very seriously. Mareike has thus finally found a partner that she doesn’t need to worry about – neither with regard to the security of her customers’ data, nor to the possibility of breaking European law. She is amazed by how smooth the change to nexnet has been and is looking forward to a long-term, secure collaboration.

Data Protection Made in Germany

Guaranteeing the security of customer data requires a great deal of technical knowledge and experience. nexnet has both. For over 20 years already, nexnet has attached particular importance to the issue of data protection. Data that nexnet needs to carry out its tasks are also stored, but they never leave the in-house systems, as no external service provider is required – least of all in the USA. A secure data transfer is guaranteed by a range of measures, including modern SSL certificates and a data management system with a dedicated data management team. Additionally, all staff receive regular training in security and data protection. nexnet’s data centre is overseen, updated, and expanded by an in-house IT department, and is monitored by a sophisticated security system – thus assuring the highest level of security. You can thus rest assured that your data are optimally protected and that cyber criminals will no longer have a chance of accessing your data.

You don’t want to have to worry any more about the risks that go with securing sensitive data, and you want to be on the legal safe side in the future? Then get in touch with the experts at nexnet.