In its ruling of July 16, 2020, the European Court of Justice (ECJ) handed down a landmark decision with far-reaching consequences: the Privacy Shield was declared invalid. Here we explain exactly what this means and how it affects our customers.
Europe has a high standard of protection for personal data. This standard was enshrined in the Charter of Fundamental Rights of the European Union. Everyone in Germany now knows the law on this: the General Data Protection Regulation (GDPR). Of course, this standard of protection should also be ensured for international data traffic. It has therefore been stipulated that the transfer of personal data to third countries is only permitted if an appropriate level of protection equivalent to the GDPR can be guaranteed.
The Privacy Shield was intended to provide such a guarantee for the flow of data to the USA. In its judgment of 16 July 2020, the ECJ found that the Privacy Shield does not provide sufficient guarantees for European Union citizens on the basis of the applicable law in the USA, as "the requirements of national security, the public interest and compliance with US law take precedence [...] since the surveillance programs based on US law are not limited to the extent strictly necessary [and] there is no legal recourse to an institution which would provide guarantees equivalent in substance to those required under EU law." In plain language, the court established that access by the US security authorities to data of citizens of the European Union, without the possibility of legal protection, violates the guarantees of the GDPR. This means that personal data may no longer be transferred on the basis of the Privacy Shield.
In principle, the ECJ has declared the standard contractual clauses, the other available guarantee mechanism, to be valid, but only if it can be ensured "that the level of protection required by Union law is complied with and that transfers of personal data based on such clauses are suspended or prohibited if those clauses are infringed or compliance with them is impossible." This also rules out the standard data protection clauses, at least for data transfers to the USA. They cannot override US legislation either.
Many American companies have therefore started to store European customers' data exclusively on servers in Europe. However, this does not help with the problem described above. According to Section 2713 of the Stored Communications Act, data must be released if it is "in the possession, custody, or control of that provider [...] regardless of whether the communication, record, or other information is located inside or outside the United States." The use of American providers of services and software is therefore currently not possible with legal certainty.
What does this mean for nexnet's customers?
Since its foundation in 2000, nexnet has attached great importance to security and therefore operates its own data centers in Germany. Thanks to our many IT specialists, we are able to develop and operate solutions and services ourselves. Should we nevertheless need the help of third parties, we rely exclusively on German or European providers who also guarantee the level of protection provided by the GDPR. This enables us to offer our customers the desired GDPR security. Data is not transferred to the USA for any of the services offered by nexnet. Your customer data is safe with nexnet.
Even before the General Data Protection Regulation (GDPR) came into force, nexnet attached great importance to data security. With over 388 million invoices, nexnet manages a huge amount of personal data. The subscription billing experts rely exclusively on their own servers located in Germany.
Subscription management providers from the USA have been left behind by this decision. Their German customers will have to look for an alternative that can be used to bill and manage subscriptions in compliance with the GDPR. nexnet can help here. Get in touch without obligation.