The European Court of Justice has overturned the “Privacy-Shield” that has governed data protection and exchange between the EU and the USA so far. This means that the second agreement, after the 2015 Safe Harbor Agreement, has already been declared invalid by the highest European court and now raises major questions for business practice. With Integromat we present an automation software which processes data according to GDPR. Thus, Integromat Privacy meets the highest judicial requirements for personal data.
Privacy-Shield agreement has been cancelled
With Facebook, Google or Apple there are numerous big players on the market that are not directly subject to European data protection law. However, the protection of personal data is an increasingly important task for the EU, which is also repeatedly taken up by the highest European court. With the adoption of the GDPR at the latest, it has become clear that data protection in the EU also has strong implications for business practice.
The term data in this article always refers to personal data. This means that individual persons can be identified basend on this data, for example through business data.
The transatlantic exchange of data was previously regulated by the so-called “Privacy-Shield”. However, the ECJ has now declared that this is not sufficient for strict European data protection, as US surveillance laws cannot adequately and appropriately protect the data of EU citizens.
The GDPR is the basis for the ruling. It prohibits data processing outside the EU if the level of data protection in other countries outside the EU is insufficient. This includes the USA in particular. The Privacy-Shield has so far given the USA an adequate level of data protection, provided that US companies comply with European law on the basis of this agreement.
The privacy-shield agreement has now been declared as ineffective by the ECJ.
Since US authorities in America have special examination rights, which allow access to the data of EU citizens even without legal protection or court order, the ECJ concluded that the level of data protection in the USA is insufficient.
What are my options when using US providers in practice?
At this point in time, we can speak of a legal vacuum, as the ruling leaves companies politically alone. Some of the following options are still subject to existing legal uncertainties and cannot be considered absolutely certain until more specific instructions are given to companies or data transfer between the EU and the US is renegotiated.
If possible, you should switch to EU servers if US companies offer this. Amazon Web Services or Microsoft, for example, offer this option.
Currently, the safest option seems to be not to use US service providers or those service providers that work with US subcontractors.
It is also possible to wait for the reaction of the EU Commission and data protection authorities, but this is associated with a residual risk. The current political situation suggests that a quick political solution and cooperation from the USA is unlikely or at least protracted. In addition, your customers, users or other affected parties may request you to stop transferring data to the USA.
Since the damage of the ECJ ruling will also be considerable for US companies, it can be hoped for a quick solution on the part of the companies, at least. Ideally, this will build up pressure on politics.
Integromat privacy: Is the automation supplier affected by the ECJ judgement?
Personal data are processed on the basis of the GDPR. The data processing of Integromat is therefore not affected by the Privacy-Shield and meets the requirements of the European law.
The storage of personal data also takes place in the EU, on servers in the Czech Republic.
They are also ISO 9001 and ISO 27001 certified, DIN standards for quality management and information security management systems.
Why Integromat now gains new relevance for automation
Integromat works similar to Zapier. The automation software supports numerous apps in the cloud, connects them with each other and thus creates seamless, efficient data flows. In terms of price, Integromat is even ahead in direct comparison with paper: 1000 process steps are available for 0€ with no limit on applications.
A detailed comparison of the two cloud process automation tools is available in German here.
We have appreciated Integromat privacy policies for a long time, but the ECJ’s ruling makes it clear how necessary the European market has “domestic” software providers operating under European law. With the declaration of the Privacy-Shield as ineffective, it becomes clear again how insecure US providers can be in times of tightened data protection. Even if a revision of the transatlantic agreement on data processing is concluded in the near future, this can again be declared ineffective, as it was the case in 2015 with the Safe Harbor Agreement, and present companies with new challenges.
This is particularly unpleasant as companies are currently left completely alone with the ECJ ruling and its effects.
Effects of the ECJ judgement on other automation suppliers
The Privacy-Shield has so far regulated the majority of data transfers between the EU and the USA. With the ruling of the European Court of Justice declaring this passage invalid, software providers from the USA are confronted with new challenges. One of these providers is Zapier.
Based on the current state of knowledge and legal situation, we can only advise against the continued use of Zapier as a technical assessment. If you wish to continue to do so, you are exposing yourself to your own risk. We cannot foresee what exactly the legal consequences will be for companies working with US providers affected by the ECJ ruling on the Privacy-Shield. However, there are indications of this in this German article.
What else to know about Integromat privacy
Any mentioned references to Integromat privacy have only effects on the service offer of the Czech software provider. More precisely this means:
At this stage you can be sure that Integromats GDPR compliant operations are carried out and your data is processed in a legally compliant and secure manner. This will not change even after the latest ECJ ruling. The situation is different with the US American competition.
If you use Integromat to automate a process, for example by integrating Mailchimp or Instagram, the use of these softwares is still at your own judgement and, according to the ECJ ruling, is associated with risks. The data processing of these third party providers is not covered by the GDPR-compliant data processing of Integromat. Not the connected, automated apps, but the service of Integromat itself is subject to European law,
So you should decide for yourself how you would like to deal with any US software providers in the future.
Integromat as GDPR compliant software provider
At this point in time, we recommend that European software providers be given preference over US companies like Zapier. Although it is conceivable that a further agreement on EU-US data exchange will come around, we can in no way foresee how the ECJ ruling on the Privacy-Shield will affect us in the future or whether more recent agreements will not be overturned again.
If you have any questions or concerns regarding your automation with Integromat, please contact us or arrange a free appointment today for automation & IT consulting.
Disclaimer: This article does not constitute legal advice, but only an editorial contribution. We are no lawyers and only carry out an IT-technical assessment based on the ECJ ruling and publicly available data. We do not assume any liability for contents or derived recommendations for action.