Zapier Privacy affected by ECJ judgement
Zapier Privacy affected by ECJ judgement

The European Court of Justice has overturned the “Privacy-Shield” that has governed data protection and exchange between the EU and the USA so far. This means that the second agreement, after the 2015 Safe Harbor Agreement, has already been declared invalid by the highest European court and now raises some questions for business practice. We will deal with them: What does this mean for Zapier Privacy? Can you continue to use Zapier? Should you continue to use Zapier? Are there any alternatives that might be privacy-compliant?

Privacy-Shield has been declared ineffective

At the latest since the GDPR, it has become clear that data protection is becoming increasingly important in the EU, which has implications for business practice in particular. Nevertheless, there are numerous US big players on the market, such as Facebook, Google, Microsoft or Apple, which are not directly subject to European data protection law.

The term data in this article always refers to personal data. This means that individual persons can be identified based on that data, for example through business data.

The transatlantic exchange of data was previously regulated by the so-called “Privacy-Shield”. However, the ECJ has now ruled that this is not sufficient for strict European privacy, as US surveillance laws cannot adequately and appropriately protect the data of EU citizens.

The GDPR is the basis for the ruling. It prohibits data processing outside the EU if the level of data protection in other countries is insufficient. This includes the USA in particular. The Privacy-Shield has so far given the USA an adequate level of data protection, provided that US companies comply with EU law on the basis of this agreement.

This Privacy-Shield agreement has now been declared invalid by the ECJ.

Since US authorities in America have special examination rights, which allow access to the data of EU citizens even without legal protection or court order, the ECJ concluded that the level of data protection in the USA is insufficient.

What are my options when using US providers in practice?

At this point in time, we can speak of a legal vacuum, as the ruling leaves companies politically alone. Some of the following options are still subject to existing legal uncertainties and cannot be considered absolutely certain until more specific instructions are given to companies or data processing between the EU and the US is renegotiated.

If possible, you should switch to EU servers if US companies offer this. Amazon Web Services or Microsoft, for example, offer this option.

Currently, the safest option seems to be not to use US service providers or those service providers that work with US subcontractors.

It is also possible to wait for the reaction of the EU Commission and data protection authorities, but this is associated with a residual risk. The current political situation suggests that a quick political solution and cooperation from the USA is unlikely or at least protracted. In addition, your customers, users or other affected parties may request you to stop transferring data to the USA.

Since the damage of the ECJ ruling will also be considerable for US companies, it can be hoped fora quick solution at least on the part of the company. Ideally, this will build up pressure on politicians.

Zapier Policy: Is the US provider affected by the ECJ ruling?

The Privacy-Shield has so far regulated the majority of data transfers between the EU and the USA. The ECJ’s decision to declare this passage invalid poses new challenges for European companies that use US providers such as Microsoft or Facebook.

One one of these suppliers is Zapier. The data protection information can be freely accessed on Zapiers webpage. At first glance, it seems that the automation provider is affected by the ECJ ruling. Zapier Privacy and the associated data processing has so far been based on the Privacy-Shield. The company is committed to these principles.

But Privacy-Shield regulations are not the only data protection requirement Zapier meets. They fully comply to GDPR. Since its adoption in 2018, Zapier implemented changes and improvements to comply with EU-regulations. They even inform their customers and partners about all relevant steps in order to comply with GDPR.

In terms of GDPR, it is extremely important to publish one’s vendors and sub-processors. And that’s exactly what Zapier did. Their list is easily accessible and lists all their vendors and sub-processsors who also have an executed Data Processing Addendum each. Each vendor and sub-processor only gets access to data which is relevant for their actual assignment, so a minimum set of data is shared.

Even better: They offer a DPA, which again is extremely important in order to meet highest EU data protection requirements. Zapier informs customers, partners and developers about this requirement here. In addition Zapier pointed out all its vendors and sub-processors – as seen here here.

If you are interested in the exact wording of this document, there’s a PDF you can access here. We are used to strict EU and German regulations and laws and in our sight, Zapiers DPA seems to work perfectly fine with GDPR.

Can Zapier still be used in compliance with data protection regulations?

From our point of view, Zapier, as well as many other big US-american companies, such as Microsoft, Apple or Google, fell victim to the surprising and drastic ECJ ruling on the Privacy-Shield. It remains to be seen how US companies, that were previously covered by the Privacy Shield, will be treated by the EU. We think it is likely that the EU will either enter into a new agreement with US authorities or revise the Privacy Shield as soon as possible.

From our research and all the above linked information freely accessible through Zapier it is safe to further use Zapier. They present all relevant information in an open and transparent manner and impose the strictest data protection guidelines on themselves.

What else to know about Zapier Privacy when integrating apps

Zapier Privacy only refers to the service offer of the automation service provider. What does that mean exactly?

Zapier themselves compell with GDPR and stated how they meet the EU-regulation in terms of their service offer. For the connection of US software providers in your automation and the associated data processing, the privacy policies of Zapier does not apply.

This means that if you use an automation workflow in which, for example, Facebook, GMail or Mailchimp are integrated, the use of this software is at your own discretion. Only the service itself is subject to European law, not the apps used therein.

So you should decide for yourself how you would like to deal with any US software providers in the future.

Will Zapier no longer be usable in the future?

We cannot foresee the future impact of the ECJ ruling on the Privacy-Shield. If there is another agreement on transatlantic data exchange, the tide will turn again. However, after doing our research and talking to Zapier personally, we can say that we continue to appreciate and use Zapier as an automation provider. Even if there is uncertainty – everybody acts on its on risks.

As we’ve been also interested in a quick solution for our customers, we were very impressed by the professional and fast reaction from Zapier and the developers and managers of the automation software.

If you have any questions or concerns regarding your automation with Zapier, please contact us or make a free appointment today for automation & IT consulting.

Disclaimer: This article does not constitute legal advice, but only an editorial contribution. We are no lawyers and only carry out an IT-technical assessment based on the ECJ ruling and publicly available data. We do not assume any liability for contents or derived recommendations for action.