The European Court of Justice has overturned the "Privacy-Shield" that has governed data protection and exchange between the EU and the USA so far. This means that the second agreement, after the 2015 Safe Harbor Agreement, has already been declared invalid by the highest European court and now raises major questions for business practice. With Make we present an automation software which processes data according to GDPR. Thus, Make Privacy meets the highest judicial requirements for personal data.
With Facebook, Google or Apple there are numerous big players on the market that are not directly subject to European data protection law. However, the protection of personal data is an increasingly important task for the EU, which is also repeatedly taken up by the highest European court. With the adoption of the GDPR at the latest, it has become clear that data protection in the EU also has strong implications for business practice.
The term data in this article always refers to personal data. This means that individual persons can be identified based on this data, for example through business data.
The transatlantic exchange of data was previously regulated by the so-called "Privacy-Shield". However, the ECJ has now declared that this is not sufficient for strict European data protection, as US surveillance laws cannot adequately and appropriately protect the data of EU citizens.
The GDPR is the basis for the ruling. It prohibits data processing outside the EU if the level of data protection in other countries outside the EU is insufficient. This includes the USA in particular. The Privacy-Shield has so far given the USA an adequate level of data protection, provided that US companies comply with European law on the basis of this agreement.
The Privacy-Shield agreement has now been declared ineffective by the ECJ.
Since US authorities in America have special examination rights, which allow access to the data of EU citizens even without legal protection or court order, the ECJ concluded that the level of data protection in the USA is insufficient.
At this point in time, we can speak of a legal vacuum, as the ruling leaves companies politically alone. Some of the following options are still subject to existing legal uncertainties and cannot be considered absolutely certain until more specific instructions are given to companies or data transfer between the EU and the US is renegotiated.
If possible, you should switch to EU servers if US companies offer this. Amazon Web Services or Microsoft, for example, offer this option.
Currently, the safest option seems to be not to use US service providers or those service providers that work with US subcontractors.
It is also possible to wait for the reaction of the EU Commission and data protection authorities, but this is associated with a residual risk. The current political situation suggests that a quick political solution and cooperation from the USA is unlikely or at least protracted. In addition, your customers, users or other affected parties may request you to stop transferring data to the USA.
Since the damage of the ECJ ruling will also be considerable for US companies, one can hope for a quick solution on the part of the companies, at least. Ideally, this will build up pressure on politics.
Make is an automation supplier based in the Czech Republic. Make's privacy policy makes it clear that data is processed according to EU data protection law. Thus, the service offer of the software is not affected by the ECJ judgement and can still be used as usual.
Personal data are processed on the basis of the GDPR. The data processing of Make is therefore not affected by the Privacy-Shield and meets the requirements of the European law.
The storage of personal data also takes place in the EU, on servers in the Czech Republic.
They are also ISO 9001 and ISO 27001 certified, DIN standards for quality management and information security management systems.
Make works similarly to Zapier. The automation software supports numerous apps in the cloud, connects them with each other and thus creates seamless, efficient data flows. In terms of price, Make is even ahead in direct comparison with Zapier: 1000 process steps are available for 0€ with no limit on applications.
The automation tool is also very well suited for users with complex business processes. Make attaches great importance to security and data protection not only in the privacy policy, but also in the daily application. Thus developers can easily map automation for companies without knowing or seeing all data and passwords.
A detailed comparison of the two cloud process automation tools is available in German here.
We have appreciated Make's privacy policies for a long time, but the ECJ's ruling makes it clear how much the European market needs "domestic" software providers operating under European law. With the declaration of the Privacy-Shield as ineffective, it becomes clear again how insecure US providers can be in times of tightened data protection. Even if a revision of the transatlantic agreement on data processing is concluded in the near future, this can again be declared ineffective, as was the case in 2015 with the Safe Harbor Agreement, and present companies with new challenges.
This is particularly unpleasant as companies are currently left completely alone with the ECJ ruling and its effects.
The Privacy-Shield has so far regulated the majority of data transfers between the EU and the USA. With the ruling of the European Court of Justice declaring this passage invalid, software providers from the USA are confronted with new challenges. One of these providers is Zapier.
From their Privacy Policy it is clear that the automation supplier is affected by the ECJ ruling, because Zapier's data protection and the associated data processing has so far been based solely on the Privacy-Shield. This will no longer be sufficient. Read more about it here.
Based on the current state of knowledge and legal situation, we can only advise against the continued use of Zapier as a technical assessment. If you wish to continue to do so, you do so at your own risk. We cannot foresee what exactly the legal consequences will be for companies working with US providers affected by the ECJ ruling on the Privacy-Shield. However, there are indications of this in this German article.
Any references to Make's privacy policy apply only to the service offering of the Czech software provider. More precisely, this means:
At this stage you can be sure that Make operates in a GDPR-compliant manner and that your data is processed in a legally compliant and secure manner. This will not change even after the latest ECJ ruling. The situation is different with the US competition.
However, Make's privacy policy does not apply if you use it to connect US software providers in your automation systems and thus process data via these tools.
If you use Make to automate a process, for example by integrating Mailchimp or Instagram, the use of this software is still at your own judgement and, according to the ECJ ruling, is associated with risks. The data processing of these third party providers is not covered by the GDPR-compliant data processing of Make. Not the connected, automated apps, but the service of Make itself is subject to European law.
So you should decide for yourself how you would like to deal with any US software providers in the future.
At this point in time, we recommend that European software providers be given preference over US companies like Zapier. Although it is conceivable that a further agreement on EU-US data exchange will come around, we can in no way foresee how the ECJ ruling on the Privacy-Shield will affect us in the future or whether more recent agreements will not be overturned again.
If you have any questions or concerns regarding your automation with Make, please contact us or arrange a free appointment today for automation & IT consulting.
Disclaimer: This article does not constitute legal advice, but only an editorial contribution. We are no lawyers and only carry out an IT-technical assessment based on the ECJ ruling and publicly available data. We do not assume any liability for contents or derived recommendations for action.
Cloud Integration, iPaaS, SaaS, BPA… Ugh, hard to keep track of all these terms. They are currently used frequently (and increasingly) in the context of automation, and it is sometimes difficult to make a clear distinction. We have already written blog posts on the terms iPaaS, SaaS and BPA, but we’ll take them up again here to clarify the difference.
But let’s start with cloud integration, because that’s the central umbrella term in which we embed all the other technologies in this blog post.
Arrange a free cloud integration consultation now
To illustrate these advantages, an example is suitable that we know well from our everyday work as an automation agency:
The central data to be used here is the data of a major customer. This can be the simplest information, such as the address. This address is required in numerous but completely different processes in the company: on the one hand, for correct invoicing in accounting. On the other hand, in the CRM system, where all the data of the large customer is also stored. But the address is also important in sales, for example, when employees go to the sales meeting on site.
Now the customer announces that the address of the company has changed after a move. This information will reach you by e-mail. There are now two options:
01. The e-mail is forwarded to all affected departments, accounting, sales, customer service, marketing… All persons open their corresponding program, CRM, accounting software, marketing tools (such as newsletter marketing) and change the data already stored there of the customer. This means that in multiple applications, different people do exactly the same thing: change one address.
02. But there is also an alternative: By connecting your applications, that is, by integrating them, the customer’s e-mail, or rather the information it contains about the address change, is automatically passed on to all affected applications: CRM, accounting, marketing, ERP. This does not require any clicks, because the cloud integration detects a trigger, i.e. address change, and thus automatically starts the process.
What sounds unimpressive in a single process becomes more effective when such a process occurs several times a day or weekly. Because there is a lot of data that is available in different applications and should always be correct. If these applications are cloud applications they are suitable for cloud integration.
But cloud integration doesn’t just happen. There are now a variety of applications that enable and implement this. Such tools usually allow us to link the relevant cloud applications on a central platform and define clear rules on when, how, where, how much data should be passed on and what happens to them.
To realize cloud integration, there are various applications and technologies that are sometimes used interchangeably.
We have made a first distinction between iPaaS and BPA here.
We explain the term SaaS in more detail here.
Cloud integration is rather an umbrella term that includes numerous technologies, such as SaaS, iPaaS and BPA, and this is also absolutely necessary. Cloud integration is a concept that is made possible by appropriate technologies.
However, all terms share the commonality that they are cloud-based and thus offer enormous potential for growth and scaling. In addition, they are often cheaper to implement and maintain because changed requirements are easy to implement.
As an independent automation agency, we implement cloud integration according to your requirements. We use a variety of SaaS tools and iPaaS (strictly speaking BPA) software. Together we find individual solutions that are flexible and scalable.