Zapier Privacy: After ECJ Ruling: Does Zapier comply with European data protection law?
The European Court of Justice has overturned the "Privacy Shield" that has governed data transfers between the EU and the USA until now. After Safe Harbor, invalidated in 2015, this is the second such agreement that the highest European court has declared invalid, and it raises some questions for business practice. We will deal with them: What does this mean for Zapier privacy? Can you continue to use Zapier? Should you continue to use Zapier? Are there alternatives that might be privacy-compliant?
Privacy Shield has been declared invalid
Since the GDPR at the latest, it has become clear that data protection is becoming increasingly important in the EU, with consequences for business practice in particular. Nevertheless, numerous US big players such as Facebook, Google, Microsoft or Apple are on the market; they are headquartered outside the EU and remain subject to US law, even where the GDPR applies to their processing of EU residents' data.
The term data in this article always refers to personal data, i.e. data from which an individual person can be identified, for example a customer contact's name together with their business address.
The transatlantic exchange of data was previously covered by the so-called "Privacy Shield". However, the ECJ has now ruled that this is not sufficient for the strict European level of protection, because US surveillance laws do not adequately and appropriately protect the data of EU citizens.
The GDPR is the basis for the ruling. It prohibits transferring data to countries outside the EU whose level of data protection is insufficient, and the USA in particular is affected. Until now, the Privacy Shield adequacy decision treated the USA as offering an adequate level of data protection, provided that the receiving US company had certified compliance with the agreement's principles.
This Privacy-Shield agreement has now been declared invalid by the ECJ.
Since US authorities have statutory surveillance powers that give them access to the data of EU citizens without an individual court order and without effective legal remedies for the persons concerned, the ECJ concluded that the level of data protection in the USA is insufficient.
What are my options when using US providers in practice?
At this point in time we can speak of a legal vacuum, as the ruling leaves companies without political guidance. Some of the following options are still subject to legal uncertainty and cannot be considered entirely safe until companies receive more specific instructions or data transfers between the EU and the USA are renegotiated.
If possible, switch to EU servers where US companies offer this; Amazon Web Services or Microsoft, for example, do. Note that EU hosting by a US-headquartered provider controls where the data is stored, but does not by itself remove the provider's obligations under US law, so it reduces rather than eliminates the risk.
Currently, the safest option seems to be not to use US service providers, nor service providers that work with US subcontractors.
It is also possible to wait for the reaction of the EU Commission and the data protection authorities, but this carries a residual risk. The current political situation suggests that a quick political solution and cooperation from the USA is unlikely, or at least will take time. In addition, your customers, users or other affected parties may demand that you stop transferring data to the USA.
Since the ECJ ruling will also do considerable damage to US companies, one can hope for a quick solution at least on the companies' side. Ideally, this will build up pressure on politicians.
Zapier Policy: Is the US provider affected by the ECJ ruling?
Until now, the Privacy Shield covered the majority of data transfers between the EU and the USA. The ECJ's decision to declare this agreement invalid poses new challenges for European companies that use US providers such as Microsoft or Facebook.
One of these providers is Zapier. Its data protection information can be freely accessed on Zapier's website. At first glance the automation provider appears to be affected by the ECJ ruling: Zapier's privacy policy and the associated data processing have so far relied on the Privacy Shield, and the company has committed itself to its principles.
But the Privacy Shield is not the only data protection framework Zapier follows. Zapier states that it fully complies with the GDPR; since the regulation became applicable in 2018, Zapier has implemented changes and improvements to meet the EU requirements and informs its customers and partners about the relevant steps.
Under the GDPR it is extremely important to publish one's vendors and sub-processors, and that is exactly what Zapier did. Its list is easily accessible and names all vendors and sub-processors, each of which has an executed Data Processing Addendum. Each vendor and sub-processor only receives the data relevant to its actual task, so a minimum set of data is shared.
Even better: Zapier offers a DPA, which again is extremely important in order to meet the highest EU data protection requirements. Zapier informs customers, partners and developers about this requirement here, and it lists all of its vendors and sub-processors here.
If you are interested in the exact wording of this document, there is a PDF you can access here. We are used to strict EU and German regulations and laws, and in our view Zapier's DPA works fine with the GDPR.
Can Zapier still be used in compliance with data protection regulations?
From our point of view, Zapier, like many other big US companies such as Microsoft, Apple or Google, fell victim to the surprising and drastic ECJ ruling on the Privacy Shield. It remains to be seen how US companies that were previously covered by the Privacy Shield will be treated by the EU. We think it likely that the EU will either enter into a new agreement with the US authorities or revise the Privacy Shield as soon as possible.
Based on our research and the information linked above, which Zapier makes freely accessible, we consider it justifiable to continue using Zapier. Zapier presents all relevant information openly and transparently and imposes strict data protection guidelines on itself.
What else to know about Zapier Privacy when integrating apps
Zapier's privacy policy refers only to the service of the automation provider itself. What does that mean exactly?
Zapier itself complies with the GDPR and has stated how it meets the EU regulation for its own service. Zapier's privacy policy does not cover the US software providers you connect in your automations, nor the data processing that happens there.
This means that if you build a workflow that integrates Facebook, Gmail or Mailchimp, for example, the use of those apps is at your own discretion and responsibility: every record that a Zap passes to a connected app is a transfer to that app's provider, governed by that provider's own terms and not by Zapier's DPA. Only the Zapier service itself is covered by the commitments described above, not the apps used within it.
So you should decide for yourself how you want to deal with US software providers in the future.
Will Zapier no longer be usable in the future?
We cannot foresee the future impact of the ECJ ruling on the Privacy Shield. If there is another agreement on transatlantic data exchange, the tide will turn again. However, after doing our research and speaking to Zapier directly, we can say that we continue to value and use Zapier as an automation provider. Even if there is uncertainty, everyone acts at their own risk.
As we were also interested in a quick solution for our customers, we were very impressed by the professional and fast reaction from Zapier's developers and managers.
Disclaimer: This article does not constitute legal advice, but is only an editorial contribution. We are not lawyers and only carry out an IT-technical assessment based on the ECJ ruling and publicly available data. We do not assume any liability for the contents or for recommendations for action derived from them.
Cloud integration, iPaaS, SaaS, BPA... Ugh, it is hard to keep track of all these terms. They are currently used frequently (and increasingly) in the context of automation, and it is sometimes difficult to distinguish them clearly. We have already written blog posts on the terms iPaaS, SaaS and BPA, but we'll take them up again here to make the difference clear.
But let’s start with cloud integration, because that’s the central umbrella term in which we embed all the other technologies in this blog post.
To illustrate the advantages of cloud integration, here is an example that we know well from our everyday work as an automation agency:
The central data here is the data of a major customer. This can be the simplest information, such as the address. This address is required in numerous but completely different processes in the company: for correct invoicing in accounting; in the CRM system, where all the data of the major customer is also stored; and in sales, for example when employees travel to a sales meeting on site.
Now the customer announces that the company's address has changed after a move. This information reaches you by e-mail. There are now two options:
01. The e-mail is forwarded to all affected departments: accounting, sales, customer service, marketing... Everyone opens their respective program (CRM, accounting software, marketing tools such as newsletter marketing) and changes the customer's data stored there. This means that in multiple applications, different people do exactly the same thing: change one address.
02. There is an alternative: by connecting your applications, i.e. by integrating them, the information contained in the customer's e-mail about the address change is automatically passed on to all affected applications: CRM, accounting, marketing, ERP. This does not require any clicks, because the cloud integration detects a trigger, here the address change, and thus starts the process automatically.
What sounds unimpressive for a single process becomes much more effective when such a process occurs several times a day or week, because a lot of data exists in different applications and should always be correct. If these applications are cloud applications, they are suitable for cloud integration.
But cloud integration doesn't just happen. There are now a variety of applications that enable and implement it. Such tools usually let us link the relevant cloud applications on a central platform and define clear rules on when, how, where and how much data is passed on, and what happens to it.
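To make the trigger-and-rules idea concrete, here is a small router in Python that plays through the address-change scenario above. It is an added example, not Zapier's code and not this agency's own tooling; the trigger name, the connector names, the rule table and the sample event are all constructed for illustration. The security-relevant detail is the per-target field allowlist: each connected app receives only the fields it needs (the "minimum set of data" principle from the sub-processor section), and a duplicate event, such as the same e-mail being picked up twice, is not written a second time.

```python
"""Trigger/action router for the address-change workflow described above.

Added example, not Zapier's code and not this agency's own tooling.
The trigger name, connector names, the rule table and the sample event
are all constructed for illustration.
"""
from dataclasses import dataclass, field


# Rule table of the kind the text describes: for each trigger, which
# connected apps receive the event and which fields each one may see.
# Per-target allowlists keep every app down to the minimum data it
# needs for its own task.
RULES = {
    "customer.address_changed": {
        "crm": {"customer_id", "street", "postal_code", "city", "country"},
        "accounting": {"customer_id", "street", "postal_code", "city",
                       "country", "vat_id"},
        "marketing": {"customer_id", "country"},  # newsletter tool only needs the region
    },
}


@dataclass
class Connector:
    """Stand-in for a connected cloud app (CRM, accounting, ...).

    A real connector would call the app's API; this one records the
    payload it received so the data flow can be inspected.
    """
    name: str
    received: list = field(default_factory=list)

    def update(self, payload: dict) -> bool:
        self.received.append(dict(payload))
        return True


class Router:
    """Dispatches trigger events to connectors according to RULES."""

    def __init__(self, connectors):
        self.connectors = {c.name: c for c in connectors}
        self.seen = set()  # event ids already processed (idempotency)

    def dispatch(self, event: dict) -> dict:
        # The same e-mail may be picked up twice (retry, double polling);
        # an address must still be written only once per connector.
        if event["id"] in self.seen:
            return {"status": "duplicate", "delivered": []}
        targets = RULES.get(event["type"])
        if targets is None:
            return {"status": "ignored", "delivered": []}
        delivered = []
        for name, allowed in targets.items():
            conn = self.connectors.get(name)
            if conn is None:
                continue  # app not connected in this workspace
            # Forward only the allowlisted fields; anything else from the
            # source (free-text notes, contact e-mail) is dropped here.
            payload = {k: v for k, v in event["data"].items() if k in allowed}
            if conn.update(payload):
                delivered.append(name)
        self.seen.add(event["id"])
        return {"status": "delivered", "delivered": delivered}


def demo() -> dict:
    """Run the address-change scenario and return what each app received."""
    crm, accounting, marketing = (Connector("crm"), Connector("accounting"),
                                  Connector("marketing"))
    router = Router([crm, accounting, marketing])
    # Constructed event, as a mail-parsing trigger might emit it; the
    # "notes" and "contact_email" fields are deliberately in no allowlist.
    event = {
        "id": "evt-0001",
        "type": "customer.address_changed",
        "data": {
            "customer_id": "C-1042",
            "street": "Musterstrasse 1",
            "postal_code": "10115",
            "city": "Berlin",
            "country": "DE",
            "vat_id": "DE123456789",
            "contact_email": "jane@example.com",
            "notes": "moved on 1 July, old office closed",
        },
    }
    first = router.dispatch(event)
    second = router.dispatch(event)  # same e-mail processed a second time
    unknown = router.dispatch({"id": "evt-0002", "type": "invoice.paid", "data": {}})
    return {
        "first": first,
        "second": second,
        "unknown": unknown,
        "payloads": {c.name: c.received for c in (crm, accounting, marketing)},
    }


if __name__ == "__main__":
    for app, payloads in demo()["payloads"].items():
        print(app, payloads)
```

Running the script shows that the marketing connector only ever sees the customer id and country, while the free-text notes and the contact e-mail from the incoming message reach none of the apps. When you configure a real integration platform, the equivalent of this allowlist is the field mapping of each action step; leaving a step mapped to "all fields" is what turns a convenient automation into an unintended data transfer.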
iPaaS, SaaS, BPA, ABC – who can still keep track?
To realize cloud integration, there are various applications and technologies that are sometimes used interchangeably.
Cloud integration cannot be done without SaaS, iPaaS and BPA
Cloud integration is rather an umbrella term that covers numerous technologies such as SaaS, iPaaS and BPA, and it depends on them: cloud integration is a concept that is made possible by these technologies.
However, all of these terms share the commonality that they are cloud-based and thus offer enormous potential for growth and scaling. In addition, they are often cheaper to implement and maintain, because changed requirements are easy to implement.
As an independent automation agency, we implement cloud integration according to your requirements. We use a variety of SaaS tools and iPaaS (strictly speaking BPA) software. Together we find individual solutions that are flexible and scalable.