Disclaimer: The content in this post is not – and should not be interpreted as – legal advice. For detailed information regarding the data transfers and GDPR, please seek legal counsel.
All transfers of personal data from the EU to anywhere outside of the EU must be protected by means approved by the European Commission. On the 16th July 2020, the Court of Justice of the EU (CJEU) decided to remove one of those means by invalidating what is known as the Privacy Shield- the Commission adequacy decision underlying the EU-US Safe Harbour arrangement (Case C-311/18, “Schrems II”). The Privacy Shield has been a common arrangement for allowing transfers of personal data from the EU to the US.
If you’re an ecommerce retailer wondering how the Schrems II decision impacts your business, here is a brief overview of commonly asked questions regarding the Privacy Shield invalidation and how Nosto continues to safeguard data for merchants.
Personal Data Within the Nosto Service
The personal data within the Nosto service is currently stored at the Amazon Web Services (AWS) data centre in North Virginia, US. As the personal data is located outside of the EU, we have naturally evaluated and decided upon the appropriate mechanisms for such transfers of personal data.
Despite the invalidity of Privacy Shield, there are still other legitimate mechanisms for transferring EU data to the US. The so-called standard contractual clauses (SCCs) issued by the European Commission are widely used across all industries and that is also what we have and will continue to rely upon with AWS. In a practical sense, the Schrems II decision has not impacted how we transfer the personal data we process on behalf of our customers. However, we have and will continue to keep a close eye on all developments in this area.
Privacy Shield Invalidation FAQs
Q: I heard that the Privacy Shield was shot down. What is Nosto doing to fix things?
A: Yes, the Privacy Shield was invalidated, but there are other means for legitimate transfers of EU personal data to other countries. Instead of Privacy Shield, Nosto has and will continue to rely on Standard Contractual Clauses.
Q: Where do you store my customer’s personal data and how can you be sure the transfer is legal now that Privacy Shield no longer exists?
A: We store the personal data at the Amazon Web Services data centre in North Virginia, US. We apply the Standard Contractual Clauses (as issued by the EU commission) for those transfers, so Privacy Shield has not had an impact on our transfers to AWS.
Q: I want my data to be in Europe. Will you be moving it here?
A: We are keeping a close eye on any developments in the area of privacy, especially in the aftermath of the Schrems II decision. However, as affirmed in the said decision, the Standard Contractual Clauses (as issued by the EU commission) afford adequate protection for personal data transferred outside of the EU.
Q: I don’t know much about privacy. I think my company is the data “Controller”, but how does that impact what I do with Nosto?
A: You are correct, when it comes to personal data, it is also important to distinguish between the different roles and responsibilities related to the processing of such data. A ‘Controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Whereas a ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In the Nosto Service, the customer is the Controller and Nosto is in the role of the Processor.
The Schrems II decision puts Controllers in a position where they have to ensure that none of the processing of personal data on their behalf relies on Privacy Shield. As for the data processed on Nosto’s customers’ behalf in the Nosto Service, we can confirm that Nosto has not applied the Privacy Shield mechanism and that the Schrems II decision has no direct impact on such processing.
Didn’t find an answer to your question regarding the Privacy Shield invalidation or the handling of your personal data?
If you’re a Nosto-powered merchant, reach out to your Customer Success Manager for more information regarding the Privacy Shield invalidation. If you’d also like to review additional information regarding data privacy controls , check out Nosto’s data privacy overview.
This article originally appeared in the Nosto blog and has been published here with permission.