
CRM & Privacy Shield

The CJEU invalidated the Privacy Shield on July 16, 2020, in its "Schrems II" judgment (case C-311/18). Since then there has been no adequacy decision covering transfers of personal data from European companies and citizens to the United States, and every transfer that relied on the Privacy Shield has been left without a legal basis. A thunderclap for American platforms, which hold a de facto oligopoly over the European internet. It is also a serious issue for US CRM (Customer Relationship Management) solutions, which can no longer rely on the Privacy Shield to lawfully transfer their customers' data, regardless of where that data is stored and processed in SaaS.

While the American and European authorities work on a successor framework for transatlantic transfers, the gap is already eroding trust between B2B partners, particularly regarding business data held in CRMs whose vendor is incorporated in the United States of America. Large enterprise contracts increasingly contain clauses that explicitly address US persons, and the existence of extraterritorial laws such as the Patriot Act shows that the risk is now being taken into account at the legal level.

Why was the Privacy Shield invalidated

The initial objective of the Privacy Shield was to provide a legal framework for the transfer of personal data between Europe and the United States. But, following the 2013 revelations about PRISM (an American electronic surveillance program), Maximilian Schrems filed a complaint that first led the CJEU to invalidate the Safe Harbor agreement in 2015 ("Schrems I") and then, in 2020, its successor, the Privacy Shield ("Schrems II"). The court found that US law does not limit surveillance to what is strictly necessary and gives European data subjects no actionable right of redress before an independent body, so they are not treated in a way essentially equivalent to what EU law guarantees. In particular, Section 702 of FISA (under which the PRISM and Upstream collection programs operate) and Executive Order 12333 authorize mass, non-targeted processing of data, which contravenes the principle of proportionality required by EU law and reflected in the GDPR.

The annulment took effect immediately, with no transition period. The consequence is that European companies that relied on this mechanism as the basis for the storage and processing of personal data by a company incorporated in the USA, for example a US SaaS software vendor, must find an alternative.

What are the consequences for Customer Relationship Management (CRM) SaaS solutions?

CRM (Customer Relationship Management), in French GRC or Gestion de la Relation Client, is now at the heart of the customer experience. The centralization of customer data now takes place in CRMs, from acquisition to customer loyalty, including billing and support for services and equipment. CRM is now overtaking ERPs (Enterprise Resource Planning) and becoming the hub of the company’s data capital.

Indeed, CRM software brings together all the information from the company’s various processes to provide a 360° real-time view of each customer. CRM goes beyond the software aspect to encompass the technology, people, and processes that feed, optimize, and analyze the quality and nature of the relationships maintained with the customer database.

This data is therefore a strategic and confidential asset of the company. Giving its competitors access to it amounts to allowing them to read like an open book both who its customers are, what its business terms and practices are, and the added value highlighted to win deals and build loyalty.

The well-known example of Alstom Power (the manufacturer of nuclear reactor vessels for power plants and submarines), which was prosecuted in the USA for corruption in several business deals, illustrates the point: the prosecution was made easier by direct access to the group's commercial data. The consequences were the arrest on American soil of French nationals, such as Frédéric Pierucci, former head of the boiler division, a loss of French sovereignty through the forced sale of the energy business to General Electric, and a direct loss of jobs and know-how.

The documents revealed by Edward Snowden in 2013, and those published by WikiLeaks in 2015, showed that economic espionage of French companies by American intelligence agencies is commonplace. The American justice system even relies on the NSA to gather information on contracts that interest it. "The extraterritoriality of the American justice system has enabled more than 13 billion dollars to be extracted from French companies through fines imposed by the American justice system".

Which CRM solutions are affected?

The CRM solutions directly impacted by the invalidation of the Privacy Shield are SaaS products owned by companies governed by American law. It does not matter whether the data is stored and processed on servers based in Europe or in France. The CLOUD Act, passed in the USA in March 2018, two months before the GDPR became applicable, requires providers subject to US jurisdiction to hand data over to American state agencies even when that data is stored on servers outside American territory.

It extends the reach of the extraterritorial laws already in force, in particular the Patriot Act (an anti-terrorism law that in practice amounts to an authorization to spy on foreign companies). These two laws apply to French companies as soon as they entrust their data to a service provider of American origin.

With the CLOUD Act, American operators and providers of digital services are required to disclose companies' data when the American authorities (police, justice, and administration) ask them to do so. A warrant or order from a US court is enough: no authorization from a court in the country where the data is stored is required, and the users concerned are generally not informed. In other words: by choosing to work with American CRM software, you implicitly choose to make your CRM data available to US authorities, which can put you in breach of your GDPR obligations.

The companies and main SaaS CRM software on the market concerned are (non-exhaustive list):

  • Salesforce CRM and Marketing Cloud / Pardot
  • Oracle CRM and Siebel
  • Microsoft Dynamics 365
  • Adobe Marketing Cloud and Marketo
  • HubSpot Sales and HubSpot Marketing
  • ActiveCampaign
  • Mailchimp
  • Zendesk Sell
  • Freshworks CRM (Freshsales)
  • Nimble
  • PipelineDeals
  • Nutshell CRM

What should you do if you use American SaaS CRM software?

Change your habits

You can choose to stop using a service that transfers your data outside the European Union.

You can then opt for a European company that guarantees no transfer of your data outside the European Union. Several sites list such software, notably the Solainn database for French software solutions, and MartechTribe has grouped the main marketing solutions by European country, including CRM and Marketing Automation software.

Here is a list of European CRM software (also non-exhaustive):

  • Pipedrive
  • Efficy
  • Everwin
  • Dimo Yellowbox
  • Webmecanik Pipeline
  • Sellsy
  • Sendinblue
  • NoCRM
  • SimpleCRM
  • Sage
  • SAP Sales Cloud

Add clauses

You can have the standard data protection clauses adopted by the European Commission (Standard Contractual Clauses, or SCCs) added to your contract; the Commission adopted an updated set of SCCs in June 2021. Note that the Schrems II judgment makes clear that signing SCCs is not enough on its own: a European company that sends data to the United States, directly or indirectly via, for example, CRM software, must assess whether the law of the destination country undermines the protection the clauses promise, and whether the receiving company has put in place all the necessary technical, legal, and financial measures (such as encryption with keys held in Europe, or contractual commitments to challenge access requests) to provide appropriate safeguards in practice.

Assess each contract

Each European company must therefore go through its record of processing activities (Article 30 of the GDPR) to identify transfers of personal data to the United States and check whether any of them relied solely on the Privacy Shield. If you wish to keep using the services of a US company, you will need to review each contract entered into with that software vendor and agree appropriate clauses with the company concerned.

It will then be necessary to refer to Article 46 of the GDPR. This part of the regulation states that, in the absence of an adequacy decision, a transfer may take place only if appropriate safeguards are provided and on condition that enforceable data subject rights and effective legal remedies are available. Assessing a safeguard means being able to verify, concretely, how the data is secured, who can access it (including government authorities), and whether European individuals can actually enforce their rights. In all cases, have your legal department or a specialized lawyer review your software provider's general terms of sale and privacy policy.

Source https://www.salesforce.com/company/privacy/full_privacy/

Conclusion

The simplest course is to start choosing, for new software solutions (CRM or otherwise), vendors whose legal entity is established in the European Union. The choices are numerous, of comparable quality, often less expensive, and come with quality local support.

For older software, this is an opportunity to modernize with a newer solution: CRMs are now in their fourth generation, with AI and native integration with Marketing Automation. If you keep them, carry out a risk assessment in light of the Terms and Conditions and the Privacy Policy, add the European Commission's SCCs to the contract, and make sure the safeguards required by Article 46 of the GDPR are actually in place.
