
On July 16, 2020, the CJEU (Court of Justice of the European Union) invalidated the Privacy Shield. Since then, there has been no agreement regulating the transfer of data from European companies and citizens to the US. Any transfer is now potentially illegal. This is a thunderclap for the American platforms that hold oligopoly power over European Internet services. It is also a serious concern for US CRM (Customer Relationship Management) solutions, which can no longer guarantee the integrity of their customers' data, no matter where it is stored and processed in SaaS.

While American and European authorities are working to negotiate a successor regime for transcontinental transfers, impacts are important on the trust between B2B partners, especially for business data stored in CRMs whose companies are registered in the United States. The evolution of major account contracts explicitly targeting US persons and the various extraterritoriality laws such as the Patriot Act are indicative of a legal consideration of the risk. 

Why was Privacy Shield invalidated?

The initial objective of the Privacy Shield was to define a legal framework for the transfer of personal data between Europe and the United States. However, following the revelations about PRISM (an American electronic surveillance program), Maximillian Schrems filed a complaint, which led to the invalidation of the Privacy Shield by the CJEU on the basis of the unequal treatment of US and European citizens in case of non-compliance with the regulation. Furthermore, it appears that various US laws and programs, such as Article 702 of FISA, the Upstream program or Executive Order 1233, authorize the processing of data in bulk and in a non-targeted manner, which contravenes the principle of proportionality set out in the GDPR.

This cancellation has immediate effect. The consequence is that European companies that use this mechanism as a basis for storing and processing personal data with a company registered in the US, for example a US SaaS software company, must find an alternative.

What effects for SaaS CRM?

CRM (Customer Relationship Management) is at the heart of the customer experience. Customer data is centralized in the CRM software, from acquisition to customer loyalty, including billing and support.

Indeed, CRM software gathers information from different sources and company processes to display a 360° view of each customer in real time. CRM strategy goes further and manages the technologies, people and processes which supply, optimize and analyze the quality and origin of the relationship with the customer database.

This data is therefore a strategic and confidential asset of the company. It gives a clear overview of crucial information. Giving competitors access to it is like handing them an open book on who your customers are, what your commercial conditions and practices are, and the added value you put forward to win business and build loyalty.

In the famous example of Alstom Power (manufacturer of nuclear tanks for power plants and submarines), the prosecution of the company by the USA for corruption on several commercial files was made easier by direct access to the group's commercial data. The consequences were the arrest of French nationals on American soil, such as Frédéric Pierucci, the former president of the boiler industry; a loss of sovereignty for France through the forced sale to General Electric; and a direct loss of jobs and know-how.

The documents revealed by Edward Snowden in 2015 through WikiLeaks showed that economic spying on French companies by American intelligence agencies is commonplace. The U.S. justice system even relies on the NSA to gather information on contracts of interest. "The extraterritoriality of American justice has allowed French companies to be drained of more than 13 billion dollars with the fines imposed by the American justice system."

Which CRM solutions are involved? 

The CRM solutions directly impacted by the Privacy Shield invalidation are SaaS software products owned by companies governed by American law. It makes no difference whether the data is stored and managed in a data center based in Europe or France. The Cloud Act, passed by the USA as an answer to the European GDPR, obliges American companies to give access to the data stored on their servers even if those servers are based outside American territory.

It is an extension of the extraterritoriality laws already in force, a strengthened version of the Patriot Act (an anti-terrorism law similar to an authorization to spy on foreign companies). Both laws apply to French companies as soon as they entrust their data to a US-based service provider. 

With the passage of the Cloud Act, U.S. digital operators and service providers will be forced to disclose corporate data when requested by U.S. law enforcement, judicial and administrative authorities. This disclosure is done without going through the courts and without even informing the users concerned. In other words: by choosing to work with a US CRM software, you implicitly choose to make your CRM data available to US forces and thus violate the obligations of the GDPR.

The companies and main SaaS CRM software on the market concerned are (non-exhaustive list):

  • Salesforce CRM and Marketing Cloud / Pardot 
  • Oracle CRM and Siebel 
  • Microsoft Dynamics 365
  • Adobe Marketing Cloud and Marketo
  • Hubspot Sales and Hubspot Marketing
  • Active Campaign
  • Mailchimp
  • Zendesk Sell
  • Freshworks CRM (Freshsales)
  • Nimble
  • PipelineDeals
  • Nutshell CRM

What to do if you use a US SaaS CRM software? 

Change your habits

You may decline to use a service which transfers your data outside the European Union.

You can then choose one of the following European companies, which provide guarantees on any data transfer. Several websites list these software solutions, such as Solainn for French software, or MartechTribe, which gathers the main marketing software solutions by European country.

Here is an overview of some European CRM (non-exhaustive list): 

  • Pipedrive 
  • Efficy 
  • Everwin
  • Dimo Yellowbox
  • Webmecanik Pipeline
  • Sellsy
  • Sendinblue 
  • NoCRM 
  • SimpleCRM
  • Sage
  • SAP Sales Cloud

source https://martechtribe.com/

Add clauses

You can add the standard data protection clauses adopted by the European Commission (SCC: Standard Contractual Clauses). A European company which sends its data to the United States, directly or indirectly (through CRM software, for example), must judge whether the company receiving the data has implemented all the necessary measures at the technical, legal and financial levels in order to provide the appropriate guarantees.

Evaluate each contract

Each European company must therefore check in its processing register whether there are transfers of personal data to the United States and whether these were covered solely by the Privacy Shield. If you wish to continue to use the services of this US company, you will have to evaluate each of your contracts with the software vendors, in order to agree on the appropriate clauses with the company concerned.

It will then be appropriate to refer to Article 46 of the GDPR. This part of the regulation states that the transfer can take place if appropriate guarantees are provided. A guarantee is appropriate when one can concretely judge the security of the data, the access to it by anyone, including government authorities, and the ability of European individuals to enforce their rights. In any case, have your legal department or a specialized lawyer review the terms and conditions of sale and the privacy policy of your software solution provider.

Source https://www.salesforce.com/company/privacy/full_privacy/

Conclusion

The easiest way is to start choosing new software solutions, CRM or others, whose legal entity belongs to the European community. There are many choices, of comparable quality, often less expensive and with quality local support.

For older software, this is an opportunity to replace it with a more up-to-date solution: CRMs are in their fourth generation, with AI and native integration with Marketing Automation. If you keep your existing software, conduct a risk assessment against the T&Cs and Privacy Policy, and have the EEC SCC clauses added, as well as Article 46 of the GDPR.

Stéphane Couleaud is the founder and president of Webmecanik.
As a pioneer in CRM marketing for 25 years, he founded Webmecanik in Annecy and since 2015 has been offering an alternative to proprietary and expensive marketing automation solutions such as Marketo, Oracle Eloqua, Salesforce Pardot or Hubspot. Stéphane is also the co-author of the reference book "Marketing Automation, please your customers, accelerate your business".
