Invisionpower and the EU-US privacy shield

[hjmaier]

This is not a feature request, but a suggestion to the management.

Do you know the EU-US Privacy Shield? Invisionpower is not listed yet. 

As long Invisionpower is not listed there, no German (and probably no EU) located forum can use services like the anti SPAM network you provide for you customers. At least is it not legal to do so. 

Would you (or the management) consider to enlist yourself there? According to my lawyer, it is mandatory if I want to use that service. 

[Lindy]

Thanks for your feedback. We are in fact aware of the Privacy Shield program. For the benefit of others, Privacy Shield (formerly the safe harbor agreement) is an agreement between the EU and US. Participation is voluntary, however, once a US corporation enters into the program, it is enforced by the US Department of Commerce - this was a big advantage to the EU as otherwise, absent a physical presence in the EU, data protection laws in the EU are largely unenforceable in the US. 

The GDPR, which is not the same thing as Privacy Shield, aims to extend data transfer, processing and storage protections and expand the EU's reach to US companies, even those not enrolled in Privacy Shield via various trade agreements. Many believe that's unlikely to be successful except in severe circumstances with large corporations and in those cases, those companies likely have a presence in the EU anyway. Regardless of reach, we feel the GDPR is appropriately encouraging us all to hold ourselves accountable for the personally identifiable data we process and store and we're taking our obligations seriously. 

Those in the Privacy Shield program don't necessarily meet the requirements of the GDPR and we've opted not to, as of yet, go through the cumbersome certification and registration process (and to the best of my knowledge, nobody else in the industry has either) as the GDPR offers more protection than that required by PS (for example, IP addresses are definitively considered PII data by the GDPR whereas previously, dynamic IPs may or may not be, depending on opinion and interpretation) and we've instead focused our efforts on reaching GDPR compliance (which, to be clear, has been an enormous effort.) We will have a GDPR compliance section on our website very soon that will be of interest to you.

I am not in a position to question the accuracy of your attorney's service and am aware Germany has more stringent data protection guidelines than other EU members. With that said, we have thousands of clients across the EU, including Germany and I've never seen or heard of a local regulation requiring a resident to only do business with those in the Privacy Shield program. I would think that would have a significantly adverse effect on the ability to engage in international commerce as a German. Nonetheless, regarding the spam service, if you opt to use the spam service, you'll just want to list us on a (sub)processors page on your site (a blurb in your privacy policy.) The GDPR requires your (as the controller) vendors/processors and sub-processors also be GDPR compliant and we will be. Again, I cannot speak to Germany specifically, but I have no knowledge of a requirement to be Privacy Shield certified and again, you can be PS certified and still not necessarily be compliant with the GDPR as the latter is more restrictive. 

I hope this helps. As mentioned, we'll have more information on the GDPR on our site soon.