Arrow pointing to left
All posts

Sales - 5 min READ

GDPR compliance and the new EU-US Data Privacy Framework: A quick guide

Copy blog urlTwitter share logoLinkedin share logoEmail to logo
Article featured image
Author photo: Katrina Oko-Odoi

Katrina Oko-Odoi

Sr. Content Marketing Manager

Making sense of General Data Protection Regulation (GDPR) requirements and data privacy laws as a US-based business is a tall order. And that’s on top of navigating software-specific data collection practices, from Google Analytics 4 to your email marketing platform, and figuring out sticky data collection issues like cookies and consent.

But if you have — or hope to have — an EU customer base, struggling through the complexities of GDPR compliance is a necessary inconvenience. And with two previous agreements around EU-US data transfer shot down in European courts, it was starting to seem like we’d never arrive at a clear solution.

Well, circumstances have changed with the European Commission’s approval of the EU-US Data Privacy Framework, also known as the Trans-Atlantic Data Privacy Framework. Let’s get into what this plan means for you as a business leader — and the steps you need to take to help ensure compliance with GDPR through this new framework.

A quick background on the new EU-US data privacy framework

The European Union (EU) approved a new plan on July 10, 2023 that lets US companies keep storing data from European citizens on American soil. This new ruling, officially called the EU-US Data Privacy Framework, marks a significant shift in how data transfer between the EU and US is managed by both businesses and government.

US organizations actively doing business in Europe had been operating on somewhat shaky ground in terms of the legality of data transfer — so this plan comes none too soon. Until the framework’s approval in July, there was no prevailing plan in place since European courts had nullified two earlier agreements that attempted to accomplish the same thing:

  • Safe Harbor Agreement: First introduced in 2000, this agreement allowed US companies to self-certify that they complied with EU data privacy laws. It was invalidated by the European Court of Justice (ECJ) in 2015.

  • Privacy Shield Framework: Introduced in 2016 to replace the previous International Safe Harbor Privacy Principles, but nullified by the Court Justice of the European Union (CJEU) in 2020.

Both earlier plans were invalidated because European officials were concerned about US government surveillance of EU citizens’ data. The newly approved EU-US Data Privacy Framework replaces these previous deals and introduces a different approach to safeguarding the data of European citizens, which appears to satisfy the concerns around government surveillance.

How the new framework impacts your business

Good news: if your business has access to EU customer data and uses that data for marketing and advertising purposes, the new plan benefits you — offering your organization a clear pathway to make sure the flow of personal data between the EU and the US is legal, helping you comply with the broader GDPR law.

Here’s a simple breakdown of the changes included in the framework:

  • Key data privacy principles. Companies are required to follow a set of principles (listed below) designed to balance individual privacy rights with the requirements of trans-Atlantic data transfers.

  • New US court for EU data claims: The new framework requires the establishment of a US court with authority to hear the data violation claims of European citizens, known as the Data Protection Review Court.

  • New complaint process: Complaints from EU citizens will first be reviewed by a US civil liberties protection officer. If necessary, they’ll then be sent to the Data Protection Review Court for a secondary review.

  • Limited intelligence collection: The US agreed to limit the interception of electronic communications from EU citizens.

Data privacy principles your business should follow

The new plan brings legal clarity to businesses that transfer data across the Atlantic. But by agreeing to the framework, your business commits to following new data compliance and privacy standards:

  • Access. EU citizens must have access to their personal data and the right to rectify or erase it.

  • Accountability. Your company is accountable for abiding by the principles of the framework, and noncompliance can result in steep fines and financial penalties.

  • Choice. Individuals have the right to opt out of having their data collected.

  • Notice. Notify people about the type of data you collect and how you intend to use it.

  • Security. Put exhaustive safeguards in place to protect sensitive data from being accessed without permission or misused.

If we could sum up these principles in one word, it would be transparency. To comply with the framework, make sure your business is open about the type of data you collect and its purpose, and clarify how individuals can opt out.

Sure, this may be more challenging to achieve than it sounds, but once all the pieces are in place, your company stands to benefit. Committing to this agreement can help you establish trust among prospects, customers and other stakeholders — and even enhance your company’s reputation.

Get the latest from our blog every month

How to participate in the EU-US Data Privacy Framework

To participate in the EU-US data transfer under the new plan, your business needs to verify your commitment and publicly pledge to follow the EU-US Data Privacy Framework principles. Your self-verification can be legally enforced by US officials. Follow these steps to get started:

  1. Enroll your organization at

  2. If your company already participates in the EU-US Privacy Shield Framework, you can start using the new plan immediately — although you still need to self-verify under the new framework by October 10, 2023.

Keep in mind that this framework applies to EU data privacy only. There are state-specific data privacy laws in place that your business will likely also need to comply with, including the CCPA (California), VCDPA (Virginia) and ColoPA (Colorado).

Last but not least, remember that we may expect some legal challenges to the new EU-US data transfer law that could impact the validity of the new framework. Make sure to keep tabs on the latest developments and update your data handling practices when and how it makes sense.

Try Copper free

Instant activation, no credit card required. Give Copper a try today.

Ideo graphic
Masterclass graphic
Swell graphic
Bubbles graphic
Try Copper free image

Keep Reading

All posts
Arrow pointing to right
Featured image: Copper CRM product principles … 2023 and beyond

6 min READ

Copper CRM product principles … 2023 and beyond

How and why Copper defined our CRM product principles, and why we think they’ll make a difference for our users.

Featured image: An easy way to track your critical workflows

6 min READ

An easy way to track your critical workflows

Building the right pipeline structure in your client relationship system, for sales or non-sales workflows, can help you better manage key processes. Here's how.

Featured image: How to get more leads and hit your sales quota

3 min READ

How to get more leads and hit your sales quota

Skip the looming dread of missing your sales quota with these expert tips on how to get more leads.

Featured image: Case study: SportsDataIO powers a personalized email marketing strategy with Copper X Mailchimp

2 min READ

Case study: SportsDataIO powers a personalized email marketing strategy with Copper X Mailchimp

Fast-growing sports data provider added our Mailchimp integration to Copper CRM to power up their email marketing with personalized newsletters.