Sr. Content Marketing Manager
Making sense of General Data Protection Regulation (GDPR) requirements and data privacy laws as a US-based business is a tall order. And that’s on top of navigating software-specific data collection practices, from Google Analytics 4 to your email marketing platform, and figuring out sticky data collection issues like cookies and consent.
But if you have — or hope to have — an EU customer base, struggling through the complexities of GDPR compliance is a necessary inconvenience. And with two previous agreements around EU-US data transfer shot down in European courts, it was starting to seem like we’d never arrive at a clear solution.
Well, circumstances have changed with the European Commission’s approval of the EU-US Data Privacy Framework, also known as the Trans-Atlantic Data Privacy Framework. Let’s get into what this plan means for you as a business leader — and the steps you need to take to help ensure compliance with GDPR through this new framework.
A quick background on the new EU-US data privacy framework
The European Union (EU) approved a new plan on July 10, 2023 that lets US companies keep storing data from European citizens on American soil. This new ruling, officially called the EU-US Data Privacy Framework, marks a significant shift in how data transfer between the EU and US is managed by both businesses and government.
US organizations actively doing business in Europe had been operating on somewhat shaky ground in terms of the legality of data transfer — so this plan comes none too soon. Until the framework’s approval in July, there was no prevailing plan in place since European courts had nullified two earlier agreements that attempted to accomplish the same thing:
Safe Harbor Agreement: First introduced in 2000, this agreement allowed US companies to self-certify that they complied with EU data privacy laws. It was invalidated by the European Court of Justice (ECJ) in 2015.
Privacy Shield Framework: Introduced in 2016 to replace the previous International Safe Harbor Privacy Principles, but nullified by the Court Justice of the European Union (CJEU) in 2020.
How the new framework impacts your business
Good news: if your business has access to EU customer data and uses that data for marketing and advertising purposes, the new plan benefits you — offering your organization a clear pathway to make sure the flow of personal data between the EU and the US is legal, helping you comply with the broader GDPR law.
Here’s a simple breakdown of the changes included in the framework:
Key data privacy principles. Companies are required to follow a set of principles (listed below) designed to balance individual privacy rights with the requirements of trans-Atlantic data transfers.
New US court for EU data claims: The new framework requires the establishment of a US court with authority to hear the data violation claims of European citizens, known as the Data Protection Review Court.
New complaint process: Complaints from EU citizens will first be reviewed by a US civil liberties protection officer. If necessary, they’ll then be sent to the Data Protection Review Court for a secondary review.
Limited intelligence collection: The US agreed to limit the interception of electronic communications from EU citizens.
Data privacy principles your business should follow
The new plan brings legal clarity to businesses that transfer data across the Atlantic. But by agreeing to the framework, your business commits to following new data compliance and privacy standards:
Access. EU citizens must have access to their personal data and the right to rectify or erase it.
Accountability. Your company is accountable for abiding by the principles of the framework, and noncompliance can result in steep fines and financial penalties.
Choice. Individuals have the right to opt out of having their data collected.
Notice. Notify people about the type of data you collect and how you intend to use it.
Security. Put exhaustive safeguards in place to protect sensitive data from being accessed without permission or misused.
If we could sum up these principles in one word, it would be transparency. To comply with the framework, make sure your business is open about the type of data you collect and its purpose, and clarify how individuals can opt out.
Sure, this may be more challenging to achieve than it sounds, but once all the pieces are in place, your company stands to benefit. Committing to this agreement can help you establish trust among prospects, customers and other stakeholders — and even enhance your company’s reputation.
Get the latest from our blog every month
How to participate in the EU-US Data Privacy Framework
To participate in the EU-US data transfer under the new plan, your business needs to verify your commitment and publicly pledge to follow the EU-US Data Privacy Framework principles. Your self-verification can be legally enforced by US officials. Follow these steps to get started:
Enroll your organization at www.dataprivacyframework.gov
If your company already participates in the EU-US Privacy Shield Framework, you can start using the new plan immediately — although you still need to self-verify under the new framework by October 10, 2023.
Keep in mind that this framework applies to EU data privacy only. There are state-specific data privacy laws in place that your business will likely also need to comply with, including the CCPA (California), VCDPA (Virginia) and ColoPA (Colorado).
Last but not least, remember that we may expect some legal challenges to the new EU-US data transfer law that could impact the validity of the new framework. Make sure to keep tabs on the latest developments and update your data handling practices when and how it makes sense.