On 10 July 2023, the EU adopted new rules that make it easy to transfer personal data to the US. The rules took effect immediately. What does this mean in practice for those of us who work with marketing, sales and delivery of services covered by this?
Free transfer within the EU/EEA
As most people know, it has been possible to freely transfer personal data within the EU/EEA, while as a general rule it has been prohibited to transfer personal data outside the EEA. Therefore, it has e.g. for the large companies such as Microsoft, HubSpot and others, it is important to establish regional data centers in the EU.
Schrems II stopped the previous framework
Previously, there was a set of regulations within the EU called the Privacy Shield Framework which ensured an opportunity for the transfer of data to the USA. This framework was in principle set aside after the Schrems II judgment, which has affected many people and which has caused considerable unease about what is permitted or not, when it has been related to the transfer of data to the US and the use of US- based services.
The US is now approved, if the business you buy from is as well
The European Commission can still approve individual countries through something called an adequacy decision, and on July 10th the EU approved such a decision which means that if an American business is on the list of approved businesses, you can transfer personal data to it as if it were a European business.
What does that mean in practice?
All other rules within the GDPR must still be followed, so that you must have a basis for processing or a data processor agreement to share personal data with others. In practice, this means that American services, like many of us who work in marketing and sales - provided they are on the list - can be used.
Strengthened and simplified privacy protection
Since the Schrems II judgment, there have been negotiations between the European Commission and the United States. One of the things that has been a challenge has been the United States' intelligence laws. The US has now changed its intelligence legislation to strengthen privacy, and it has introduced better rights for individuals.
- We are happy that privacy in the USA has improved and that it will now be much easier for Norwegian businesses to comply with the privacy regulations, says head of the international section in the Norwegian Data Protection Authority, Tobias Judin.
Need help with GDPR?
PS! We help businesses deal with GDPR and privacy whether you work in sales, marketing or customer service. Book a no-obligation chat if you are worried about how you are handling this today.
David Aleksandersen
David Aleksandersen is Chief Revenue Officer at Spring Agency. He has over 25 years of experience in sales, marketing, and management, both nationally and internationally. David has a Computer Science degree from Østfold University College and is studying Digital Transformation at Oslo Met. Before joining Spring, he worked as a business advisor at MarkedsPartner, marketing manager at Dataton AB, and as CEO at Smart Simulation AS.