On 10 July 2023, the EU adopted new rules that make it easy to transfer personal data to the US. The rules took effect immediately. What does this mean in practice for those of us who work with marketing, sales and delivery of services covered by this?
As most people know, it has been possible to transfer personal data freely within the EU/EEA, while as a general rule it has been prohibited to transfer personal data outside the EEA. That is why it has been important for large companies such as Microsoft, HubSpot and others to establish regional data centers in the EU.
Previously, a set of regulations within the EU called the Privacy Shield Framework made it possible to transfer data to the USA. This framework was in principle set aside after the Schrems II judgment, which has affected many people and caused considerable unease about what is and is not permitted when it comes to transferring data to the US and using US-based services.
The European Commission can still approve individual countries through something called an adequacy decision. On July 10th the EU approved such a decision, which means that if an American business is on the list of approved businesses, you can transfer personal data to it as if it were a European business.
All other rules within the GDPR must still be followed, so you must have a basis for processing or a data processor agreement to share personal data with others. In practice, this means that the American services many of us who work in marketing and sales use can be used, provided they are on the list.
Since the Schrems II judgment, there have been negotiations between the European Commission and the United States. One of the things that has been a challenge has been the United States' intelligence laws. The US has now changed its intelligence legislation to strengthen privacy, and it has introduced better rights for individuals.
- We are happy that privacy in the USA has improved and that it will now be much easier for Norwegian businesses to comply with the privacy regulations, says head of the international section in the Norwegian Data Protection Authority, Tobias Judin.
PS! We help businesses deal with GDPR and privacy whether you work in sales, marketing or customer service. Book a no-obligation chat if you are worried about how you are handling this today.