Today I would like to focus on a topic that is not very attractive from a content point of view, but very relevant regarding data protection and its impact on the marketing world.
As is well known, the European Union and its data protection regulations are undoubtedly among the most restrictive in the world.
Its GDPR (General Data Protection Regulation) extends beyond its borders, regulating the exchange of data with other countries, for example, the United States.
Between the two continents we have had several “agreements” of collaboration:
- Safe Harbor Agreement: Established in the early 2000s and invalidated in 2015.
- EU-U.S. Privacy Shield: Established in 2016 and invalidated in 2020.
Privacy Shield Invalidation
The latter agreement was invalidated by the Court of Justice of the European Union (CJEU) for two main reasons.
- First, the U.S. legislation granted U.S. authorities the right to collect personal data from EU data subjects without adequate safeguards. This was deemed insufficient to protect the personal data of EU citizens from U.S. government surveillance.
- Second, EU data subjects lacked effective means to seek redress against the U.S. government. This aspect was in direct conflict with EU data protection requirements, as U.S. legislation did not restrict access to and use of personal data transferred from the EU in a manner that satisfied the essentially equivalent proportionality and protection principles required by EU law.
These concerns led to the invalidation of the Privacy Shield, which meant that transfers of personal data from the EU to the U.S. could no longer be based on this framework. Instead, organizations had to resort to other mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to ensure compliance with the EU’s General Data Protection Regulation (GDPR).
But how does this affect those of us in marketing?
Well, in a very relevant way, since many of the tools we work with in our day-to-day work are American. This implies that the data stored in these tools were located on servers in the United States, so de facto, keeping the information in these tools was outside the protection of the GDPR.
Suppliers and customers in this situation had to go through arduous processes to overcome this obstacle.
Many of the North American companies invested heavily in data centers located on the European continent to overcome this obstacle, but others were unable to do so.
The genesis of a new agreement
With the entry of the new Biden Administration, a new framework has been established to restore confidence and ensure the continuity of data flow. This agreement, the EU-US Data Privacy Framework, reflects a renewed commitment to protect the privacy of individuals and to facilitate trade and cooperation.
Keys to the new agreement
In summary, these are:
- Rigorous Certification Process: Companies in the U.S. must certify their adherence to defined privacy principles, ensuring a level of protection equivalent to that of the EU.
- High Data Protection Standards: Practices such as purpose limitation, data minimization and accuracy, and respect for individual rights, such as access and rectification, are required.
- Oversight and Effective Enforcement: The U.S. Department of Commerce and the FTC play a key role in monitoring and enforcing these standards.
- Restrictions on Further Data Transfer: The transfer of data to third parties is strictly controlled, maintaining the agreed protection.
- Annual Recertification: To maintain their status, organizations must recertify their compliance annually.
This new framework represents an important milestone for businesses and consumers concerned about data privacy, and understanding it is vital to any effective and secure marketing strategy.
Do you want to download the full text of this agreement? You can do it now.
To verify the certification of a company or tool under this framework, you can consult the following sources: