3. New laws for cross-border regulation
The European Commission plans to introduce a new law aimed at improving the enforcement of GDPR by EU countries' privacy regulators. This law will address concerns about inefficient handling of major cases, particularly involving Big Tech companies. It aims to set procedural rules for cross-border investigations and infringements, harmonize administrative procedures, and support GDPR cooperation and dispute resolution mechanisms.
For example, American giants Meta, Google, and Apple have set up their EU headquarters in Ireland, and Amazon’s EU headquarters is in Luxembourg. Under GDPR, a tech company is overseen by the national regulator of the EU country where it is headquartered. Ireland has faced criticism for lax enforcement of GDPR, although it has also imposed multimillion-euro fines on Meta to sanction GDPR infringements.
This new EU regulation aims to set clear procedural rules for national data protection authorities who deal with cross-border investigations and infringements. It aims to streamline enforcement while anticipating discussions and potential resistance from data privacy watchdogs, advocacy groups, and technology companies.
“Nobody will be happy with the Commission proposal as usual, because the data protection authorities agree on the problem but they do not agree on the solutions,” said Olivier Micol, the Commission’s head of unit for data protection, which is leading the work on the policy.
Non-governmental organizations want to be more involved in the procedures and companies like Google, Apple and Amazon will push back for fear of new fines, Micol said.
“Big Tech companies will not be very happy with it because it will make the system more efficient to have more enforcement,” he said.
What does this mean for your business?
To adhere to GDPR, marketers must:
- Pay close attention to data transferred between countries.
- Adopt more transparent, secure, and accountable data handling practices when working with international data.
- Be aware of the Data Privacy Framework, which we cover in the next section.
4. Data Privacy Framework notes how data is transferred from the USA to the EU
Introduced in July 2023, the EU-U.S. Data Privacy Framework was enacted to ensure that data can flow freely (safely and legitimately) between the USA and the EU.
Previously, businesses could transfer EU data to the US under the EU/US privacy frameworks, like the Safe Harbour and Privacy Shield. However, the EU courts ruled these insufficient in Schrems I and II.
The Data Privacy Framework is replacing the Privacy Shield, which was less secure because it allowed European citizens’ data to be stored by American companies locally in American data centers.
Privacy activist Max Schrems was the driving force behind invalidating the Privacy Shield, which he felt was not robust enough to protect user privacy. "Just announcing that something is 'new,' 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work," Schrems said.
As a result, the United States changed its law to impose stronger privacy safeguards on US intelligence agencies accessing EU personal data. Now, the US can only access EU data where doing so is “necessary and proportionate.” Previously, Uncle Sam could access anything and everything under the sun regarding an EU citizen. The US has also established a Data Protection Review Court that is accessible to EU citizens and allows them to challenge US surveillance practices.
Zooming out, it makes a lot of sense that data must be shared across the Atlantic Ocean. The internet is such a massive, interconnected platform. But it’s the way this data was handled that is under the magnifying glass.
US-based companies like Google, Amazon, and Meta collect a ton of customer data and use it to send personalized messaging to their customers. There have been massive lawsuits between companies spanning the Atlantic Ocean around the misuse of customer data.
This updated framework will make it much easier and more seamless for American companies to operate in Europe.
The door is not closed: Schrems is promising to challenge the decision and further examine the privacy protections set out in the EU-U.S. Data Privacy Framework. At Twilio, we are constantly examining international law to ensure we remain compliant.
What does this mean for your business?
To remain compliant with the DPF, businesses must:
- Consider how they transfer personal data between the EU and the US.
- Review their data flows, revise contracts with third parties, and implement stricter privacy measures so that cross-border data transfers uphold EU privacy standards.
- Determine the best solution for themselves. Interpretations of data residency are multi-faceted, and some customers may still prefer a data-resident solution over relying on the DPF.
How Twilio Segment maintains GDPR compliance
As you monitor the changes to GDPR, you can maintain a high level of customer privacy right now by investing in a CDP like Twilio Segment.
Segment practices are GDPR compliant. As the central record for your customer data, we are also committed to making it easier for you to comply with GDPR.
Segment can help you with compliant and consented data through:
Consent management
First, we ask the visitor to consent to data collection, and then ensure at runtime that the visitor’s preferences are respected. This is done by surfacing a banner that lets visitors configure their consent preferences. It also accounts for all the integrations connected to your website source in Segment, even when a new one is added.
Segment uses time zones to determine if a user is physically in the EU, and we look at their language preferences as a hint to determine if they may be a European resident versus a visitor from another country.
We provide a fully customizable user experience, including an out-of-the-box solution for the Consent Manager if you want to go live quickly or a fully customizable solution so you can align user experience with your product or brand.
Segment’s Destination Insert Functions enable you to insert code to enrich data before it reaches the destination. One use case is Privacy and Compliance such as data masking, encryption and decryption, improved PII data handling, and tokenization.
PII protection
The privacy portal allows users to create a dynamic data inventory in minutes. With Segment, you can automatically detect and classify personally identifiable information (PII) to create a dynamic customer data inventory for your Segment data. Each data point is matched against common PII fields and assigned a risk-based classification of red, yellow, or green.
Segment makes it easy to proactively enforce your company’s data privacy policies, to protect against sensitive data being collected like passwords and card numbers. Segment allows you to set rules to automatically block restricted personal data from being collected.
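As an added illustration of the red/yellow/green classification and the automatic blocking of restricted fields described above (and of the kind of masking logic an insert function could run before data reaches a destination), here is example code that is not Segment's own and does not use Segment's real API: the handler shape, the field name lists, the masking scheme and the sample event are all assumptions.

```javascript
// Added example (not Segment's code): classify each event property against
// common PII field names, drop red-classified values (passwords, card numbers)
// and mask yellow ones (email, phone, ...) before the event is forwarded.

// Luhn check so a long digit string is only treated as a card number when its
// check digit is valid, which avoids false positives on order ids.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Assumed policy lists; a real inventory would be driven by configuration.
const RED_FIELDS = /^(password|passwd|pwd|card_?number|pan|cvv|ssn)$/i;
const YELLOW_FIELDS = /^(email|phone|ip|ip_address|name|address)$/i;

// Classify one property by its name, then by its value (card-number shape).
function classify(key, value) {
  if (RED_FIELDS.test(key)) return 'red';
  const digits = typeof value === 'string' ? value.replace(/[\s-]/g, '') : '';
  if (/^\d+$/.test(digits) && luhnValid(digits)) return 'red';
  if (YELLOW_FIELDS.test(key)) return 'yellow';
  return 'green';
}

// Keep only the first and last two characters of a yellow value.
function maskValue(value) {
  const s = String(value);
  return s.length <= 4 ? '****' : s.slice(0, 2) + '*'.repeat(s.length - 4) + s.slice(-2);
}

// Hypothetical insert-style hook: returns the sanitised event plus a
// per-field inventory of the classification that was applied.
function enforcePolicy(event) {
  const inventory = {};
  const properties = {};
  for (const [key, value] of Object.entries(event.properties || {})) {
    const level = classify(key, value);
    inventory[key] = level;
    if (level === 'red') continue; // blocked: never leaves the pipeline
    properties[key] = level === 'yellow' ? maskValue(value) : value;
  }
  return { event: { ...event, properties }, inventory };
}

// Constructed sample event; 4111 1111 1111 1111 is a standard test number.
const sample = { type: 'track', event: 'Signed Up', properties:
  { email: 'alice@example.com', password: 'hunter2', card: '4111 1111 1111 1111', plan: 'pro' } };
console.log(JSON.stringify(enforcePolicy(sample)));
```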
Local data processing
With “Regional Segment” you can ingest, process and store customer data on infrastructure hosted in the EU. The right to erasure helps you manage user deletion across Segment and supported destinations. It provides visibility into the progress of deletion requests to confirm when data is deleted, so you can update your users and your company.
And finally, Segment lets you block data collection for specific users with one-click suppression. You can issue suppression requests to restrict user data from being sent to Segment and Cloud-based Destinations. Then, use the suppression list to easily add or remove users if their preferences change over time.
Conclusion
Sometimes the only constant is change. Regulations like the GDPR are constantly improving the way user data is protected, and many other countries have started to follow suit by implementing their own privacy regulations: the United States introduced CCPA, Canada has PIPEDA, Singapore introduced PDPA, and Brazil has LGPD.
And with technological advancements like AI, the sky’s the limit on how data can be used to enhance customer journeys (and on how regulations will enforce privacy).
It is important to keep your finger on the pulse of these updated regulations to ensure you’re protecting your customers’ privacy. At Twilio Segment, we remain committed to protecting your users’ data while still providing customized, personalized experiences.