The EU-U.S. Data Privacy Framework and how it affects data governance (and you)

A recent decision by the European Commission should make data transit from the EU to the US simpler.
July 18, 2023

Since GDPR came into effect in 2018, data movement between the EU and other countries like the United States has become more complicated due to the expanded consumer protections required of all organizations. On July 10, 2023, the European Commission announced an adequacy decision for the United States regarding the EU-U.S. Data Privacy Framework. Article 45(3) of GDPR grants the European Commission authority to determine whether non-EU countries ensure an “adequate level of protection” – i.e. a level of protection that is functionally equivalent to the prevailing standards set by GDPR in the EU.

The recent decision means that the European Commission considers protections offered by the EU-U.S. Data Privacy Framework to be compliant with GDPR for the purposes of data flows from the European Union to the United States, specifically regarding the handling of data of EU-based users by US-based entities. This makes it more straightforward for global enterprises to move and use their data internationally. 

In addition to affirming GDPR compliance, the EU-U.S. Data Privacy Framework (DPF) also allows EU individuals to seek legal redress in suspected cases of data mishandling by US-based entities through a Data Protection Review Court, established through Executive Order 14086. As U.S. companies need to meet the enhanced data privacy guidelines outlined in GDPR, data security and protection will become even more important. 

Furthermore, the US International Trade Administration has advised that all organizations that are currently self-certified under the old EU-US Privacy Shield standard can automatically transition (beginning July 17, 2023) to the EU-U.S. Data Privacy Framework, provided their privacy policies are updated accordingly and they comply with the DPF standards. Non-EU countries in Europe (Switzerland, UK, Norway) also intend to participate in DPF, and adequacy decisions from the respective authorities are expected to be imminent. For the UK-US and Swiss-US DPFs, there will likewise be automatic transitions for organizations previously certified under Privacy Shield. As companies look to switch to this new framework, they will need comprehensive data governance and lineage to track and catalog data.

How Fivetran handles data security and what this means for you

We have long observed the prevailing legal and regulatory requirements established by GDPR, and all Fivetran services are GDPR-compliant. We were certified under Privacy Shield when it was active, and will accordingly be transitioning to the new Data Privacy Framework.

GDPR protects eight core rights:

  • The right to access
  • The right to be informed
  • The right to data portability
  • The right to be forgotten
  • The right to object
  • The right to restrict processing
  • The right to be notified
  • The right to rectification

Fivetran serves these needs using:

  • Column-level hashing and blocking to obscure PII, either by encrypting it or categorically excluding it from sensitive environments, respectively
  • Metadata logging to ensure visibility into the full provenance of all data assets

In addition, Fivetran supports data residency across a wide range of regions and clouds, with a choice of over 20 major cloud regions worldwide, across North America, Europe, Asia and the Pacific. We also support geographically bounded access, in which there is no data sent out of a designated cloud region without your permission, as well as private networking through services such as PrivateLink. We are continually investing in areas of data security and governance to ensure your most critical and sensitive business data is protected.

Fivetran users who depend on data movement across the Atlantic, such as Lufthansa, GroupM and DPDgroup, can continue to sync their data with confidence. To see for yourself how it works, consider booking a demo.
