Three years after a European court invalidated a transatlantic data transfer agreement, the European Union on Monday formally adopted a new agreement with the U.S. meant to better ensure privacy protections for data moving between American tech companies and users based overseas.
The European Commission decided that the U.S. has provided adequate protections to E.U. citizens’ data after Washington implemented safeguards for Europeans against U.S. surveillance, including redress in front of a new data protection review court for E.U. citizens who believe American intelligence collected their personal data in a way that violates the agreement.
The agreement is the result of years of diplomatic negotiations between the U.S. and EU over differences in privacy standards and clashing over America’s spy programs.
“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework,” European Commission President Ursula von der Leyen said in a statement. “Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
Under the agreement, U.S. tech companies are obligated “to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties,” according to a European Commission press release.
The decision provides some reassurance to American tech companies that have been in the E.U.’s crosshairs since the lapse of Privacy Shield, the previous agreement that the EU adopted in 2016. The agreement was invalidated by an EU court in 2020 after a legal challenge by privacy activist Max Schrems. The court sided with Schrems that Privacy Shield did not offer EU citizens protections equivalent to those in the EU. Failure to reach a new agreement could have potentially forced American companies to cease data transfers with the European Union entirely.
“Businesses and diplomats alike will breathe easier now that the EU-U.S. Data Privacy Framework has received the EU’s stamp of approval,” Caitlin Fennessy, vice president and chief knowledge officer of the International Association of Privacy Professionals wrote in a statement. “Data can flow better protected and less hindered across the Atlantic, albeit with a legal challenge anticipated. While ‘finally’ is sure to be a common sentiment, the fact that this framework took three years to build suggests that no one wanted a quick and temporary fix.”
The European Center for Digital Rights, a group led by Schrems, said Monday it will challenge the agreement in court.