Strengthening Transatlantic Ties | New Data Transfer Agreement Between EU and US
Learn about the transatlantic data-transfer agreement between the EU and the U.S., addressing concerns raised by previous pacts. Discover the enhanced privacy measures and safeguards, as well as the potential legal challenges ahead. Find out how this agreement benefits companies and individuals on both sides of the Atlantic while complying with EU privacy law.
A new transatlantic data-transfer agreement between the European Union (EU) and the United States has been approved in a third attempt, following assurances from U.S. President Joe Biden about protecting EU citizens' data from potential access by American security agencies. However, EU Justice Commissioner Didier Reynders anticipates legal challenges similar to the ones faced by its two predecessors.
EU Commission President Ursula von der Leyen stated that this adequacy decision facilitates data transfer between thousands of companies on both sides of the Atlantic while complying with EU privacy law. The decision follows lengthy negotiations and an executive order from President Biden, promising to safeguard EU citizens’ data transferred to the US.
The agreement marks a significant advancement in the ongoing issue that left numerous companies, including Meta Platforms Inc., in legal uncertainty following the 2020 annulment of the previous Privacy Shield pact by the EU's top court. This annulment threatened to disrupt significant data exchanges necessary for various business activities, from sales and marketing to payroll processing.
The newly approved EU-U.S. Data Privacy Framework addresses concerns previously raised by the European Court of Justice. It introduces several measures, such as limiting access to EU data by US intelligence services to what is deemed necessary and proportionate. The framework also establishes a Data Protection Review Court (DPRC), accessible to EU individuals.
Notably, if the DPRC determines that data has been collected violating the new safeguards, it can order the data's deletion. This comprehensive approach, coupled with additional obligations for US companies importing data from the EU, represents significant improvements over the old Privacy Shield mechanism.
Under the new framework, US companies can participate by committing to a detailed set of privacy obligations. For example, companies must delete personal data when no longer necessary and ensure continued protection when personal data is shared with third parties.
The new framework provides several recourse avenues for EU individuals if US companies mishandle their data. These include free independent dispute resolution mechanisms and an arbitration panel. The safeguards also limit data access by US public authorities, particularly for criminal law enforcement and national security purposes, to what is necessary and proportionate.
Privacy advocate Max Schrems, who initiated the legal battles that resulted in the cancellation of prior EU data transfer pacts, is ready to challenge this most recent agreement. Schrems has expressed concerns about the recurring pattern of these agreements, speculating that the current one could meet a similar end.
The US has set up an independent and impartial redress mechanism, including the Data Protection Review Court (DPRC), to address complaints from EU individuals regarding their data's collection and use by US intelligence agencies.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, with the first review expected within a year of the adequacy decision's enforcement. These reviews will be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

Automating CCPA Risk Assessments and Cybersecurity Audits: Complying with Draft Regulations
The issued draft regulations on CCPA risk assessments and cybersecurity audits by the California Privacy Protection Agency (CPPA) give you an idea of how to comply with imminent obligations
- Data Protection
- USA

India Digital Personal Data Protection Act 2023 - All You Need to Know
Discover the India Digital Personal Data Protection Act (DPDPA) 2023 – India's first comprehensive data protection law. Learn how it affects businesses, data principals, and more. Stay informed about the latest data privacy regulations.
- Data Protection

International Privacy Authorities Issue Joint Statement on Data Scraping
Learn about the joint statement issued by global privacy authorities on August 24, 2023, addressing the risks of data scraping to privacy. Discover its implications for businesses and mitigation strategies
- Data Protection