Strengthening Transatlantic Ties | New Data Transfer Agreement Between EU and US
Learn about the transatlantic data-transfer agreement between the EU and the U.S., addressing concerns raised by previous pacts. Discover the enhanced privacy measures and safeguards, as well as the potential legal challenges ahead. Find out how this agreement benefits companies and individuals on both sides of the Atlantic while complying with EU privacy law.
A new transatlantic data-transfer agreement between the European Union (EU) and the United States has been approved in a third attempt, following assurances from U.S. President Joe Biden about protecting EU citizens' data from potential access by American security agencies. However, EU Justice Commissioner Didier Reynders anticipates legal challenges similar to the ones faced by its two predecessors.
EU Commission President Ursula von der Leyen stated that this adequacy decision facilitates data transfer between thousands of companies on both sides of the Atlantic while complying with EU privacy law. The decision follows lengthy negotiations and an executive order from President Biden, promising to safeguard EU citizens’ data transferred to the US.
The agreement marks a significant advancement in the ongoing issue that left numerous companies, including Meta Platforms Inc., in legal uncertainty following the 2020 annulment of the previous Privacy Shield pact by the EU's top court. This annulment threatened to disrupt significant data exchanges necessary for various business activities, from sales and marketing to payroll processing.
The newly approved EU-U.S. Data Privacy Framework addresses concerns previously raised by the European Court of Justice. It introduces several measures, such as limiting access to EU data by US intelligence services to what is deemed necessary and proportionate. The framework also establishes a Data Protection Review Court (DPRC), accessible to EU individuals.
Notably, if the DPRC determines that data has been collected violating the new safeguards, it can order the data's deletion. This comprehensive approach, coupled with additional obligations for US companies importing data from the EU, represents significant improvements over the old Privacy Shield mechanism.
Under the new framework, US companies can participate by committing to a detailed set of privacy obligations. For example, companies must delete personal data when no longer necessary and ensure continued protection when personal data is shared with third parties.
The new framework provides several recourse avenues for EU individuals if US companies mishandle their data. These include free independent dispute resolution mechanisms and an arbitration panel. The safeguards also limit data access by US public authorities, particularly for criminal law enforcement and national security purposes, to what is necessary and proportionate.
Privacy advocate Max Schrems, who initiated the legal battles that resulted in the cancellation of prior EU data transfer pacts, is ready to challenge this most recent agreement. Schrems has expressed concerns about the recurring pattern of these agreements, speculating that the current one could meet a similar end.
The US has set up an independent and impartial redress mechanism, including the Data Protection Review Court (DPRC), to address complaints from EU individuals regarding their data's collection and use by US intelligence agencies.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, with the first review expected within a year of the adequacy decision's enforcement. These reviews will be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.
Get Started For Free with the
#1 Cookie Consent Platform.
No credit card required

CPRA's 12-Month Purge: Syncing Salesforce and Zendesk Without Losing Your Mind
That 12-month data retention clock is ticking. If you're juggling customer data between Salesforce and Zendesk, California's privacy law has handed you a major technical challenge: purge personal information consistently across both platforms without disrupting operations or missing anything that could trigger a violation.
- Legal & News
- Data Protection

EU AI Act Compliance: What Small Developers Need to Know Now
As a small developer or startup founder, you're stuck with a tough balancing act: meeting strict regulations without the deep pockets of tech giants. This breakdown cuts through the legal noise to focus on what actually matters for small shops under these new rules.
- Legal & News
- Data Protection

Climate Data Privacy Risks and Litigation: Critical Developments for Organizations
Recent legal battles over climate data have triggered unprecedented questions about transparency, privacy protections, and stakeholder access rights. If your organization collects, uses, or depends on climate-related information, these emerging legal trends demand your immediate attention.
- Legal & News
- Data Protection