EU, US shake hands on protections for transatlantic data transfers
The European Union and the U.S. announced a landmark data transfer agreement Monday, ending years of negotiations and redefining how digital information can be shared across the continents with a new emphasis on better protecting data privacy.
Under the agreement, the European Commission (EC) will officially acknowledge the U.S. can be trusted to secure the privacy of European citizen data sent transatlantically. In exchange, the U.S. has agreed to stringent new data privacy protections, including by limiting American intelligence services’ data access to what is “necessary and proportionate,” the commission said.
The new framework also will jumpstart transatlantic digital trade exchanges worth trillions of dollars, impacting thousands of companies across the continents, according to the White House. It takes effect Tuesday.
"The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic," EC President Ursula von der Leyen said in a prepared statement. “The U.S. has implemented unprecedented commitments to establish the new framework.”
A previous agreement was deep-sixed by the EU's top court due to concerns over inadequate protections from U.S. intelligence agency probes.
American intelligence officials did not immediately reply to a request for comment on the new agreement.
EU citizens whose data is transferred to U.S. companies will have new rights, including to get access to their data or insist on correction or deletion of inaccurate or “unlawfully handled” data, the EC said.
The deal also establishes a Data Protection Review Court (DPRC) that EU citizens can freely access to ensure their data is protected.
The EC said in a press release that the agreement “introduces significant improvements” over past practices, including by mandating the deletion of data the DPRC concludes has been improperly collected.
The agreement will make corporate data transfers faster and more seamless, officials say, by streamlining the regulatory process for U.S. companies that receive European data. If companies commit now to detailed privacy rules, European entities will be able to send their data without adhering to additional regulations beyond the EU’s General Data Protection Regulation (GDPR), which regulates personal data usage across the continent.
In the U.S., the Department of Commerce will administer the program by processing applications for certification and monitoring whether participating companies continue to meet the requirements. The Federal Trade Commission will be responsible for enforcement whenever certified companies run afoul of the rules.
The rules require participating companies to adhere to “privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties,” the EC press release said.
The announcement of the agreement follows a related Biden administration executive order from October that enhanced safeguards for U.S. signals intelligence activities.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.