The European Union and the United States have announced a significant data transfer agreement that marks the culmination of years of negotiations and aims to redefine how digital information is shared across the continents with a renewed focus on data privacy. In this landmark agreement, the European Commission (EC) officially recognizes the US as a trusted partner in safeguarding the privacy of European citizen data transmitted transatlantically.
In return, the US has committed to adopting stringent data privacy protections, including limiting access by American intelligence services to only necessary and proportionate data.
The new framework is expected to catalyze transatlantic digital trade exchanges valued at trillions of dollars, impacting thousands of companies on both sides of the Atlantic. It comes into effect immediately, aiming to ensure secure data flows for Europeans and provide legal certainty for companies.
EC President Ursula von der Leyen praised the US for implementing unprecedented commitments to establish this new data privacy framework.
This agreement builds upon the EU’s decision to discard a previous data transfer agreement due to concerns over insufficient protections against US intelligence agency investigations. The new deal grants EU citizens whose data is transferred to US companies new rights, including access to their data, the ability to request corrections or deletion of inaccuracies, and protection against unlawful handling of data.
Furthermore, a Data Protection Review Court (DPRC) will be established, enabling EU citizens to freely access it and ensure the protection of their data.
The agreement is designed to expedite corporate data transfers, streamlining the regulatory process for US companies receiving European data. By adhering to detailed privacy rules, these companies can receive European data without being subject to additional regulations beyond the EU’s General Data Protection Regulation (GDPR). The Department of Commerce will administer the program by processing certification applications and monitoring ongoing compliance, while the Federal Trade Commission will handle enforcement when certified companies violate the rules.
Participating companies must abide by privacy principles such as purpose limitation, data minimization, data retention, data security, and responsible data sharing with third parties, as outlined by the EC.