EU adopts more robust data privacy agreement with US

The decision provides some reassurance to US tech companies that have been in the EU’s crosshairs since Privacy Shield lapsed.
EU sanctions
European Union flags in front of the European Parliament in Brussels. (Getty Images)

Three years after a European court invalidated a transatlantic data transfer agreement, the European Union on Monday formally adopted a new agreement with the U.S. meant to better ensure privacy protections for data moving between American tech companies and users based overseas.

The European Commission decided that the U.S. has provided adequate protections to E.U. citizens’ data after Washington implemented safeguards for Europeans against U.S. surveillance, including redress in front of a new data protection review court for E.U. citizens who believe American intelligence collected their personal data in a way that violates the agreement.

The agreement is the result of years of diplomatic negotiations between the U.S. and EU over differences in privacy standards and clashing over America’s spy programs.

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework,” European Commission President Ursula von der Leyen said in a statement. “Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”


Under the agreement, U.S. tech companies are obligated “to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties,” according to a European Commission press release.

The decision provides some reassurance to American tech companies that have been in the E.U.’s crosshairs since the lapse of Privacy Shield, the previous agreement that the EU adopted in 2016. The agreement was invalidated by an EU court in 2020 after a legal challenge by privacy activist Max Schrems. The court sided with Schrems that Privacy Shield did not offer EU citizens protections equivalent to those in the EU. Failure to reach a new agreement could have potentially forced American companies to cease data transfers with the European Union entirely.

“Businesses and diplomats alike will breathe easier now that the EU-U.S. Data Privacy Framework has received the EU’s stamp of approval,” Caitlin Fennessy, vice president and chief knowledge officer of the International Association of Privacy Professionals wrote in a statement. “Data can flow better protected and less hindered across the Atlantic, albeit with a legal challenge anticipated. While ‘finally’ is sure to be a common sentiment, the fact that this framework took three years to build suggests that no one wanted a quick and temporary fix.”

The European Center for Digital Rights, a group led by Schrems, said Monday it will challenge the agreement in court.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts