Europe approves new EU-US data-sharing agreement

The EU-US Data Privacy Framework has an adequate level of protection for personal data, the EU’s executive commission said.

"Today we take an important step to provide trust to [EU] citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values," Commission chief Ursula von der Leyen said.

EU Justice Commissioner Didier Reynders added: “Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorisations.”

The agreement was made possible by the Biden administration, which issued an executive order in 2022 that incorporated "safeguards" into the US intelligence agencies' rules regarding the transfer of European citizens' data, limiting their access to what is “necessary and proportionate” to protect national security.

In the agreement, US companies signing onto the EU-US Data Privacy Framework would be required to delete Europeans' personal data when it was no longer needed for the purpose it was collected.

Moreover, European citizens would have the right to redress if they found their data was wrongly handled by US companies.

President Joe Biden welcomed the announcement, stating that the decision "reflects our joint commitment to strong data privacy protections and will create greater economic opportunities for our countries and companies on both sides of the Atlantic". 

The agreement was also celebrated by groups representing tech companies, with DigitaleEurope stating it means "good news for thousands of businesses".

“This is a major breakthrough,” said Alexandre Roure, public policy director at the Brussels office of the Computer and Communications Industry Association, whose members include Apple, Google and Meta.

“After waiting for years, companies and organisations of all sizes on both sides of the Atlantic finally have the certainty of a durable legal framework that allows for transfers of personal data from the EU to the United States.” 

The US Software Alliance (BSA) added the pact would "bolster the management of data across borders – a cornerstone of our modern economy – and improve safeguards for citizens of the EU and US alike".

However, Max Schrems, the European privacy campaigner who triggered legal challenges over the practice, warned that the agreement failed to resolve core issues and vowed to challenge it to the EU’s top court.

Schrems called the new agreement a copy of the previous one and stated that his Vienna-based group, None of Your Business (NOYB), was readying a legal challenge and expected the case to be back in the European Court of Justice by the end of the year.

“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” Schrems said. “We would need changes in US surveillance law to make this work – and we simply don’t have it.”

The two previous attempts to create a legal framework regarding US-EU data sharing have been shot down in European courts due to privacy concerns.

However, the European Commission argued that the new framework offered "significant improvements" over the previous data-transfer mechanism.