EU-US: historic agreement on data protection and exchange
For years, the European Union and the United States have relied on the Safe Harbor agreement to govern the exchange of personal data between the two continents. In 2015, the European Union Court of Justice ruled that this agreement did not provide sufficient guarantees to protect the privacy of Europeans. On this basis, Brussels and Washington drew up a new legal basis in 2016 to enable data exchange. The result of these negotiations was called the Privacy Shield.
However, in the summer of 2020, the European Court drew a line under this treaty, finding that the US did not provide the same level of protection as that provided in Europe. The measures taken by the United States to protect personal data did not sufficiently comply with the principle of proportionality required by the GDPR (the principle according to which technical and organisational measures to protect data should be appropriate and proportional to the risk of access, disclosure and use). Furthermore, according to the Court, it is impossible for Europeans to influence the way in which personal data is processed by American institutions.
After nearly three years of negotiations, a new treaty on data sharing was announced on 10 July 2023: the EU-US Data Privacy Framework. Under this treaty, European companies and organisations can securely transfer the personal data of European citizens to American companies*. No additional guarantees are required to ensure that personal data is protected to the same degree as on the Old Continent.
For example, one of the agreements limits the data that US intelligence agencies can collect from European citizens. These agencies will only be authorised to consult data if it is "necessary and proportionate". Intelligence services will also be more closely monitored. To this end, a Data Protection Review Court (DPRC) will be set up. The DPRC is an independent and impartial body that will ensure intelligence services comply with the limits, principles and rules of the new treaty.
Finally, it was agreed that Europeans can object to the collection of their personal data by US intelligence agencies. To do so, they can turn to the European Data Protection Supervisor (EDPS), the organisation in which the privacy regulators of all EU member states are represented.
Would you like to partner with an American company? The transfer of personal data to the United States may take place if the U.S. company is approved on the U.S. Department of Commerce website, with no need for any special clauses or additional security measures. Alternatively, if the company you wish to partner with is not on the list, then you should make use of the data transfer mechanisms laid down by the European Data Protection Supervisor.
The EU-US Data Privacy Framework came into force on 10 July 2023. It will be reviewed again in a year's time, and representatives of European and American regulators will take stock of how the treaty is working in practice.
DPO Paradigm,
Brussels, 12/07/2023
* Consult the list of American companies that comply with the Data Privacy Framework: Participant Search (dataprivacyframework.gov)