EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

EU-US personal data exchanges

EU-US personal data exchanges



Commission communication (COM(2016) 117 final) — Transatlantic Data Flows: Restoring Trust through Strong Safeguards


It takes stock of the steps taken by the European Union (EU) to achieve the objectives set out in the 2013 communication on restoring trust in EU-US data flows. That European Commission communication followed reports of large-scale intelligence collection programmes in the US.


The 2013 communication set out 3 key actions designed to restore trust in EU-US data flows:

  • Adopt the data protection reform package proposed by the Commission in 2012 (see point 1 below).
  • Make the Safe Harbour* (set of rules for transatlantic data flows) safer on the basis of 13 recommendations set out in the 2013 communication on the Safe Harbour.
  • Strengthen data protection safeguards for law enforcement cooperation, notably by concluding negotiations on the EU-U.S. Data Protection Umbrella Agreement.
  • 1.

    EU data protection reform package

The reform package is composed of 2 instruments:

The package was formally adopted in April 2016.

  • 2.

    EU-US Privacy Shield

The 2013 communication on the Safe Harbour pointed to a number of weaknesses in the functioning of the arrangement, in particular a lack of:

  • transparency by companies in their following of the scheme;
  • effective enforcement by US authorities of those companies’ compliance with the scheme’s privacy principles.

The achievements of the EU-US Privacy Shield, the new set of rules that replaces Safe Harbour, are set out in the communication in 4 categories:

  • strong obligations on companies and robust enforcement;
  • clear limits and safeguards with respect to government access;
  • effective protection of EU individuals’ privacy rights with several redress possibilities;
  • an annual joint review mechanism.
  • 3.

    EU-US Data Protection Umbrella Agreement

The communication states that the Umbrella Agreement provides a harmonised and comprehensive set of data protection safeguards that will apply to all transatlantic exchanges between relevant authorities in the area of criminal law enforcement (or, alternatively, between private entities and law enforcement authorities based on an international agreement, such as those on Passenger Name Records or the Terrorist Finance Tracking Program). In particular, it:

  • covers all data exchanges taking place in the context of transatlantic law enforcement co-operation in criminal matters;
  • covers all the core EU data protection rules in terms of:
    • processing standards (e.g. data quality and integrity, data security),
    • safeguards and limitations (e.g. purpose and use limitations, data retention) as well as
    • individual rights (access, rectification, administrative and judicial redress);
  • ensures the availability of judicial redress rights for denial of access, denial of rectification and unlawful disclosure;
  • generalises and expands to the whole law enforcement sector the principle of independent oversight as a core data protection requirement (including powers to investigate and resolve individual complaints of non-compliance with the agreement);
  • will be subject to periodic joint reviews.

The Umbrella Agreement was signed by the EU and the US on 2 June 2016.


For more information, see:


Safe Harbour: name given to the 2000 EU-US set of rules for the transfer of personal data from the EU to US companies and their subsequent use. The Commission’s Safe Harbour adequacy decision (finding that the rules provided an adequate level of protection for transatlantic data transfers) was invalidated by the European Court of Justice in October 2016 and has in the meantime been replaced by the EU-US Privacy Shield.


Communication from the Commission to the European Parliament and the Council Transatlantic Data Flows: Restoring Trust through Strong Safeguards (COM(2016) 117 final, 29.2.2016)


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)

last update 28.11.2016