The EU-US data protection 'umbrella agreement' will not in itself provide a lawful authority for the transfer of data from the EU to the US, but will instead apply a range of privacy "protections" to data that is exchanged between law enforcement agencies in the EU and US, the Commission said.
EU justice commissioner Věra Jourová confirmed, however, that the new agreement would not come into effect until new legislation is passed by the US Congress to give EU citizens a right to judicial redress in the US where their data is misused by US agencies.
"Robust cooperation between the EU and the US to fight crime and terrorism is crucial to keep Europeans safe," Jourová said. "But all exchanges of personal data, such as criminal records, names or addresses, need to be governed by strong data protection rules. This is what the umbrella agreement will ensure."
Jourová said the deal had been "initialled" by "chief negotiators" from the Commission and US government and is "an important step to strengthen the fundamental right to privacy effectively and to rebuild trust in EU-US data flows".
"I now look forward to the swift adoption of the Judicial Redress Bill by the US Congress, which would enable us to finally sign and conclude the umbrella agreement," Jourová said.
According to the Commission, the new agreement means that personal data can only be transferred between EU and US law enforcement agencies "for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters". The agreement prohibits the further processing of the data "for other incompatible purposes", it said.
The new agreement will also prohibit US authorities from transferring the data shared with them by an EU authority to "a non-US, non-EU country or international organisation" without that EU authority's permission.
The agreement also places limits on the time US authorities will be able to retain data shared with them by EU authorities and will require those US authorities to be open about the "retention periods" they observe and to "take into account the impact on people's rights and interests" when setting them.
EU citizens whose data is shared with US authorities will have qualified rights of access to that data and will be able to request that inaccurate data is corrected, the Commission said. The agreement also provides for a mechanism to be put in place to ensure US law enforcement agencies inform competent authorities and, where appropriate, data subjects of "data security breaches", it said.
In her statement, commissioner Jourová also said she is "confident" that an updated EU-US Safe Harbour Agreement will soon be finalised.
EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, but not including the US, are deemed by the European Commission to provide adequate protection.
In 2000, the European Commission and the US Department of Commerce negotiated a separate Safe Harbour Agreement to facilitate commercial personal data transfers between the EU and US.
However, a review by the Commission, carried out following revelations about US intelligence gathering practices leaked to the media by whistleblower Edward Snowden, found "deficiencies in transparency and enforcement" in how the safe harbour framework works. Since the Snowden leaks, EU officials have been pressing for the framework to be improved and have threatened to suspend the agreement if their concerns were not adequately addressed.
Jourová said: "We continue to work with determination with our US counterparts on the final details."