The European Union has issued a significant new decision, ruling that EU user data can be transferred to the US.

User data has been a sticking point between the US and EU, with EU regulators concerned about privacy. The EU generally provides more privacy protections than the US, and privacy experts have been concerned that US intelligence agencies could access EU user data.

Privacy concerns have caused multiple countries to rule that tools like Google Analytics are illegal.

Despite concerns, the EU has decided that the US provides enough data protections to warrant allowing data to transfer between the jurisdictions.

Today, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” President Ursula von der Leyen said. “Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”

The EU says the US will provide safeguards to ensure EU user data is not inappropriately accessed or abused.

In addition, the US legal framework provides for a number of safeguards regarding the access to data transferred under the framework by US public authorities, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.

EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.

The decision is sure to anger privacy advocates, while tech companies will celebrate it.