The transfer of data between the EU and the US by multinational companies such as Facebook, Google, Amazon — as well any many manufacturing companies — had been covered by what was known as the Safe Harbor agreement, which allowed for the protection of EU citizens' data on US servers.
The basic rule was that companies operating in the European Union are not permitted to send personal data to "third countries" outside the European Economic Area, unless they guarantee adequate levels of protection.
However, in October 2015, the European Court of Justice declared Safe Harbor invalid in a case brought by Austrian citizen Maximillian Schrems regarding Facebook's processing of his personal data. The court found that the "United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred."
Since then, the EU has been pressing the US for a mandatory reporting system for companies to declare the number of requests for access to data by the intelligence agencies. US negotiators have so far resisted the idea.
However, the stumbling block has been the amount of independent scrutiny there is of the data held on US servers and how access to it for surveillance purposes can be controlled. The EU has stricter laws on the oversight of intelligence agencies than the US.
"We need guarantees that there is effective judicial control of public authorities' access to data for national security, law enforcement and public interest purposes," EU Justice Commissioner Vera Jourova said at a conference in Brussels.