[akerl_]

Which agreement between the US and EU mandates this?

[nabla9]

EU-U.S. and Swiss-U.S. Privacy Shield Framework.

It came to effect 2016 and replaced the Safe Harbor agreement.

[akerl_]

"While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law."

From https://www.privacyshield.gov/Program-Overview

[nabla9]

U.S companies have option to either do legally binding self-certifications or outside compliance reviews.

If they don't do that, they have no authority to collect data from EU Citizens (no user accounts or customers from EU).