BRUSSELS—The U.S. and the European Union reached a preliminary deal to allow data about Europeans to be stored on U.S. soil, heading off a growing threat to thousands of companies’ trans-Atlantic operations.
The deal, announced Friday by President Biden and European Commission President Ursula von der Leyen, could if concluded resolve one of the thorniest outstanding issues between the two economic giants. It also assuages concerns of companies including Meta Platforms Inc. and Alphabet Inc.’s GOOG 0.15% Google that were facing mounting legal challenges to data transfers that underpin some of their operations in Europe.
Hanging in the balance has been the ability of businesses to use U.S.-based data centers to do things like sell online ads, measure their website traffic or manage company payroll in Europe.
An earlier deal authorizing trans-Atlantic data flows was deemed illegal by the EU’s top court in 2020. That ruling was the second time since 2015 that the EU’s Court of Justice had deemed U.S. safeguards on Europeans’ data to be insufficient. The court said the U.S. didn’t provide EU citizens effective means to challenge U.S. government surveillance of their data when it is in the U.S.
The new deal, dubbed the Trans-Atlantic Data Privacy Framework, attempts to address the EU top court’s concerns by establishing an appeals process for EU individuals that includes what the U.S. calls an independent Data Protection Review Court with binding authority to adjudicate claims and impose remedies.
The new U.S. data-protection court, along with a commitment to limit disproportionate signals intelligence collection, will be created via a U.S. executive order, both EU and U.S. officials said.
One issue in the talks in recent months, according to people briefed on their content, has been whether a mechanism that is implemented without a change to U.S. law would satisfy the EU’s top court.
Officials and observers on both sides of the Atlantic expect the new agreement to be challenged in court again, raising some uncertainty about how long Friday’s deal will last.
Mr. Biden said the “framework underscores our shared commitment to privacy, to data protection and to the rule of law” and would allow EU authorities “to once again authorize trans-Atlantic data flows that help facilitate $7.1 trillion in economic relations with the EU.”
Ms. von der Leyen said the agreement “will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties.”
If successful, the data agreement would resolve one of the last big point of contention in U.S.-EU relations of recent years. Over the past year, the two sides have agreed a truce in their long-running fight over subsidies to Airbus SE and Boeing Co. , struck a deal to unwind U.S. tariffs on steel and aluminum and have increasingly aligned their positions regarding China’s economic practices.
“Just like we did when we resolved the Boeing-Airbus dispute and lifted the steel aluminum tariffs, the United States and the EU are finding creative new approaches to bring our economies and our people closer together on shared values,” Mr. Biden said, standing alongside Ms. von der Leyen in Brussels.
The deal, if it stands, would mark a major victory for thousands of companies in an array of sectors that transfer data from the EU to the U.S., many of which have warned in securities filings of potential disruption should they be forced to cut off trans-Atlantic data flows.
Friday’s deal is particularly important for big U.S. technology companies that have called on diplomats to strike a deal to head off more cases in which European privacy regulators are ordering them or their clients to cut off their transfer of data to the U.S.
In France and Austria, regulators citing the 2020 EU court decision have recently ordered certain websites to stop using Alphabet’s Google Analytics service because it sends information about users’ internet addresses to the U.S., where the regulators say it could be requested by government agencies. Similar cases are pending in other EU countries.
Ireland’s Data Protection Commission has also been completing a draft order under the EU court precedent that could have forced Meta Platforms’ Facebook to stop sending certain data about its users to servers in the U.S., because it could be caught in surveillance requests. Meta has warned that such an order, if implemented, could force it to stop offering some of its services in Europe.
But privacy lawyers and experts say such orders would likely be pre-empted or delayed by the new EU-U.S. agreement—at least until a new court battle is fought—because the new framework addresses the same concerns that the EU court raised in 2020.
Jay Modrall, a partner at law firm Norton Rose Fulbright in Brussels, said the deal is “going to be a big relief to many companies,” although he added that the deal is also likely to be challenged again.
On Friday, tech companies including Google and Meta commended the deal. The Computer & Communications Industry Association, which represents companies including Amazon.com Inc. and Apple Inc., said the deal should “restore legal certainty for thousands of businesses that routinely transfer commercial data between the EU and U.S.”
“With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running,” said Nick Clegg, Meta’s vice president of global affairs, on Twitter.
Major economies including China and India in recent years have considered privacy rules that require businesses to keep data within national borders out of national-security and data-protection concerns. In Europe, the dispute over data transfers pushed some U.S. companies to similarly move data or facilities to the bloc.
While many U.S. businesses such as Microsoft Corp. say they already comply with EU privacy standards, the pending agreement will nevertheless clear the air for customers concerned about whether their personal information could be subject to surveillance, said Julie Brill, the company’s chief privacy officer.
“This will start to build those bridges and build the confidence that they need,” Ms. Brill said.
The deal announced Friday is the latest effort to bridge more than two decades of wrangling over how to balance privacy and commerce when it comes to trans-Atlantic data flows. But while some lawyers and lobbyists in the U.S. expressed optimism that the new deal will withstand legal scrutiny, some in Europe have said that they think any deal that isn’t coupled with changes to U.S. surveillance laws isn’t likely to pass muster with the EU’s Court of Justice.
“We had a purely ‘political agreement’ in 2015 too called #PrivacyShield—but it lacked basic legal underpinning and was dead on arrival,” Max Schrems, the Austrian lawyer and privacy activist who spearheaded the cases that struck down two earlier agreements dubbed Safe Harbor and Privacy Shield, said on Twitter ahead of the deal.
—David Uberti and Kim Mackrael contributed to this article.
Write to Daniel Michaels at daniel.michaels@wsj.com and Sam Schechner at sam.schechner@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8