The United States and the European Union reached a preliminary agreement to allow data about Europeans to be stored on American soil, averting a growing threat to the trans-Atlantic operations of thousands of companies.
The agreement, announced Friday by President Biden and European Commission President Ursula von der Leyen, has the potential to resolve one of the most contentious outstanding issues between the two economic behemoths. It also allays the fears of companies such as Meta Platforms Inc. and Alphabet Inc.’s Google, which were facing mounting legal challenges to data transfers that underpin some of their European operations.
In 2020, the EU’s top court ruled that an earlier agreement governing trans-Atlantic data flows was illegal. This was the second time since 2015 that the EU’s Court of Justice ruled that US safeguards on Europeans’ data were insufficient. The court ruled that the US did not provide EU citizens with an effective way to challenge the US government’s surveillance of their data.
Officials and observers on both sides of the Atlantic anticipate that any new agreement will be challenged in court, raising doubts about how long Friday’s agreement will last.
Mr. Biden and Ms. von der Leyen did not elaborate on how the new agreement would function and withstand legal challenges. The question in the talks has been whether the United States could persuade the EU—and its top court—with new administrative appeals mechanisms for Europeans without changing U.S. law, which would require congressional approval, according to people briefed on the talks in recent months.
Mr. Biden stated that the framework “underpins our shared commitment to privacy, data protection, and the rule of law,” and that it would allow EU authorities to “reauthorize trans-Atlantic data flows that help facilitate $7.1 trillion in economic relations with the EU.”
According to Ms. von der Leyen, the agreement “will enable predictable and trustworthy data flows between the EU and the US, while protecting privacy and civil liberties.”
If it is successful, the data agreement will put an end to one of the last major stumbling blocks in US-EU relations in recent years. Over the past year, the two sides have reached an agreement to end their long-running dispute over Airbus SE and Boeing Co. subsidies, reached an agreement to end US steel and aluminum tariffs, and have increasingly aligned their positions on China’s economic practices.
“Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative new ways to bring our economies and people closer together on shared values,” Mr. Biden said in Brussels, standing alongside Ms. von der Leyen.
If the agreement is approved, it will be a major victory for thousands of companies in a variety of industries that transfer data from the EU to the US, many of which have warned in securities filings about potential disruption if they are forced to cut off trans-Atlantic data flows.
The ability of businesses to use U.S.-based data centers to do things like sell online ads, measure website traffic, or manage company payroll in Europe has been in jeopardy.
The agreement reached on Friday is especially important for major U.S. technology companies, which have urged diplomats to reach an agreement to avoid a growing number of cases in which European privacy regulators have ordered them or their clients to halt data transfers to the United States.
In France and Austria, regulators recently ordered certain websites to stop using Alphabet’s Google Analytics service, citing a 2020 EU court decision, because it sends information about users’ internet addresses to the United States, where the regulators say it could be requested by government agencies. Similar cases are being prosecuted in other EU member states.
Ireland’s Data Protection Commission has also been finalizing a draft order under EU court precedent that could have forced Meta Platforms’ Facebook to stop sending certain data about its users to servers in the United States, fearing that it would be intercepted in surveillance requests. Meta has warned that if the order is carried out, it may force it to discontinue some of its services in Europe.
However, privacy lawyers and experts believe that such orders would be preempted by the new EU-US agreement—at least until a new court battle is fought—because any agreement would have to address the same concerns raised by the EU court in 2020.
The deal is “going to be a big relief to many companies,” according to Jay Modrall, a partner at law firm Norton Rose Fulbright in Brussels, though he adds that it is also likely to be challenged again.
On Friday, tech companies such as Google and Meta praised the deal. According to the Computer & Communications Industry Association, which represents companies such as Amazon.com Inc. and Apple Inc., the agreement will “restore legal certainty for thousands of businesses that routinely transfer commercial data between the EU and the US.”
“With growing concern about global internet fragmentation, this agreement will help keep people connected and services running,” said Meta’s vice president of global affairs, Nick Clegg, on Twitter.
In recent years, major economies such as China and India have considered privacy rules requiring businesses to keep data within national borders for national-security and data-protection reasons. In Europe, the dispute over data transfers compelled some U.S. companies to relocate data or facilities to the bloc as well.
While many U.S. companies, including Microsoft Corp., claim to already comply with EU privacy standards, the pending agreement will clear the air for customers concerned about whether their personal information will be monitored, according to Julie Brill, the company’s chief privacy officer.
“This will begin to build those bridges and the confidence that they require,” Ms. Brill explained.
The agreement announced on Friday is the latest attempt to resolve more than two decades of wrangling over how to balance privacy and commerce in trans-Atlantic data flows. While some lawyers and lobbyists in the United States are optimistic that the new agreement will withstand legal scrutiny, some in Europe believe that any agreement that does not include changes to U.S. surveillance laws is unlikely to pass muster with the EU’s Court of Justice.
“We had a purely ‘political agreement’ called #PrivacyShield in 2015 as well – but it lacked basic legal underpinning and was dead on arrival,” Max Schrems, the Austrian lawyer and privacy activist who spearheaded the cases that struck down two previous agreements called Safe Harbor and Privacy Shield, said on Twitter ahead of the deal.