U.S.-EU Data Privacy Deal Faces Key Questions on Surveillance

Proposed protections to restrict U.S. government monitoring could be challenged in court

In Brussels, European Commission President Ursula von der Leyen, at podium, with President Biden. PHOTO: BRENDAN SMIALOWSKI/AGENCE FRANCE-PRESSE/GETTY IMAGES

A preliminary data-transfer deal between the U.S. and European Union outlines a new mechanism for how Europeans can challenge U.S. surveillance but offers few details about the way it would work. The process could be the focus of legal pushback to the pending privacy agreement, which is seen as key for thousands of businesses that move information between the jurisdictions.

Companies and trade groups welcomed the announcement of the deal by President Biden and European Commission President Ursula von der Leyen on Friday. The Trans-Atlantic Data Privacy Framework came after nearly two years of talks pitting the bloc’s privacy safeguards against the U.S. national security apparatus.

The EU high court in 2020 invalidated a previous agreement, known as Privacy Shield, saying that it didn’t meet the bloc’s privacy standards through appropriate guardrails to U.S. surveillance or adequate legal means for Europeans to challenge it. Without Privacy Shield for the past 20 months, businesses faced legal uncertainty in shipping information across the Atlantic for activities such as cloud services, human resources, marketing and advertising.

Data-protection experts and privacy advocates warned that the new deal could face similar legal challenges.

“Once established, the new framework and redress mechanism will be tested by individuals and scrutinized by regulators, courts and the public at large almost immediately,” said Caitlin Fennessy, vice president and chief knowledge officer for the International Association of Privacy Professionals, a trade group.

The yearslong dispute stems from fears that U.S. officials could unlawfully peer into mass troves of personal data collected by technology companies such as Facebook parent Meta Platforms Inc.

The Trans-Atlantic Data Privacy Framework will include “binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate,” European Commission officials said. The White House said the deal will also balance U.S. national-security needs with Europeans’ ability to challenge unlawful surveillance, creating a Data Protection Review Court comprising members outside the U.S. government to review cases and remedial measures.

It is unclear where the new court will sit or under what authority it will be created. The White House didn’t immediately respond to a request for comment.

Washington could address EU concerns through regulatory and executive actions, said Peter Swire, a professor of law and ethics at the Georgia Institute of Technology Scheller College of Business. Administration officials could use such tools to create an independent body within the executive branch of the U.S. government to help police intelligence agencies, which are also overseen by the executive branch. Congress’s attempts to pass a comprehensive national privacy law have stalled for years.

Austrian lawyer privacy advocate Max Schrems at the European Court of Justice in Luxembourg in 2015.

PHOTO: JULIEN WARNAND/SHUTTERSTOCK

“European law requires an independent investigation and adjudication,” said Mr. Swire, a former White House privacy official.

The announcement of the deal Friday came as courts and regulators across Europe have dialed up their privacy enforcement in recent months.

In January, Austria’s data-protection regulator said an unnamed website violated the bloc’s General Data Protection Regulation by using Alphabet Inc.’s Google Analytics, a tool that tracks how people use websites. Google said at the time that it hadn’t received the type of national-security request referenced by regulators during 15 years of operating such services.

Ireland’s Data Protection Commission is preparing a final ruling in a closely watched case that could impede Meta’s ability to share information about European users to U.S. computer servers.

Nick Clegg, Meta’s president of global affairs, applauded the pending data-flows deal on Twitter.

“It will provide invaluable certainty for American and European companies of all sizes, including Meta, who rely on transferring data quickly and safely,” he said.

The potential pact marks the latest chapter of commercial fallout from 2013 disclosures by former National Security Agency contractor Edward Snowden that Washington and its allies conducted mass digital surveillance.

Austrian lawyer and privacy activist Max Schrems successfully argued in court that Facebook’s usage of his personal information exposed it to such surveillance, violating EU privacy safeguards. The ruling invalidated a data-transfer agreement known as Safe Harbor, leading to the creation of Privacy Shield. Mr. Schrems similarly challenged that deal in court in a case known among privacy experts as “Schrems II.”

On Friday, Mr. Schrems said in a statement that he might challenge the new deal if its final details don’t align with EU law.

“In the end,” he said, “the Court of Justice will decide a third time.”

Write to David Uberti at david.uberti@wsj.com