BRUSSELS—The European Union took a significant step toward finalizing a deal with the U.S. that would allow personal information about Europeans to be stored legally on U.S. soil, reducing the threat of regulatory action against thousands of companies that routinely transmit such information.

The European Commission, the EU’s executive arm, Tuesday published a draft approval of the preliminary deal it struck in March with the U.S. government. The agreement would re-establish a framework that makes it easy for businesses to transfer such information again following the invalidation of a previous agreement by an EU court in 2020.

As part of the new deal, the U.S. is offering—and has started to implement—new safeguards on how its intelligence authorities can access that data.

If concluded, the deal could resolve one of the thorniest outstanding issues between the two economic giants. Hanging in the balance has been the ability of businesses to use U.S.-based data centers to do things such as sell online ads, measure their website traffic or manage company payroll in Europe.

Blocking data transfers could upend billions of dollars of trade from cross-border data activities, including cloud services, human resources, marketing and advertising, if they involve sending or storing information about Europeans on U.S. soil, tech advocates say.

The U.S. in October began implementing the deal on its side, including an executive order signed by President Biden that gave Europeans new rights to challenge U.S. government surveillance.

The deal still isn’t sealed. Before the European Commission can complete its approval of the new agreement—called the EU-U.S. data privacy framework—it will need to consult with a board representing EU privacy regulators as well as EU member states. The European Parliament can also weigh in.

Significant debate is possible in Europe, where some privacy activists have said they expect the new deal to be challenged, and eventually struck down, in EU courts.

Details of the new data deal will be closely scrutinized because two previous data agreements were rejected by the EU’s top court, most recently in 2020, in part because the U.S. failed to give what the court said were actionable rights to challenge U.S. surveillance.

Max Schrems, the Austrian privacy lawyer whose lawsuits led to the EU court’s invalidation of the prior frameworks, said at a conference last month that he finds the U.S. changes to be insufficient.

The European Commission said its decision published Tuesday reflects a conclusion that the updated U.S. legal framework “provides comparable safeguards to those of the EU.”

U.S. companies will be able to join the data privacy framework by committing to comply with a set of privacy obligations such as a requirement to delete personal data when it is no longer needed for its original purpose, the commission said.

As part of the changes the U.S. is implementing, EU citizens will have the opportunity to take complaints about the handling of their personal data to an arbitration panel. The U.S. has also committed that its intelligence agencies will collect only data about Europeans that is necessary and proportionate to protect national security, the commission said.

Didier Reynders, the EU Justice Commissioner, said the U.S. changes “allow the safe transfers of personal data between the two sides of the Atlantic.”

Completing a deal is particularly important for large U.S. technology companies, including Meta Platforms Inc. and Alphabet Inc., that have faced a number of cases where European privacy regulators have ordered or plan to order them or their clients to cut off data transfers to the U.S., citing the 2020 EU court ruling.

One of the most prominent such cases is one that Ireland is preparing, which would order Meta’s Facebook to stop sending certain data about its users to servers in the U.S. Ireland leads EU privacy enforcement for Facebook because the company’s regional headquarters are in Dublin.

Under the EU privacy law’s power-sharing rules, Ireland’s Data Protection Commission in July submitted the draft order to privacy regulators across the bloc, which are discussing potential changes, and it could be officially issued early next year, according to people familiar with the process.

The company has repeatedly warned in securities filings that should it lose the ability to store data in the U.S., it might no longer be able to offer some of its services in Europe. If the Irish order is issued before the EU-U.S. deal is finalized, however, the company could likely delay its implementation by appealing it in court.

Write to Sam Schechner at Sam.Schechner@wsj.com