The Meta Case: A Wake-Up Call for the Biden Administration to Safeguard Transatlantic Digital Trade and American Interests

The Biden administration needs to realize that unless it applies real pressure on the European Union (EU) to take action—and responsibility—for the way its regulators target U.S. firms with its data protection law, then its efforts to use the EU-U.S. Trade and Technology Council (TTC) to define its new approach to transatlantic digital trade will largely come to naught.

The European Data Protection Board’s (EDPB) fine of Meta is both historic for its size—$1.3 billion—and its broader implications in how it could be used to retrospectively target any and all U.S. firms that use a common and EU-legal tool (known as a standard contractual clause (SCC)). The Biden administration has invested considerable time and good faith in the transatlantic relationship. It persevered in the face of French hysterics in the lead-up to the first TTC meeting. It responded to EU concerns about U.S. policies, like those in the Inflation Reduction Act. Yet, time and again, the EU fails to reciprocate.

The United States would not tolerate this type of treatment and blatant trade discrimination from other trading partners, so why does it tolerate it from a supposed ally? It’s time that the Biden administration compels the EU to cease the targeting of U.S. high-tech firms, as the case against Meta is not the end, but the beginning, of a more dangerous phase where all transatlantic digital trade is at risk.

The Biden administration needs to act as the case against Meta is a foundational issue that affects all firms involved in transatlantic digital trade. The EDPB case against Meta is not a response to concerns about “big tech”, “surveillance capitalism”, or social media. Meta’s use of SCCs is par-for-the-course. SCCs are used by firms of all sizes and sectors as they’re the only scalable and widely accessible legal tool available to organizations transferring personal data from the EU to the United States and most of the rest of the world.

The role and value of SCCs are barely recognized and poorly understood by most policymakers. The International Association of Privacy Professionals (IAPP)-EY Annual Governance Report for 2019 surveyed 370 privacy professionals (from the EU and United States), showing that 88 percent reported using SCCs in 2019. A survey of nearly 300 firms—mainly EU firms (75 percent) headquartered across 25 countries, from all major industries, and a mix of company sizes—by Business Europe, DIGITALEUROPE, the European Round Table for Industry, and European Automobile Manufacturers Association found that nearly 85 percent used SCCs, and only 9 percent did not transfer data outside the EU (figure 1). Yet, as the Meta case shows, firms face an increasingly difficult challenge in using SCCs to comply with multiple, and often differing, data governance regimes around the world.

Figure 1: DIGITALEUROPE Survey: SCCs are used to transfer data globally (percent of respondents (n=172) that use SCCs and are aware of which geography they transfer data from the EEA)

The Meta decision provides another tool for European authorities to go service-by-service to target and cut off U.S. services like it has already done with Google, Zoom, and Microsoft. In fact, Meta’s case makes it faster (and thus easier) for the Irish Data Protection Commission to act against other U.S. firms as the case allows it to launch expedited investigations (as an Irish court rejected a Meta challenge against expeditated investigations). This, unfortunately, means that if the Irish Data Protection Commission and the EDPB want to bring more cases against U.S. firms, they can, but with a much faster process.

The Meta case, and broader turmoil over transatlantic data flows, is happening after the EU’s General Data Protection Regulation (GDPR) was supposed to provide a predictable and harmonized approach to data protection. The GDPR was supposed to make things easier. It was supposed to provide a range of tools for firms to transfer EU personal data overseas. Instead, successive court challenges have made it harder and more complex—and without political intervention, the situation will devolve into an irrevocably severed transatlantic digital relationship.

Yet, without genuine pressure from the Biden administration, the EU will inevitably deflect and demur, saying that it is what it is and that the European Commission does not have competency over national security issues like surveillance. The U.S. Department of Justice is already facing this as it engages with the EC on the surveillance reciprocity provisions in the EU-U.S. Transatlantic Data Privacy Framework. The EU can’t be allowed to continue to act as if it can’t act.

While it’s unclear what the Biden administration’s “new economic order” is in practice, surely the EU-U.S. TTC is a central pillar to show how two close, value-sharing partners can work together on trade related issues outside of the World Trade Organization and traditional bilateral trade negotiations and agreements.

The new Transatlantic Data Privacy Framework (TDPF) will hopefully come into force in mid-2023, thus nullifying the EDPB’s order for Meta to stop transferring data to the United States in six months. Yet, the TDPF will inevitably face a court challenge. Meanwhile, the EU and its member states propose and enact more and more measures that cut off data flows or discriminate against U.S. firms, such as via the EU Cybersecurity Certification for Cloud Services, discriminatory technical standards, the AI Act, and the Data Act. They’re doing so unperturbed by the Biden administration’s parallel good-faith efforts to negotiate the TDPF and restart negotiations for an EU-U.S. CLOUD Act/E-Evidence Agreement. They’re also going far faster than the Biden administration could ever respond.

This is why the Biden administration needs to finally step up real pressure on Europe to call time on the cascading efforts to target transatlantic data flows and U.S. firms. The next opportunity to do this is at next week’s TTC meeting in Sweden. Without this high-level pressure, Europe will continue to have it both ways—claiming to work with the United States in getting its issues addressed while simultaneously enacting measures to target U.S. trade and tech.