Despite its role in supporting a $7.1 trillion transatlantic digital economy, the legal mechanism that allows for U.S.-EU data flow continues to face a high level of scrutiny by the European Union. The result has been the excessive targeting of American companies. To preserve the ability of American businesses to operate in European markets at all, the Biden Administration must swiftly address this by carrying out the steps outlined in President Biden’s October 2022 Executive Order.
A decision by the European Data Protection Board this week creates a fresh sense of urgency for implementing a new U.S.-EU data flow agreement. Following an inquiry into American company Meta’s compliance with European data protection standards, the Board ordered Meta to cease data transfers between the U.S. and EU. It also levied a retroactive fine of 1.2 billion euros for the period in which data transfers were occurring under a legal mechanism that, until this decision, had been deemed valid by the EU.
The decision further complicates an already tricky legal landscape for companies that transfer data across the Atlantic. Prior to 2020, American businesses relied on the Privacy Shield agreement to legally transfer personal data in compliance with EU law. But that year, the EU’s Court of Justice declared the Privacy Shield to be invalid. Among other concerns, the Court held that the agreement gave too much leeway to the U.S. government to access data while failing to provide European citizens with appropriate redress should they want their personal information erased. This decision left more than 5,300 companies, large and small, which relied on the agreement, to conduct transatlantic trade without a clear path to compliance with the EU’s data protection rules.
However, the 2020 decision did leave intact the ability for companies to use an alternative legal mechanism called Standard Contractual Clauses (SCCs) — pre-approved, standardized data protection clauses in compliance with the EU’s data privacy law, GDPR. Though the Biden administration wants to replace the Privacy Shield with an updated Data Privacy Framework, a deal negotiated with the European Commission in March 2022, SCCs have provided a legal means for businesses to continue data transfers in the meantime. Still, it is essential that the Framework be quickly implemented so that the United States can receive an adequacy decision from the EU, which would provide a broad legal basis for data transfers between the United States and the EU, rather than relying on arrangements made on a business-by-business basis.
That’s why this week’s Meta decision is so troubling. The European Data Protection Board determined that the SCC mechanism failed to address the risks to the fundamental rights and freedoms of data subjects identified by the Court of Justice in striking down the Privacy Shield. This creates a monumental risk for other American companies, thousands of which currently engage in data transfers supported by SCCs. Though Meta was the first to face investigation, this decision opens the door for a litany of ex-post fines for adhering to agreements that are currently recognized by the EU as valid.
Equally troubling is the potential impact on the European digital sector. The Court’s decision continues a pattern of layer after layer of new EU regulations that seem almost intentionally designed to discourage U.S. digital companies from investing and operating in Europe. But in the modern global economy, cross-border transfers of innovation and risk capital are essential for boosting productivity growth. From this perspective, systematic barriers to transatlantic data transfers will likely undercut tech innovation in Europe, with no evidence that the regulation of American companies has spurred growth of European tech firms.
Making matters worse is that this decision makes it unclear whether any company using SCCs is acting in compliance with GDPR, since the issues cited are a matter of the United States’ lack of data protection laws and concerns about the intelligence communities’ access to personal information. This means any company currently transferring personal data to and from the EU could be exposed to large ex-post fines.
There are immediate actions that could be taken by the Biden Administration to address this risk. In October, President Biden signed an Executive Order outlining steps the U.S. must take to implement U.S. commitments under the proposed European Union-U.S. Data Privacy Framework. Given this week’s decision by the European Data Protection Board and its severe implications for American companies, the Biden Administration must prioritize the implementation of the Framework. Without U.S.-EU data flows, we risk a fractured global market for digital services and the deterioration of U.S. companies’ ability to participate in transatlantic digital trade.