Meta fined EUR 1.2 billion by Irish Data Regulator
09/06/2023

The transfer of personal data to the US is still posing significant risks to international organisations, as Meta (formerly Facebook) can attest to.
The Irish Data Protection Commission (DPC) has found that the Irish subsidiary of Meta breached the EU GDPR when transferring the personal data of Facebook users to the US. The breach identified by the DPC was a failure to have in place “appropriate safeguards”, which is required when transferring personal data to a non-EU/EEA country, unless an adequacy decision from the European Commission is in place. There is currently no adequacy decision in favour of the US.
Meta transfers the personal data of Facebook customers based in the EU/EEA to its US counterpart, where that data is processed and stored. Historically, these transfers were made on the basis of the US Privacy Shield. However, in July 2020, the seminal CJEU case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems established that Privacy Shield did not offer sufficient protection to data subjects. As a result, Facebook (as it was then) was forced to abandon Privacy Shield and chose to rely instead on the European Commission’s Standard Contractual Clauses, plus certain additional supplementary measures, when transferring personal data to the US.
The recent decision of the DPC indicates that this was still not sufficient to protect Facebook users. This is a key point for many organisations who have – like Facebook – relied on Standard Contractual Clauses pending any other form of adequacy decision being put in place.
The DPC began investigating Facebook’s transfer practices in August 2020 and, in the summer of 2022, shared its draft findings with other EU/EEA data regulators for peer review. All agreed that the transfers breached the GDPR.
The DPC has ordered that Meta Ireland:
- pays a fine of EUR 1.2 billion,
- suspends any future transfers of personal data to the US (within five months from the date it was notified of the decision), and
- ceases processing in the US the personal data of EU/EEA users which were unlawfully transferred (within six months from the date it was notified of the decision).
Meta has stated that it intends to appeal the decision and seek to stay the orders relating to data transfers.
Other companies transferring data between the EU and US will be eagerly anticipating the final outcome of this case, which has essentially become the ‘acid test’ in terms of the legitimacy of such transfer arrangements.
By Burness Paull LLP, Scotland, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact ukscotland@transatlanticlaw.com