The transfer of personal data to the US still poses significant risks to international organisations, as Meta (formerly Facebook) can attest.

The Irish Data Protection Commission (DPC) has found that the Irish subsidiary of Meta breached the EU GDPR when transferring the personal data of Facebook users to the US. The breach identified by the DPC was a failure to have in place “appropriate safeguards”, which are required when transferring personal data to a non-EU/EEA country, unless an adequacy decision from the European Commission is in place. There is currently no adequacy decision in favour of the US.

Meta transfers the personal data of Facebook customers based in the EU/EEA to its US counterpart, where that data is processed and stored.  Historically, these transfers were made on the basis of the US Privacy Shield. However, in July 2020, the seminal CJEU case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems established that Privacy Shield did not offer sufficient protection to data subjects.  As a result, Facebook (as it was then) was forced to abandon Privacy Shield and chose to rely instead on the European Commission’s Standard Contractual Clauses, plus certain additional supplementary measures, when transferring personal data to the US.

The recent decision of the DPC indicates that this was still not sufficient to protect Facebook users. This is a key point for many organisations who have – like Facebook – relied on Standard Contractual Clauses pending any other form of adequacy decision being put in place.

The DPC began investigating Facebook’s transfer practices in August 2020 and in the summer of 2022, it shared its draft findings with other EU/EEA data regulators for peer review. All agreed that the transfers breached the GDPR.

The DPC has ordered that Meta Ireland:

  • pays a fine of EUR 1.2 billion,
  • suspends any future transfers of personal data to the US (within five months from the date it was notified of the decision), and
  • ceases processing in the US the personal data of EU/EEA users which were unlawfully transferred (within six months from the date it was notified of the decision).

Meta has stated that it intends to appeal the decision and seek to stay the orders relating to data transfers.

Other companies transferring data between the EU and US will be eagerly anticipating the final outcome of this case, which has essentially become the ‘acid test’ in terms of the legitimacy of such transfer arrangements.
