The transfer of personal data to the US is still posing significant risks to international organisations, as Meta (formerly Facebook) can attest to.
The Irish Data Protection Commission (DPC) has found that the Irish subsidiary of Meta breached the EU GDPR when transferring the personal data of Facebook users to the US. The breach identified by the DPC was a failure to have in place “appropriate safeguards”, which is required when transferring personal data to a non-EU/EEA country, unless an adequacy decision from the European Commission is in place. There is currently no adequacy decision in favour of the US.
Meta transfers the personal data of Facebook customers based in the EU/EEA to its US counterpart, where that data is processed and stored. Historically, these transfers were made on the basis of the US Privacy Shield. However, in July 2020, the seminal CJEU case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems established that Privacy Shield did not offer sufficient protection to data subjects. As a result, Facebook (as it was then) was forced to abandon Privacy Shield and chose to rely instead on the European Commission’s Standard Contractual Clauses, plus certain additional supplementary measures, when transferring personal data to the US.
The recent decision of the DPC indicates that this was still not sufficient to protect Facebook users. This is a key point for many organisations who have – like Facebook – relied on Standard Contractual Clauses pending any other form of adequacy decision being put in place.
The DPC began investigating Facebook’s transfer practices in August 2020 and in the summer of 2022, it shared its draft findings with other EU/EEA data regulators for peer review. All agreed that the transfers breached the GDPR.
The DPC has ordered that Meta Ireland:
- pays a fine of EUR 1.2 billion,
- suspends any future transfers of personal data to the US (within five months from the date it was notified of the decision), and
- ceases processing in the US the personal data of EU/EEA users which were unlawfully transferred (within six months from the date it was notified of the decision)
Meta has stated that it intends to appeal the decision and seek to stay the orders relating to data transfers.
Other companies transferring data between the EU and US will be eagerly anticipating the final outcome of this case, which has essentially become the ‘acid test’ in terms of the legitimacy of such transfer arrangements.
Written by
Related News, Insights & Events
Error.
No results.
The risk landscape in 2026: Key issues and how to manage them
18/03/2026
This event explores key risks facing your organisations and provides practical guidance on what you can do to best protect your business and ensure its resilience.
Legal privilege in Scotland and England and Wales
19/02/2026
The concept of privilege has a crucial role in the legal systems of both Scotland and England and Wales, but there are primary differences in how it works in each jurisdiction.
Reaching through the screen: FCA v HTX breaks new ground with “persons unknown” enforcement
13/02/2026
The Financial Conduct Authority took enforcement action against HTX, using “persons unknown” injunctions to pursue an offshore crypto exchange allegedly breaching UK financial promotions rules.
{name}
{properties.pageSummary}
{properties.eventName}
{properties.pageDate|date:dd/MM/yyyy}{properties.shortDescription}
{properties.headline}
{properties.pageDate|date:dd/MM/yyyy}
{properties.shortDescription}
