The transfer of personal data to the US is still posing significant risks to international organisations, as Meta (formerly Facebook) can attest to.
The Irish Data Protection Commission (DPC) has found that the Irish subsidiary of Meta breached the EU GDPR when transferring the personal data of Facebook users to the US. The breach identified by the DPC was a failure to have in place “appropriate safeguards”, which is required when transferring personal data to a non-EU/EEA country, unless an adequacy decision from the European Commission is in place. There is currently no adequacy decision in favour of the US.
Meta transfers the personal data of Facebook customers based in the EU/EEA to its US counterpart, where that data is processed and stored. Historically, these transfers were made on the basis of the US Privacy Shield. However, in July 2020, the seminal CJEU case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems established that Privacy Shield did not offer sufficient protection to data subjects. As a result, Facebook (as it was then) was forced to abandon Privacy Shield and chose to rely instead on the European Commission’s Standard Contractual Clauses, plus certain additional supplementary measures, when transferring personal data to the US.
The recent decision of the DPC indicates that this was still not sufficient to protect Facebook users. This is a key point for many organisations who have – like Facebook – relied on Standard Contractual Clauses pending any other form of adequacy decision being put in place.
The DPC began investigating Facebook’s transfer practices in August 2020 and in the summer of 2022, it shared its draft findings with other EU/EEA data regulators for peer review. All agreed that the transfers breached the GDPR.
The DPC has ordered that Meta Ireland:
- pays a fine of EUR 1.2 billion,
- suspends any future transfers of personal data to the US (within five months from the date it was notified of the decision), and
- ceases processing in the US the personal data of EU/EEA users which were unlawfully transferred (within six months from the date it was notified of the decision)
Meta has stated that it intends to appeal the decision and seek to stay the orders relating to data transfers.
Other companies transferring data between the EU and US will be eagerly anticipating the final outcome of this case, which has essentially become the ‘acid test’ in terms of the legitimacy of such transfer arrangements.
Written by
Related News, Insights & Events
Error.
No results.
AI in the workplace masterclass: a practical overview of what employers need to know
19/11/2025
While AI can help employers and employees perform many workplace functions, it can also pose risks in different aspects of a business. Listen to our masterclass session to learn more.
Saxon Woods Investments Ltd v Costa: directors’ duties tighten
11/11/2025
s.172 of the Companies Act 2006 requires directors always to act in the way that they consider would be most likely to promote the success of the company for the benefit of its members.
Payment clauses – still a feature of Scottish dilapidations
10/11/2025
Clear and concise wording is vital in lease agreements. Read a recent Court of Session case involving a high-value dilapidations claim for a property in Glasgow.
{name}
{properties.pageSummary}
{properties.headline}
{properties.pageDate|date:dd/MM/yyyy}
{properties.shortDescription}
