The transfer of personal data to the US still poses significant risks to international organisations, as Meta (formerly Facebook) can attest.

The Irish Data Protection Commission (DPC) has found that the Irish subsidiary of Meta breached the EU GDPR when transferring the personal data of Facebook users to the US. The breach identified by the DPC was a failure to have in place “appropriate safeguards”, which is required when transferring personal data to a non-EU/EEA country, unless an adequacy decision from the European Commission is in place. There is currently no adequacy decision in favour of the US.

Meta transfers the personal data of Facebook users based in the EU/EEA to its US counterpart, where that data is processed and stored. Historically, these transfers were made on the basis of the EU-US Privacy Shield. However, in July 2020, the seminal CJEU case of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) established that Privacy Shield did not offer sufficient protection to data subjects. As a result, Facebook (as it was then) was forced to abandon Privacy Shield and chose to rely instead on the European Commission’s Standard Contractual Clauses, plus certain additional supplementary measures, when transferring personal data to the US.

The recent decision of the DPC indicates that this was still not sufficient to protect Facebook users. This is a key point for many organisations who have – like Facebook – relied on Standard Contractual Clauses pending any other form of adequacy decision being put in place.

The DPC began investigating Facebook’s transfer practices in August 2020 and in the summer of 2022, it shared its draft findings with other EU/EEA data regulators for peer review. All agreed that the transfers breached the GDPR.

The DPC has ordered that Meta Ireland:

  • pays a fine of EUR 1.2 billion,
  • suspends any future transfers of personal data to the US (within five months from the date it was notified of the decision), and
  • ceases processing in the US the personal data of EU/EEA users which was unlawfully transferred (within six months from the date it was notified of the decision).

Meta has stated that it intends to appeal the decision and seek to stay the orders relating to data transfers.

Other companies transferring data between the EU and US will be eagerly anticipating the final outcome of this case, which has essentially become the ‘acid test’ in terms of the legitimacy of such transfer arrangements.
