Record € 1.2 billion fine for Meta for non-GDPR-compliant data transfer to the US

  • Author: Ioanna Zacharopoulou
  • Last updated: July 2023
  • Category: Enforcement

A previous newsletter covered the new EU – US Data Privacy Framework (“DPF”), which would act as a remedy for the abolition of the “Privacy Shield” in 2020 and facilitate data transfers from and to the United States. However, negotiations between the US authorities and the EU organs have still not been completed; on the contrary, it would seem that the road to reaching an agreement is rather bumpy.

Proof of that is the record € 1.2 billion fine imposed by the Irish Data Protection Commission (“DPC”) on May 22, 2023 as a measure to stop transfers of Facebook users' data from the EU to the US. Meta received the fine because it could not provide sufficient proof that the data of Facebook users could not be accessed by US intelligence agencies. Meta was also given 5 months to stop transferring data collected by Facebook from the EU to the US and an additional 6 months to delete the EU data already transferred to the US.

It is highly likely that Meta will appeal the decision. However, within the period set for Meta to remedy its non-compliance with the GDPR, the EU organs and the US authorities could agree on a Data Privacy Framework for data transfers that would nullify it. Until then, the decision sets an example for all US companies to implement the appropriate technical and organizational measures to safeguard international transfers and to sign the corresponding Standard Contractual Clauses with their counterparties in the EU.

The press release on the DPC's decision can be found here.
