On 22 May 2023, the Irish Data Protection Commission (the DPC) issued a ground-breaking decision, fining Meta Platforms Ireland Limited (Meta) a staggering €1.2 billion penalty for unlawfully undertaking transfers of personal data to the United States (US).

The penalty was a result of an extensive inquiry into Facebook's data practices following the European Data Protection Board’s (EDPB) binding dispute resolution decision under Article 65 of the General Data Protection Regulation (GDPR) and it marks the largest fine ever imposed under the regulation.

The investigation focussed on Facebook's data practices, specifically on the transfers of personal data undertaken by Meta to the US while relying on the EU standard contractual clauses (SCCs) and additional supplementary measures since 16 July 2020. The DPC found that Meta’s reliance on the SCCs and supplementary measures to legitimise its data transfers to the US was not sufficient to address the requirements arising from the Court of Justice of the European Union’s Schrems II judgment.

Additionally, Meta has been ordered to cease any future transfers of personal data to the US within five months of the DPC’s decision and to bring its processing activities into compliance “by ceasing the unlawful processing, including storage, in the US of personal data” of EU and European Economic Area users, within six months of receiving the DPC’s final decision. Failure to comply within the specified timeframe may result in further penalties and legal ramifications.

The DPC's final decision aligns with the EDPB’s binding decision under Article 65(1)(a) of the GDPR, which addressed the objections raised by concerned supervisory authorities and emphasised the need for GDPR compliance through administrative fines and additional orders.

The fine sends a powerful message to organisations that the reliance on the SCCs and additional safeguards cannot fill the legal void created by the Schrems II decision in relation to transfers of personal data to the US, as a consequence of the US surveillance laws.

Overall, the decision sets a precedent for robust enforcement and underscores the importance of data protection and the far-reaching consequences for non-compliance. It further highlights the need for an adequacy decision between the EU and US to help organisations navigate through the increasingly complex puzzle of international data transfers.

The EDPB’s press release can be found here.

The DPC’s press release can be found here.

The DPC’s final decision can be found here.