Transfers to the US raise highest GDPR fine to date

For an outlook of the latest development as at July 2023 in relation to transfers to the US, please read our article about the New EU adequacy decision allowing personal data transfers to US self-certified entities!

What happened?

On 12 May 2023, the Irish Data Protection Commission (the “Irish DPC”) imposed a EUR 1.2 billion record fine on Meta Platforms Ireland (“Meta IE”) and ordered compliance measures to be taken by the latter as a result of infringements of the GDPR1 . Based on the EDPB’s binding dispute resolution decision of 13 April 20232 , the Irish DPC imposed sanctions on Meta IE because of the massive transfers of personal data from the EEA to the United States (“US”) related to the management of its Facebook platform, such transfers being considered as infringing the GDPR.

Beyond the record fine (highest fine to date under the GDPR), this decision has brought the issue of data transfers from the EEA to the US back into the spotlight.

What are the key takeaways?

Meta IE was arguing that the transfers of the Facebook EU users’ personal data to servers located in the US relied upon (i) the EU Standard Contractual Clauses (the “SCCs”) adopted by the European Commission and (ii) supplementary measures.

Since the Schrems II ruling of the Court of Justice of the European Union (“CJEU”)3 and the invalidation of the EU-US Privacy Shield Framework, the transfer of personal data from the EEA to the US has become a sensitive issue. Even if the CJEU reaffirmed the validity of the SCCs, data exporters are, however, responsible for assessing whether the legal standards in the country of the data importer allow for a level of data protection equivalent to that existing in the EU.

Where those standards are not met, data exporters must either provide additional safeguards ensuring that data subjects receive essentially equivalent protection to EU law or suspend the transfer of personal data.

The Irish DPC first found that US law does not provide an essentially equivalent level of protection to that provided in the EU, and that the SCCs relied upon by Meta IE cannot compensate for the inadequate protection.

The Irish DPC then decided that Meta IE failed to implement supplementary measures compensating for the inadequate protection provided by US law (the supplementary measures must not merely “mitigate” the deficiencies in US law). In particular, the Irish DPC criticises Meta IE for failing in its duty of care and for acting at least with the highest degree of negligence.

The fine was accompanied by an order requiring Meta IE to suspend any future data transfers to the US within five months from the date of notification of the Irish DPC’s decision (i.e. until October 2023) and cease, within six months of such date of notification (i.e. until November 2023), the unlawful processing, including storage in the US of personal data of EEA users transferred in violation of the GDPR.

What’s next?

On 22 May 2023, Meta IE already stated on Facebook that it would appeal the decision and underlined that the decision from the Irish DPC “sets a dangerous precedent for the countless other companies transferring data between the EU and US.”

It is true that for the purpose of legal certainty, it is now crucial that transfers of personal data from EEA to the US rely on a stable transfer mechanism.

As indicated in a previous publication, on 13 December 2022, the European Commission issued a first draft adequacy decision on a potential upcoming EU-US Data Privacy Framework.

On 28 February 2023, the EDPB rendered a mixed opinion on this draft adequacy decision4 . The EDPB noted the substantial improvements that the new EU-US Data Privacy Framework offers compared to the previous legal framework, in particular with respect to the introduction of the principles of necessity and proportionality, and the individual redress mechanism for EU data subjects. However, the EDPB considers that certain topics such as the “temporary bulk data collection” require further clarification, and invites the European Commission to amend the draft adequacy decision based on its Opinion.

Let’s hope that the coming months will see the adoption of an amended, solid and durable adequacy decision with respect to the EU-US Data Privacy Framework so that transfers of personal data from the EEA to the US are no longer synonymous with risks for data controllers and data subjects!

Indeed legal certainty in transfers of personal data presupposes that neither the EU-US Data Privacy Framework nor the adequacy decision mentioned above would be challenged.

Read this next:

Data Transfers: US Executive Order and EU Commission draft adequacy decision

Deadline to adopt the new EU Standard Contractual Clauses for transfers

EDPB Recommendations 01/2020 and 02/2020 on transfers of personal data after Schrems II

1 GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679).
2 Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR). EDPB stands for European Data Protection Board.
3 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) – Case C-311/18, 16 July 2020.
4 EDPB Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework adopted on 28 February 2023.

Related expertise