21 Jun DPC fined Meta for unlawful US data transfers
The Irish supervisory authority, the Data Protection Commission (DPC), recently imposed a record fine of €1.2 billion on technology giant Meta for its breach of Article 46(1) of the General Data Protection Regulation (GDPR).
The fine imposed on Meta is the largest ever imposed for a breach of the GDPR and is related to Meta’s transfers of personal data to their US counterpart. This follows the Court of Justice of the European Union’s judgment in the Schrems II case that invalidated the EU-US Privacy Shield in 2020.
Article 46(1) of the GDPR requires that transfers of personal data to a third country be subject to appropriate safeguards to protect the rights and freedoms of data subjects. For example, in the absence of an adequacy ruling, binding corporate rules (BCRs) or Standard Contractual Clauses (SCCs) adopted by the European Commission are considered appropriate safeguards according to Recital 108 of the GDPR.
However, in Meta’s case, the fine was imposed even though transfers took place on the basis of the updated 2021 SCCs and other supplemental measures implemented by Meta. The DPC found that – in the light of the assessment of the data transfers involved – not even the updated SCCs (or any other supplemental measures) could compensate for inadequate protection provided to the data subjects by US law.
In addition to the substantial fine, Meta was also ordered to suspend any future transfers of user data from the EU/EEA to the US and delete or return anything sent to the US since mid-2020.
It is worth noting that Meta has already announced its intention to appeal this decision, so watch this space for more information.
The outcome of any potential appeal process will have significant implications for the future of transatlantic data transfers, and should provide greater clarity as to the measures companies should adopt to ensure compliance with Article 46(1) of the GDPR.
Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.
Through its affiliation with UK law firm Willans LLP, it also provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.