Irish regulators have hit Meta with the largest fine in the history of the General Data Protection Regulation (GDPR)—shining a spotlight on personal data transfers to the United States.

Key Takeaways

  • GDPR demands that organizations transferring personal data outside the European Union ensure an equivalent level of protection in the importing country. The United States is considered a particularly risky destination for data transfers because of U.S. intelligence agencies' and law enforcement's potential access to personal information in scope of the GDPR.
  • The Irish regulators' decision is extraordinary because it demonstrates that the EU Standard Contractual Clauses (SCCs), a widely used contractual solution to protect transferred data, in addition to certain supplementary measures, are not in all cases sufficient to meet GDPR requirements in cases of high-volume data transfers.
  • Businesses should assess whether and to what extent supplementary measures may be necessary to provide an equivalent level of protection for personal data transferred to the United States.

On May 22, 2023, the Irish Data Protection Commission (IDPC) announced a nearly $1.3 billion fine against the Irish affiliate of Meta, the parent company of Facebook, for unlawfully transferring the personal data of individuals subject to the General Data Protection Regulation (GDPR). The IDPC decision could have major consequences for other platforms and companies that transfer personal data from the European Union/European Economic Area (EU) and the United Kingdom to the U.S., even for organizations that transfer far less personal data to the U.S. than Meta, and especially for organizations transferring health-related and other sensitive personal data.

The IDPC found that Meta's reliance on the SCCs, along with supplementary measures designed to provide additional safeguards for personal data transferred to the U.S., was not sufficient to address GDPR obligations and subsequent court interpretations, particularly regarding U.S. intelligence agencies' access to personal information, a factor that courts have noted cannot be addressed by the SCCs alone. Notably, the imposed fine is the largest levied since the GDPR came into force in 2018. The decision notes that the size of the fine was calculated based on the volume of personal data transferred and Meta's negligence on the matter, as well as the intent to dissuade similar infringements.

GDPR demands that organizations transferring personal data outside the EU ensure an equivalent level of protection. The Meta case underscores the critical importance of implementing adequate safeguards when transferring personal data from the EU and UK to the United States and other jurisdictions that have been determined by EU regulators to not have sufficient data privacy protections.

SCCs are a widely recognized mechanism for legitimizing international data transfers under the GDPR. They are contractual agreements that set out specific data protection obligations between the data exporter (the business transferring the data) and the data importer (the business receiving the data). SCCs are intended to provide contractual assurances that the personal data and rights of the data importer and data subjects will be adequately protected in the recipient country, even without a decision by the EU Commission certifying the recipient country's data protection regime. For example, the data exporter must alert the data importer and take all available legal action to protect the privacy of the data if there is any effort by the U.S. government to subpoena or otherwise access the data.

While SCCs are a valuable tool, the Meta case highlights that their mere existence may not be sufficient to ensure compliance. Even smaller U.S. businesses, which often rely on SCCs to conduct their data transfers, should consider whether adopting or expanding supplementary data protection measures is necessary to ensure compliance and mitigate the risk of regulatory scrutiny and enforcement actions. Such measures may include technical safeguards such as encryption and pseudonymization, as well as limitations on government access to data. In addition, businesses should proactively conduct Transfer Impact Assessments (TIAs) when transferring personal data from the EU, to help identify and address potential privacy risks and to demonstrate a commitment to data protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.