Ireland DPA orders Meta to stop using SCCs for data transfers to the US

Ireland’s Data Protection Commission (DPC) has today announced a €1.2 billion fine for Meta following an inquiry into its Facebook service. The fine, which is the largest GDPR fine ever issued, is supplemented with an order to stop relying on European Commission standard contractual clauses (SCCs) to send data to the United States.

Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice and a PL&B Correspondent, said:

“This is a rare case of the first billion euro fine under the GDPR being the least important part of the story. The DPC’s ruling that the standard contractual clauses are not a valid mechanism to transfer personal data to the US will have a significant impact on the ability of organisations of all shapes and sizes to lawfully share and receive data from Europe. It will also kick off a race against time for lawmakers to finalise the EU-US data transfer framework before the end of the six-month transition period that the DPC has given Meta to bring its transfers into compliance.”

Andrea Jelinek, EDPB Chair, said: “The EDPB found that Meta IE’s [Meta Platforms Ireland Limited] infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”

The EDPB, through its binding dispute resolution decision, instructed Ireland’s DPA to amend its draft decision. The EDPB says that, given the seriousness of the infringement, the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum.

See: EDPB - Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR)

PL&B’s 36th International Conference has a speaker from Ireland’s Data Protection Commission and the European Commission. In a separate session on the EU-US Data Privacy Framework and its implementation, there will be speakers from the US Department of Justice and, from France, the CNIL’s Commissioner for International Affairs.