Big fine for Meta shines spotlight on standard contractual clauses

Published: May 24, 2023

When the GDPR first came into force five years ago, the big headline-grabber was the potential for large fines – up to €20m or 4% of annual global turnover, whichever is higher. In recent months we have seen some significant penalties being applied by UK and EU supervisory authorities, and the news this week from the Irish Data Protection Commission was that it had concluded its investigation into Facebook parent company Meta and decided to issue it with an administrative fine of €1.2billion in respect of its data transfers to the US.

While the decision does not affect Meta in the UK, it does highlight the issues that face businesses when trying to find routes to sending data to the US in a GDPR compliant fashion.

The history of data transfers between the EU and the US has been a complex one. Most recently, from February 2016 to July 2020, personal data transfers to the USA from the EU were permitted under a political agreement known as the Privacy Shield. This involved US companies signing up to the Privacy Shield, which committed them to appropriate handling of personal data, with the US Trade Commission monitoring compliance. However, the Court of Justice of the European Union struck down the Privacy Shield in July 2020 following a case brought by Austrian privacy campaigner Maximillian Schrems, on the basis that the US government’s intelligence surveillance programs are not limited to what is strictly necessary and therefore infringe upon data subjects’ fundamental rights.

Following the decision, known as Schrems II, the general view was that companies could only legally continue to transfer personal data to the US on the basis of standard contractual clauses if these were accompanied by supplementary measures, such as encryption prior to transmission, or pseudonymisation. The dangers of getting this wrong are clear – in the Meta Ireland case, Meta even argued that they had used standard contractual clauses together with supplementary measures – but the Data Protection Commission found these to be unsatisfactory. In addition to the fine, Meta Ireland have been ordered to cease transfers of data and processing of data to and in the US.

This decision will make the ongoing negotiations between the EU and the US in terms of a new adequacy framework (which the UK is likely to mirror in some shape) even more key in order to reassure not only EU companies, but also UK companies with business in the EU, that transfers to the US can be carried out lawfully and in compliance with the regulations.