Ireland Fines Meta €1.2 Billion, Orders Halt of Personal Data Transfers to U.S.

Ireland’s Data Protection Commission has fined Meta €1.2 billion and ordered the company to suspend transfers of personal data to the United States within five months, finding that Meta’s transfers violation the EU’s General Data Protection Regulation. The order also requires Meta to delete EU users’ personal data unlawfully transferred to the U.S. and to bring its processing into compliance with the GDPR.

The order arises from the long-running dispute over cross-border transfers of EU residents’ personal data to the U.S. In 2013, privacy advocate (and EPIC Advisory Board member) Max Schrems filed a complaint alleging that Facebook violated EU law when it transferred personal data to the U.S., where surveillance law fails to provide adequate privacy protections or remedies for non-U.S. persons. The dispute ultimately led the European Court of Justice to invalidate both the U.S.-EU Safe Harbor Agreement (in Schrems I) and the U.S.-EU Privacy Shield Agreement (in Schrems II, a case in which EPIC participated as amicus).

Following Schrems II, Meta continued to carry out cross-border data transfers on the basis of “standard contractual clauses,” which purport to provide EU user data with protections equivalent to the GDPR when transferred to other countries. But Monday’s decision—the result of an investigation by the Irish DPC and a recent ruling by the European Data Protection Board—rejected Meta’s argument that these clauses adequately safeguard the fundamental rights of EU data subjects.

The DPC’s order could have major consequences for other platforms and companies that transfer personal data between the EU and U.S. The proposed Trans-Atlantic Data Privacy Framework may provide companies with a legal basis to continue such transfers when the European Commission’s approval is finalized, though concerns remain that the framework fails to provide EU citizens with adequate remedies for unlawful surveillance.