Meta GDPR Fine: €1.2 Billion for Transferring European Data to the US

Ireland's Data Protection Commission fined Meta €1.2 billion — the largest GDPR fine in history — for transferring European users' Facebook data to the US without adequate legal safeguards, after five years of regulatory proceedings.

Meta / Irish DPC · 2023

Background

GDPR restricts the transfer of EU citizens' personal data to countries without adequate data protection laws — including the United States. Meta had been transferring European Facebook data to its US servers under standard contractual clauses that the Irish DPC ultimately ruled were insufficient following the Schrems II European Court of Justice ruling.

The Attack

Meta processed EU Facebook users' data on servers in the United States under the EU-US Privacy Shield framework, which was invalidated by the Schrems II ruling in July 2020. Meta continued data transfers under Standard Contractual Clauses (SCCs). The Irish DPC conducted a multi-year investigation concluding that Meta's SCCs were insufficient given the US surveillance laws that could compel access to the transferred data. After prolonged proceedings and EU-level escalation, the final €1.2 billion fine was issued in May 2023, along with an order to suspend data transfers within 5 months.

Response

Meta appealed the fine and suspension order. The EU-US Data Privacy Framework was adopted in July 2023, providing a new legal basis for transatlantic data transfers. Meta stated it would use the framework to restart compliant data transfers. Both the fine and the suspension order were stayed pending appeals.

Outcome

The €1.2 billion fine dwarfed all previous GDPR fines. It established that the adequacy of data transfer mechanisms is not merely a paper compliance question: the actual legal landscape in the receiving country must be evaluated. The case drove adoption of the EU-US Data Privacy Framework.

Key Takeaways

  1. Data transfer mechanisms must reflect actual legal protections in receiving countries, not just formal compliance documents
  2. The Schrems II ruling invalidated Privacy Shield — assess your EU data transfer legal basis immediately if you have not already
  3. GDPR cross-border data transfer compliance requires legal analysis beyond standard contractual clauses
  4. National security law provisions in receiving countries can invalidate data transfer adequacy arguments