Facebook - Meta Ireland - no stranger to data protection claims - has been hit with the largest-ever GDPR fine. This arises from the continued transfer of a huge amount of personal data of EU citizens to the USA after the CJEU ruling in 2020 against it in the case brought by Max Schrems. That case saw the invalidation of Safe Harbour.
Even though Meta used the revised standard contractual clauses (SCCs) when they were introduced in 2021 and adopted additional supplementary measures, the Irish Data Protection Commission found that these arrangements were insufficient. So, it has issued a fine of €1.2bn and has told Meta to stop transferring data to the USA. Not surprisingly, Meta has indicated it will appeal.
This will likely cause much introspection about data transfers, with other companies believing they're safe by using the new SCCs. While this ruling doesn't directly affect the UK because of Brexit, UK laws are still harmonised with the EU. So, there's a possibility we will see a similar ruling here too.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.
While Meta effected transfers on the basis of the updated Standard Contractual Clauses in conjunction with additional supplementary measures, the DPC found that these arrangements did not address the risks