Ireland's Data Protection Commission (DPC), acting as lead supervisory authority, fined Meta Platforms €1.2 billion for transferring personal data of Facebook users from the EU/EEA to the United States in violation of GDPR Chapter V. This is the largest GDPR fine ever issued. The decision followed the Schrems II judgment which invalidated the EU-US Privacy Shield in 2020.
Meta (Facebook) — GDPR Fine for EU-US Data Transfers (€1.2B)
What Went Wrong
Meta transferred EU user data to US servers where it could be accessed by US intelligence agencies under FISA Section 702 and EO 12333. After Schrems II invalidated Privacy Shield, Meta continued US transfers relying on Standard Contractual Clauses without implementing adequate supplementary measures to protect EU data from US surveillance.
Lessons Learned
International data transfers require active monitoring of transfer mechanism validity. Post-Schrems II, SCCs alone are insufficient for US transfers without Transfer Impact Assessments (TIAs). Organizations must assess whether destination country surveillance laws undermine SCC protections.
Source:
Official Enforcement Record ↗