Close
Login to MyACC
ACC Members


Not a Member?

The Association of Corporate Counsel (ACC) is the world's largest organization serving the professional and business interests of attorneys who practice in the legal departments of corporations, associations, nonprofits and other private-sector organizations around the globe.

Join ACC

What should in-house counsel should know in the wake of the mega fine - 1.2 billion euros – that the Irish Data Protection Commission (DPC) levied against Meta on May 22, 2023 in connection with the company’s transfer of personal information between Europe and the United States? The DPC also ordered Meta Ireland to stop transfers of personal data to the US within five months, and to cease the unlawful processing in the US of personal data of users from the European Union (EU) or European Economic Area (EEA) that was transferred in violation of the EU General Data Protection Regulation (GDPR). Meta announced it would appeal the decision. Beyond Meta, this decision highlights the regulatory landmine that businesses face when transferring personal data between Europe and the United States. 

The Post-Privacy Shield Limbo

This is not the first enforcement action that Meta faced from the DPC in connection with the company’s processing of personal data. In 2022, the DPC imposed more than 600 million euros in fines on Meta under the GDPR, relating to other data processing issues. The fine announced in May 2023 spotlights the lack of reliable frameworks for companies to transfer personal data between Europe and the United States. 

In its 2020 “Schrems II” decision, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, considering that this framework didn’t sufficiently ensure compliance with GDPR. A key concern for the court was US laws allowing public authorities to access and use personal information under surveillance programs. The court considered that the limitations on the protection of personal data arising from such laws were not sufficiently circumscribed.

After Schrems II, a remaining basis for transatlantic transfers of personal data was the Standard Contractual Clauses, the set of model contractual clauses that the European Commission issued and that are available for inclusion in contracts that involve transfers of data from controllers or processors in the EU/EEA (European Union/European Economic Area) to controllers and processors established outside that zone. It is on the basis of such SCCs that Meta was conducting the data transfers that gave rise to the 2023 fine. This leaves businesses in the dark regarding which legal basis and operational measures they can rely upon to transfer personal data from the EU to the US.

What to Watch

Following the invalidation of Privacy Shield, discussions have been ongoing between US and EU authorities toward a new Trans-Atlantic Data Privacy Framework that would place new limits on US intelligence authorities’ access to data, establish a redress mechanism including a Data Protection Review Court, and setting obligations for companies that process data transferred from the EU. In October 2022, US President Biden issued an Executive Order meant to advance a new EU-US framework by introducing new safeguards and control over data collection by US intelligence agencies, and a mechanism for individuals to redress their privacy concerns. 

The recent fine against Meta highlights the relevance of the current discussions toward a new framework. The issue seems increasingly important, at a time when many businesses routinely process large volumes of personal data. Beyond issues related to surveillance programs and national security, new technology available to businesses to process personal information appears likely to render the issue more controversial, and to influence regulatory trends. Artificial Intelligence and other tools introduce new risks and concerns when it comes to how businesses process personal data. 

In the meantime, below are a few steps that in-house counsel should consider taking:

  • Review their organization’s practices and agreements regarding the processing and transfer of personal data outside the EU/EEA to countries that have not been recognized as providing “equivalent safeguards” under Article 46 of GDPR;
  • Assess the legal basis on which the business transfers personal data from the EU/EEA;
  • Review the necessity of transferring personal data from Europe to the US, and the possibility of localizing personal data in Europe; and
  • Monitor the evolution of the EU-US discussions toward a new framework, and whether European courts and authorities will view the framework as sufficient (another decision in the line of Schrems II could challenge the sufficiency of the new framework).

Learn More

Quick Overview: Meta Faces Record GDPR Fine, by Bartosz Marcinkowski, Partner at Domański Zakrzewski Palinka (May 31, 2023)
Meta Fined EUR 1.2 Billion for Violating GDPR, by Charlotte H N Perowne, Huw Beverley-Smith, Jeanine E Leahy, from Faegre Drinker Biddle & Reath LLP (May 22, 2023) (faegredrinker.com)
Meta Ireland fined record €1.2bn and ordered to suspend EU-US data transfers, by Debbie Heywood, from Taylor Wessing (May 22, 2023) (taylorwessing.com)
Irish Regulator Fines Meta 1.2 Billion Euros and Orders it to Cease Data Transfers to the U.S. | Privacy & Information Security Law Blog (May 22, 2023) (huntonprivacyblog.com)
Key Takeaways from the Irish DPC and EDPB decisions on Facebook Data Transfers, by Ruth Boardman, from Bird & Bird (May 23, 2023) (twobirds.com)
Meta fined GDPR-record 1.2 billion euros in data transfer case, by Jedidiah Bracy (iapp.org)
FAQs – EU-U.S. Data Privacy Framework Updates (1-4) | Privacy Shield
EU-US data transfers: key lessons from Meta’s record-breaking GDPR fine, by Samantha Gilbert - Lexology Pro
Meta’s response to the fine: Our Response to the Decision on Facebook’s EU-US Data Transfers | Meta (fb.com)

Connect with In-house Peers

This page was published on May 24, 2023 and updated on May 26, 2023.

Region: Global, Europe, European Union, United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.

You may also be interested in

ACC
ACC Global Headquarters
1001 G Street NW
Suite 300W
Washington, D.C. 20001 USA

Contact Directory

Explore ACC
Privacy & Other Policies © 1998-2024, Association of Corporate Counsel. All Rights Reserved.

This site uses cookies to store information on your computer. Some are essential to make our site work properly; others help us improve the user experience.

By using the site, you consent to the placement of these cookies. For more information, read our cookies policy and our privacy policy.

Accept