Meta, the owner of Facebook, has received a €1.2bn (£1bn) from Ireland’s Data Protection Commission (DPC) for failing to protect user data when it gets transferred from Europe to the US.

The fee is the biggest issued under the GDPR, the regulations of which set the standards that companies must adhere to when sending data beyond EU borders.

Meta have said they will appeal against the decision, calling it “unjustified and unnecessary”. Standard Contractual Clauses (SCCs) are at the heart of the ruling – these are the legal contracts that the EC formulates to see that private user data is afforded the same level of protection outside of Europe as within it.

However, anxieties linger over the actual standard of this protection. Critics say that European data is put at risk when it enters the US, where privacy laws are not as tight, and where the US government could gain access to private information.

Many big organisations send data all around the world on a daily basis, whether it’s information on email addresses, contact details or financial info. Each of these transfers is dependent on SCCs.

Facebook’s president Nick Clegg said:

“We are…disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.

”This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US”

Caitlin Fennessy, of the International Association of Privacy Professionals, said:

”The size of this record-breaking fine is matched by the significance of the signal it sends.

”Today’s decision signals that companies have a whole lot of risk on the table. It could make EU companies demand US partners stored data within Europe - or switch to domestic alternatives”, she added.

The European Court of Justice (ECJ) has often highlighted US shortcomings in comparison to data protection standards in Europe. In 2020, the ECJ issued a ruling that invalidated a transfer deal between Europe and the States. This ruling was followed up by the ECJ saying that transferring data to any third country was legitimate as long as “adequate” levels of data protection could be guaranteed. Now Meta have been found guilty of failing to adhere to those standards.

Austrian privacy campaigner and lawyer, Max Schrems has long been locked in a battle with the social media giant for its failure to protect his privacy rights.

Responding to the latest fine, Mr Schrems expressed his happiness at the decision “after ten years of litigation,” but said that the total could have been far greater.

”Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” Schrems said.


Securing the digital supply chain

As data protection frameworks evolve worldwide, it’s never been more important for business owners to stay on top of best practice when it comes to handling personal and privacy data.

The issues central to this debate fall under the microscope in the #RISK Supply Chain zone supported by the largest international Trade Group on LinkedIn, part of the Security Theatre at #RISK London.

Across two days at #RISK London, #RISK Supply Chain zone attendees can follow curated content on the key topics impacting supply chains, and what measures businesses are taking to adapt in these challenging times.

Click to learn more

Risk is now everyone’s business

Risk is now everyone’s business

Taking place October 18 and 19, #RISK London brings high-profile subject-matter experts together for a series of keynotes, engaging panel debates and presentations dedicated to breaking down the challenges and opportunities that businesses face in times of unprecedented change.

Learn more about #RISK London



“#RISK is such an important event as it looks at the broad perspective or risk. Risks are now more interconnected and the risk environment is bigger than ever before.”

Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research


Register your place at #RISK London today