Ireland's Data Protection Commission fined Meta €1.2 billion for continuing to transfer European Facebook users' data to the United States without adequate safeguards — the largest GDPR penalty ever issued.
The decision, issued following the EDPB's binding dispute-resolution process, found that Meta's reliance on standard contractual clauses did not address the risks to EU users' data identified by the Court of Justice in its 2020 Schrems II ruling.
Beyond the fine, Meta was ordered to suspend future transfers and to bring its processing into compliance — an obligation that was ultimately eased by the arrival of the EU–US Data Privacy Framework weeks later.
The case remains the clearest illustration of transfer risk: even the largest companies cannot paper over a transfer mechanism that fails to deliver 'essentially equivalent' protection.
The information contained within this resource does in no way constitute legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.
Need to act on this?
We advise on GDPR compliance, transfers, AI and breach response.