Transfers of EU citizens' data outside of the EU is treated as a restricted transfer by the GDPR.
The GDPR contains prescriptive requirements of the safeguards and measures which must be put in place before making a restricted transfer to ensure the personal data is transferred to a country or organisation which protects the personal data to the same standard achieved by the GDPR.
One such measure is standard contractual clauses (SCCs), a set of standardised contractual clauses produced by the European Commission containing binding obligations to protect personal data.
The purpose of SCCs is to ensure that personal data transferred across the Atlantic receives equivalent protection afforded by the GDPR.
Meta sought to rely upon SCCs when making the restricted transfer of personal data from the EU to the US concerning its Facebook service.
The EDPB found that the use of the SCCs by Meta did not sufficiently protect personal data to an equivalent standard achieved by the GDPR – primarily due to the US' extensive surveillance laws, which permit US intelligence agencies to access personal data for matters of national security.
In addition to the fine, the EDPB has ordered Meta to bring its data transfers into compliance with the GDPR.