On 7 July 2022, the Irish Data Protection Commission (Irish DPC) issued a draft decision to prohibit Facebook owner Meta from transferring personal data from Europe to the United States.
That draft decision was issued further to an “own volition” inquiry initiated by the Irish DPC regarding Meta’s transfer of personal data to the U.S.
Pursuant to the GDPR, data exporters shall put in place appropriate safeguards for transfers of personal data to countries or international organisations located outside the EEA.
Such a transfer of personal data may take place where the European Commission has decided that the third country or the international organisation in question ensures an adequate level of protection, by issuing an adequacy decision. In such cases, transfers of personal data to that third country or international organisation may take place without the need to implement any further measures1.
In case no adequacy decision has been issued, data exporters may rely on another mechanism provided by the GDPR to transfer the personal data, such as the Standard Contractual Clauses adopted by the European Commission (SCCs), binding corporate rules or an approved certification mechanism together with binding and enforceable commitments2.