How US Companies Balance GDPR Compliance with International Data Transfers

September 13, 2023

In May, the Irish Data Protection Commission levied a hefty $1.3 billion fine against Meta — the parent company of Facebook and Instagram — for transferring data from Ireland to the U.S. in a manner that was not compliant with the EU’s General Data Protection Regulation (GDPR). Trans-Atlantic data transfers to the U.S. have been a rather nebulous prospect since 2020 when the Court of Justice of the European Union nullified the EU-U.S. Privacy Shield, which outlined rules for consumer data transfers outside of Europe.

However, in July, we saw the adoption of the long-awaited EU-U.S. Data Privacy Framework (DPF) commenced, which addressed concerns related to U.S. intelligence access to European consumer data and created the Data Protection Review Court that will address consumer complaints should intelligence agencies gain access to EU consumer data. Now, companies that earn DPF certification can legally transfer consumer data to the U.S.