Meta has been fined $1.3 billion (€1.2 billion) by the Irish Data Protection Commission (DPC) for violating the terms of the EU’s GDPR by continuing to transfer EU users’ data to the US without adequate safeguards.

Meta has failed to “address the risks to the fundamental rights and freedoms” of Facebook's European users, the DPC said in a statement. In addition to the fine, Meta has been given five months to stop the transfer of Facebook data to the US via so-called standard contractual clauses (SCCs).

SCCs have been used by companies to transfer EU data to the US since the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield agreement that was in place to facilitate the flow of data did not sufficiently protect data from US spy agencies. The ruling, in 2020, struck down the agreement and tightened requirements around the use of SCCs, a separate legal tool that was also being widely used by companies to transfer data to the US.

Ireland's DPC noted that in its ruling to strike down Privacy Shield and tighten rules around SCCs, the CJEU said that "Data controllers or processors that intend to transfer data based on SCCs must ensure that the data subject is granted a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights (CFR)."

However, the DPC said that Meta's SCCs do not protect EU citizens' data from US government mass surveillance programs, potentially calling into question the ability of any company to transfer EU citizens' data to the US.

Among other issues, "There were no avenues for either EU or US data subjects to be informed of whether their personal data was being collected or further processed, and no opportunities to obtain access, rectification, or erasure of data," the DPC said.

The “fundamental conflict of law” that exists between the US government’s rules on access to data and the privacy rights of Europeans is not one that Meta or any other business could resolve on its own, Nick Clegg, former leader of the UK's Liberal Democrats political party and current Meta president of global affairs, and Jennifer Newstead, chief legal officer, wrote in a blog post.

He further said that the company was “disappointed to have been singled out” when thousands of other companies had been using the same SCCs and, as a result, Meta will appeal the ruling in addition to what the company described as an “unjustified and unnecessary fine.”

The fine is the largest imposed by a European regulator, eclipsing the $877 million (€746 million) levied against Amazon in 2021 for similar privacy violations.

The requirement to stop the storage of the personal data of EU individuals that it transferred unlawfully is a massive undertaking to carry out, financially, technically and logistically, said Nigel Jones, co-founder of Privacy Compliance Hub, a provider of privacy compliance products. It’s difficult to see how Meta can cease the transfers and bring its processing within the law in the time given.

“[Meta’s] only commercially viable option appears to be to appeal to the courts in an attempt to further delay implementation of the decision,” he said.
“In the meantime it will hope that the EU and the US can agree a mechanism known as the Data Privacy Framework that will enable Meta and other companies to legally transfer the data of EU individuals to the US.”

Replacing Privacy Shield with a new data transfer agreement

Two years after Privacy Shield was ruled invalid, in October 2022, US President Joe Biden signed an executive order that implemented rules for the Trans-Atlantic Data Privacy Framework, the new EU-US data transfer agreement.

However, while the EU Commission concluded in December 2022 that the framework provides privacy safeguards comparable to those of the EU, there are still a number of legislators that need to weigh in on the agreement before it can finally be approved.

Once the European Data Protection Board (EDPB) has given its approval, the EU Commission must then seek approval from a committee comprising representatives from EU member states, as well as the European Parliament, which has a right of scrutiny over adequacy decisions. Only then can the Commission proceed with formally adopting the legislation.

If passed, the framework will mean US companies will have to agree to comply with a detailed set of privacy regulations, including the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. The regulations are essentially supposed to ensure that data flow between the US and EU adheres to the EU's GDPR privacy regulations.