Briefing Pack: SCC Enforcement, CBPR Certifications, and Data Localization Fines
1) Meta Ireland’s Record SCC Enforcement (May 2023)
- The Irish Data Protection Commission (DPC) concluded that Meta Platforms Ireland continued transfers of EU user data to the U.S. on the basis of Standard Contractual Clauses (SCCs) without implementing supplemental measures sufficient to offset U.S. surveillance risks identified in Schrems II.
- The DPC imposed an administrative fine of €1.2 billion, ordered Meta to suspend EU-U.S. transfers of EU/EEA user personal data within five months, and ordered it to cease unlawful processing, including storage, in the U.S. of personal data already transferred in breach of the GDPR within six months.
- The decision followed a binding instruction from the European Data Protection Board (EDPB) after its Article 65 dispute-resolution procedure, underscoring that failures to operationalize SCC safeguards can now trigger blockbuster penalties.
- Compliance takeaways: conduct granular transfer-risk assessments, map onward disclosures to U.S. service providers, and document any encryption, pseudonymization, and policy controls that specifically address FISA 702 and EO 12333 access risks.
2) Swedish IMY Google Analytics Decisions (July 2023)
- Sweden’s Authority for Privacy Protection (IMY) investigated websites using Google Analytics after Schrems II and found that SCCs plus Google’s standard controls did not adequately prevent U.S. government access.
- Tele2 was fined SEK 12 million (about €1.0 million) and CDON SEK 300,000; Coop and Dagens Industri received reprimands but no fines. IMY ordered CDON, Coop and Dagens Industri to stop using Google Analytics; Tele2 had already discontinued the tool on its own initiative before the decision.
- IMY held that IP address truncation and Google's contractual commitments were not sufficient supplemental measures: the truncated IP address is still transferred together with other identifiers, such as the unique cookie-based client ID, so U.S. authorities could potentially still link the data to an individual.
- Compliance takeaways: evaluate whether analytics tools export full IP/device data outside the EEA; if so, prefer EU-hosted analytics or deploy robust proxying and field-level pseudonymization before transfer.
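The takeaway above is easier to act on with a concrete picture of what "IP truncation only" leaves in the event versus what an EEA-side proxy that pseudonymizes and minimizes fields before forwarding removes. The following is an added illustration, not code from IMY, Google, or any of the companies named; the event fields, the sensitive query-parameter list, the HMAC key and the browser-family mapping are all constructed assumptions. The key stays with the EEA operator, so the non-EEA recipient cannot reverse the client-ID pseudonyms or brute-force them the way a plain unkeyed hash could be.

```python
"""EEA-side analytics proxy: field-level pseudonymization before transfer.

Added example (assumptions: event schema, key handling, parameter names).
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed key for the demo. In production it lives in an EEA-controlled
# KMS/HSM and is never shared with the analytics vendor.
PSEUDONYM_KEY = bytes.fromhex("0f" * 32)

# Query parameters that often carry direct identifiers (constructed list;
# tune to the site's real URL conventions).
SENSITIVE_QUERY_KEYS = {"email", "e", "uid", "user_id", "token", "phone", "name"}

# Order matters: Edge UAs also contain "Chrome" and "Safari", Chrome UAs "Safari".
BROWSER_FAMILIES = (("Firefox", "Firefox"), ("Edg", "Edge"),
                    ("Chrome", "Chrome"), ("Safari", "Safari"))


def truncate_ip(ip: str) -> str:
    """Zero the host part: /24 for IPv4, /48 for IPv6 (the granularity that
    analytics vendors' 'IP anonymization' options typically advertise)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 truncated to 16 hex chars.
    Deterministic per key, so sessions still correlate in the analytics tool,
    but unlinkable to the raw client ID by anyone without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def strip_identifying_query(url: str) -> str:
    """Drop query parameters that may carry direct identifiers; drop fragments."""
    parts = urlsplit(url)
    kept = [p for p in parts.query.split("&")
            if p and p.split("=", 1)[0].lower() not in SENSITIVE_QUERY_KEYS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(kept), ""))


def coarse_user_agent(ua: str) -> str:
    """Reduce a full UA string to a browser family to limit fingerprinting."""
    for needle, family in BROWSER_FAMILIES:
        if needle in ua:
            return family
    return "other"


def truncation_only(event: dict) -> dict:
    """The weak setting: IP truncated, everything else (client_id cookie,
    full URL, full UA) forwarded unchanged."""
    out = dict(event)
    out["ip"] = truncate_ip(event["ip"])
    return out


def proxy_transform(event: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """The hardened form: pseudonymize and minimize inside the EEA, then forward."""
    return {
        "client_id": pseudonymize(event["client_id"], key),
        "ip": truncate_ip(event["ip"]),  # or drop entirely if geo is not needed
        "url": strip_identifying_query(event["url"]),
        "user_agent": coarse_user_agent(event["user_agent"]),
        "event": event["event"],
    }


def identifiers_still_forwarded(original: dict, forwarded: dict) -> list:
    """Check which identifying fields left the proxy unchanged."""
    return [f for f in ("client_id", "url", "user_agent")
            if forwarded.get(f) == original.get(f)]


# Constructed sample event (documentation IP range, fictitious host).
SAMPLE_EVENT = {
    "client_id": "GA1.2.1234567890.1700000000",
    "ip": "203.0.113.77",
    "url": "https://shop.example/checkout?step=2&email=a%40b.eu&utm_source=x",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "event": "page_view",
}

if __name__ == "__main__":
    print("truncation only :", truncation_only(SAMPLE_EVENT))
    print("proxy transform :", proxy_transform(SAMPLE_EVENT))
    print("still forwarded :", identifiers_still_forwarded(
        SAMPLE_EVENT, truncation_only(SAMPLE_EVENT)))
```

Running the script shows the point IMY made: with truncation only, `client_id`, `url` and `user_agent` are forwarded verbatim, so the truncated IP buys little. The proxy version is what "field-level pseudonymization before transfer" means in practice; it also guarantees the transformation happens before the data leaves the EEA rather than relying on the recipient's server-side option.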
3) Global CBPR Forum: First U.S. Accountability Agent (March 2024)
- The Global Cross-Border Privacy Rules (CBPR) Forum—successor to the APEC CBPR system—approved BBB National Programs (BBBNP) as the first Accountability Agent authorized to certify U.S. companies under the Global CBPR and Privacy Recognition for Processors (PRP) frameworks.
- BBBNP’s approval means organizations can obtain Global CBPR certifications that are recognized across participating economies (among them the U.S., Canada, Mexico, Japan, South Korea, Singapore, the Philippines, and Chinese Taipei), with the Forum preparing to onboard additional jurisdictions.
- Certification requires demonstrable compliance with baseline privacy commitments: notice, choice/consent where appropriate, data security proportional to risk, access and correction rights, and accountability for onward transfers.
- Compliance takeaways: firms with Asia-Pacific data flows can leverage Global CBPR/PRP certification as an interoperability signal, but should align controls with GDPR/CCPA obligations to avoid siloed programs.
4) Data Localization and Cross-Border Transfer Fines in China (July 2022)
- The Cyberspace Administration of China (CAC) fined Didi Global approximately RMB 8.026 billion (about USD 1.2 billion) for violations of China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law, centered on illegal collection and use of personal information and data-processing activities that CAC said posed serious risks to national security.
- The published decision listed 16 violations, including collection of screenshots from users’ phone albums, clipboard contents and installed-app lists, large volumes of passenger facial recognition and precise location data, and plaintext storage of drivers’ ID numbers; CAC stated that the findings bearing on national security, including how data was handled across borders, would not be disclosed publicly.
- The penalty illustrated China’s willingness to combine personal-information violations with national-security findings to reach billion-dollar fine levels. Note the sequence: the cybersecurity review of Didi began in July 2021, days after its NYSE IPO, and Didi completed its NYSE delisting in June 2022, before the fine was announced.
- Compliance takeaways: multinationals handling Chinese user data should inventory any remote-access channels from abroad, complete CAC transfer risk assessments, and segregate China-hosted datasets with independent access controls and key management.
5) Russia’s Data Localization Enforcement Against U.S. Tech Firms (August 2023)
- Moscow’s Tagansky District Court fined Apple 400,000 rubles for failing to localize Russian users’ personal data on servers located in Russia, enforcing Federal Law No. 242-FZ’s localization mandate.
- The same court has issued larger fines under the same law (e.g., 18 million rubles against WhatsApp in July 2022 for a repeat violation), and Roskomnadzor can separately restrict access to services that do not submit localization notices, underscoring the operational risk of non-compliance.
- Compliance takeaways: companies offering services to Russian residents need a documented localization architecture (Russian-hosted data centers or approved local cloud providers), a retention schedule aligned with Russian law, and readiness for Roskomnadzor inspections and court filings.
Sources and Further Reading
- Irish DPC press release on the Meta SCC decision (May 22, 2023): https://www.dataprotection.ie/en/newsroom/dpc-announces-decision-meta-ireland-impose-administrative-fines-and-ban-personal-data-transfers-usa
- EDPB binding decision summary related to Meta case: https://edpb.europa.eu/news/news/2023/edpb-adopts-binding-decision-concerning-meta_en
- IMY Google Analytics decisions (July 3, 2023): https://www.imy.se/en/news/decisions-on-google-analytics
- BBB National Programs announcement of Global CBPR/PRP Accountability Agent approval (Mar. 28, 2024): https://bbbprograms.org/programs/bbb-national-programs-global-privacy-division
- CAC Administrative Penalty Decision against Didi (July 21, 2022): http://www.cac.gov.cn/2022-07/21/c_1658120771708587.htm
- Reuters coverage of Russian data localization fines (Aug. 15, 2023): https://www.reuters.com/world/europe/russia-fines-meta-apple-data-storage-violations-2023-08-15/