The decision is only binding on Meta's Irish entity and the DPC points out that it is not within its power to make an order to suspend or prohibit transfers to the US generally. However, the message emanating from the EDPB is loud and clear – it has said that the level of the fine should be a "strong signal to organisations that serious infringements have far-reaching consequences".
While Big Tech will undoubtedly be first in line for any further enforcement action around data transfers, the implications are not limited to Big Tech. Meta, according to a statement issued by Nick Clegg and its Chief Legal Officer, has been "singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe". The organisational, technical and legal measures that Meta had implemented were extensive (e.g., policies, encryption of data in transit and challenging government requests for access) but they were nevertheless deemed to be insufficient: they could not prevent access to a user's data that is not supervised by a court and takes place without the user's knowledge, which PRISM, the downstream programme under section 702 of the US Foreign Intelligence Surveillance Act (FISA), allows. To compensate for the deficiencies of US law, a data exporter "must not merely 'mitigate' the deficiencies in US law…but must ensure that data subjects receive essentially equivalent protection to EU law". If the extensive supplementary measures implemented by Meta are not considered to be capable of compensating for the inadequate protection offered by US law, what options are left for other businesses?
Some businesses can show that, in practice, problematic legislation will not apply to their transferred data. The decision is less troublesome for them in that the DPC highlighted that the EDPB Supplemental Measures Recommendations do not exclude a risk-based approach. In Meta's case, the DPC decided that Meta could not rely on a risk-based approach because it could not show that in practice there would be no actual access by surveillance authorities.
Nevertheless, if a company with Meta's resources cannot make up for the privacy shortcomings of US law, it is clear this is a situation that companies cannot address alone and that a political solution is needed.