Data Transfer Fines: Lessons from Recent Cases

By
The Reform Team
Data transfer fines are no longer just a Big Tech problem. Since 2023, regulators have issued more than €2 billion in penalties tied to cross-border data flows, with Meta, TikTok, and Uber as the clearest examples.

If I had to boil the article down to the main lesson, it would be this: a signed contract is not enough if your data setup still lets people outside the EEA access personal data without the right legal steps. Regulators are checking three things over and over:

  • Where the data goes
  • Who can access it
  • Whether the company can prove its safeguards work in practice

For me, the biggest takeaways are simple:

  • SCCs alone do not fix transfer risk
  • TIAs now matter in almost every non-adequate-country transfer
  • Government-access risk in the U.S. and China keeps showing up in enforcement
  • Orders to stop transfers can hurt just as much as the fine
  • Even normal form flows into CRMs, support tools, and analytics platforms can count as transfers

Here’s the short version of the recent cases:

  • Meta was fined €1.2 billion in May 2023 for EU-U.S. transfers that regulators said SCCs and added safeguards did not fix
  • Uber was fined €290 million in July 2024 over transfers of driver data, including sensitive data, without the right transfer mechanism for more than 2 years
  • TikTok was fined €530 million in April 2025 for access risk tied to China and for not clearly telling users about that access path

Company | Fine         | Main issue                            | Main lesson
Meta    | €1.2 billion | EU-U.S. transfers after Schrems II    | SCCs are only the starting point
Uber    | €290 million | Missing transfer safeguards           | Direct collection by a U.S. parent may still be a transfer
TikTok  | €530 million | China access risk and notice failures | Storage location alone does not settle access risk

What should you do right now?

  • Map every tool that receives form data
  • Check whether any vendor or support team outside the EEA can access it
  • Review SCCs, TIAs, and any extra technical steps
  • Limit the fields you send
  • Recheck transfer paths every quarter

In other words: if you collect EU lead or user data, your routing setup is now a legal issue, not just a tech choice.

[Figure: GDPR Data Transfer Fines: Meta vs. TikTok vs. Uber (2023–2025)]

[Figure: TikTok fined €530m by Irish data watchdog over the transfer of personal data to China]
The Rules Regulators Used in Recent Cases

Recent cases show that regulators aren't just citing the rules. They're checking whether companies applied them the right way. In these actions, enforcement leaned on Chapter V of the GDPR: Article 44 sets the main rule, while Articles 45–49 lay out the transfer tools and the limited exceptions. The derogations under Article 49 are narrow. They apply to isolated cases, not routine data transfers.

SCCs, Supplementary Measures, and Transfer Impact Assessments

Regulators now treat SCCs as a starting point, not the whole answer. If the law in the receiving country undercuts those clauses, SCCs alone don't fix the problem. That comes up when local laws - such as U.S. FISA Section 702 or China's National Intelligence Law - let government authorities access data without a meaningful legal remedy. In that situation, the data importer may not be able to comply with the SCC terms.

So what do regulators expect on top of SCCs? Usually, two things:

  • A Transfer Impact Assessment (TIA): a written, case-by-case review of whether the destination country's legal system lets the importer keep the promises made in the SCCs
  • Supplementary technical measures when the TIA shows a gap: most often end-to-end encryption with decryption keys kept ONLY inside the EEA, pseudonymization at the source, or dataset segmentation

Skipping the TIA, or skipping the supplementary measures it calls for, is the failure pattern that sits behind both the fines and the corrective orders in these cases.

How Regulators Set Fine Amounts and Corrective Orders

When regulators set fines, they look at severity, duration, cooperation, mitigation, and data sensitivity. Those factors help explain why Meta, TikTok, and Uber faced very different outcomes even though the same legal framework applied.

Factor                      | How it affects the fine
Nature and gravity          | Systematic violations or sensitive data push fines into the highest tier.
Duration                    | Violations running months or years compound the penalty significantly.
Cooperation                 | Obstructing investigations or withholding TIA documentation acts as an aggravating factor.
Mitigation                  | Self-reporting promptly and implementing immediate remediation can reduce penalties by 20%–40%.
Data volume and sensitivity | Higher volumes and more sensitive categories increase the starting point.

The fine amount gets the headlines, sure. But in practice, the operational order can hit harder. Regulators can suspend transfers, require deletion, or push a company to switch vendors. For SaaS and marketing teams, that can mean a compliance miss shuts down a core tool overnight, not just lands a fine.

Case Study: Meta's Record Fine for EU-U.S. Data Transfers

In May 2023, the Irish DPC fined Meta Platforms Ireland €1.2 billion and ordered it to stop future EU-U.S. transfers within five months. It also ordered Meta to stop unlawful U.S. processing and storage of EU/EEA data that had already been transferred within six months. For teams that send form data into U.S.-hosted tools, the message is plain: vendor contracts on their own don't fix transfer risk.

What Regulators Found Meta Got Wrong

The DPC said Meta breached Article 46 by continuing EU-U.S. transfers after Schrems II. In the DPC's view, the 2021 SCCs and Meta's extra safeguards did not deal with the risk of access under U.S. surveillance law.

"U.S. law does not provide a level of protection that is essentially equivalent to that provided by EU law." - Data Protection Commission

The EDPB also said that "Meta IE committed the infringement at least with the highest degree of negligence." That's the part form teams should pay close attention to. The issue wasn't just paperwork. Regulators looked at the transfer setup itself and found it fell short. The same pattern shows up in other recent cases.

What Form-Based Teams Should Take Away

"The analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR." - Data Protection Commission

If your team routes EU form data to U.S.-based providers that could face FISA 702 access requests, treat this as a warning shot. A good starting point looks like this:

  • Keep a transfer inventory
  • Run TIAs that focus on government-access risk
  • Use end-to-end encryption or pseudonymization
  • Export only the fields you need

Meta is the clearest example. But the same weak spots in cross-border transfers keep appearing elsewhere too.

TikTok, Uber, and the Patterns Behind Recent Fines

Meta's case isn't an outlier. TikTok and Uber show the same pattern in different ways: access risk, weak safeguards, and poor documentation.

TikTok: Transfers, Transparency, and High-Risk Destinations

In April 2025, the Irish DPC imposed two administrative fines on TikTok totaling €530 million for transfer and transparency failures tied to EU user data that could be accessed by personnel in China. One point mattered a lot: storing data outside China did not remove the access risk. The DPC's concern wasn't whether Chinese authorities had in fact accessed the data. It was whether TikTok could rule out the theoretical possibility of access under China's National Intelligence Law. It couldn't.

The DPC also found that TikTok did not tell users that their data could be accessed from China. That was a separate transparency violation under Article 13. And TikTok's technical safeguards didn't satisfy regulators.

Uber shows a similar issue when the problem is missing transfer controls, not just weak ones.

Uber: Sensitive Data Transfers and Documentation Gaps

The Dutch Data Protection Authority (AP) fined Uber €290 million in July 2024, covering a period of two years and three months - from August 2021 to November 2023. The investigation started after a complaint from more than 170 French drivers.

Uber treated its U.S. parent's direct GDPR exposure as if that replaced transfer safeguards. Regulators didn't buy that. The data at issue included location, ID, medical, and criminal-conviction data. Those categories come with much higher regulatory risk.

Uber also said that because drivers sent data straight to U.S. servers, no "transfer" from Uber B.V. took place. The AP rejected that argument. It ruled that Uber B.V. was the effective exporter because it determined the context of the processing. Uber has since joined the EU-U.S. Data Privacy Framework.

Failure Points That Appear Across All Three Cases

Across all three cases, regulators rejected paper compliance that didn't match the actual transfer chain. Meta used SCCs that couldn't stand up to scrutiny. TikTok relied on technical safeguards that couldn't remove the theoretical government-access risk. Uber used nothing for more than two years because of a mistaken reading of GDPR scope.

That's the pattern: enforcement hits the gap between stated safeguards and actual data flows.

For form-based teams, this matters fast. A lead may look simple at the point of collection, but the moment it moves through a third-party stack, it can turn into a transfer problem. That's the operational lesson for teams that collect leads through forms and route them into third-party systems.

Compliance Steps for Teams That Collect Data Through Forms

The examples above point to the same issue: the data route itself, not just the signed contract, led to the violation. For teams that collect leads through forms, that means one thing first: map every path the data takes before it leaves your stack. Then map every system that touches the form.

Map Every System That Receives Lead Data Before Adding New Tools

Before you connect a new CRM, enrichment service, analytics integration, or any other vendor to your forms, write down:

  • where the system is hosted
  • what legal mechanism covers the transfer
  • whether the form includes any sensitive fields
  • which subprocessors, backup providers, or support teams could also reach that data

"The real test is whether your architecture makes the transfer terms enforceable."

This matters a lot with third-party tracking scripts and enrichment tools that fire the moment someone submits a form. Those tools can send data out on autopilot, and in many cases the marketing team doesn’t even notice it’s happening. Once you can see the full route, tighten access so each destination only gets what it needs.

Use Technical Controls to Limit What Leaves the Original Jurisdiction

After you map the route, cut down what leaves the original jurisdiction. If the architecture still allows open access, the contract won’t save you.

Collect only the fields you need. Encrypt data in transit and at rest. Pseudonymize data when you can. Limit access by role. Route EEA submissions only to approved destinations.

Reform can support this setup. Its conditional routing and integration settings can help send submissions to approved systems. But the legal work still sits with the business: running TIAs, checking whether a vendor’s DPF certification is still active, using the right SCC module when needed, and keeping privacy notices current. Reform is a tool, not a compliance program.

And there’s the catch: those controls don’t stay useful on their own. Teams need to review them on a regular basis.

Conclusion: Transfer Compliance Requires Regular Review, Not a One-Time Fix

The cases here show the same pattern: paper safeguards didn’t match the way data actually moved.

For marketing and SaaS teams, the message is simple. Review your transfer paths at least quarterly. Check that vendor DPF certifications are still active. Update your TIAs when destination-country laws change. Treat transfer compliance like a routine review, not a one-and-done launch task.

FAQs

What counts as a data transfer under GDPR?

Under the GDPR, a data transfer takes place when personal data is sent from an organization in the EU/EEA to a country outside the EU/EEA, or when that data is made accessible there.

That can mean syncing customer data to a non-EU CRM, using an analytics platform that stores data on servers in a third country, or giving remote support access to team members based outside the EU. But here's an important line: a purely theoretical risk of access on its own does not count as a transfer.

When do SCCs require a TIA?

A Transfer Impact Assessment (TIA) is required before personal data is sent outside the EEA when the transfer relies on Standard Contractual Clauses (SCCs) or another Article 46 safeguard.

Put simply, a TIA comes into play when all of these points are true:

  • The data is subject to GDPR
  • The recipient is in a third country
  • The destination does not have an adequacy decision
  • The transfer relies on an Article 46 safeguard, such as SCCs

A TIA is not needed if the destination already has an adequacy decision in place. It also isn't needed when the transfer relies on an Article 49 derogation instead of Article 46 safeguards.
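As an added example that is not code from the original post or from Reform, the routing rule below encodes this FAQ's four-part TIA test together with the earlier advice to send each destination only the fields it needs and to pseudonymize where possible; the destinations, field names, sample submission and key are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not Reform's code. EEA members: data kept here is not a transfer.
EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IS IE IT LV LI LT LU MT NL NO "
          "PL PT RO SK SI ES SE".split())

@dataclass
class Destination:
    name: str
    country: str              # where the system is hosted or accessed from (ISO code)
    mechanism: str            # "adequacy", "dpf", "scc", "art49" or "none"
    tia_done: bool = False    # TIA completed, any gap closed by supplementary measures
    fields: tuple = ("email",)  # only the fields this destination actually needs
    pseudonymize: tuple = ()    # fields replaced by a keyed hash before sending

def transfer_allowed(d):
    # Apply the FAQ's test: may a submission flow to d, and on what basis?
    if d.country in EEA:
        return True, "no third-country transfer"
    if d.mechanism in ("adequacy", "dpf", "art49"):   # no TIA; art49 is for isolated cases
        return True, d.mechanism + ": no TIA needed (verify it still applies)"
    if d.mechanism == "scc":
        return (True, "SCCs backed by a TIA") if d.tia_done else (False, "SCCs without a TIA")
    return False, "no transfer mechanism"

def pseudonym(value, key):
    # Keyed hash: unlinkable without the key, which stays with the EEA exporter
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def route(submission, destinations, key):
    # Per destination: a minimised, pseudonymised payload, or the reason it was blocked
    out = {}
    for d in destinations:
        ok, reason = transfer_allowed(d)
        if not ok:
            out[d.name] = {"blocked": reason}
            continue
        payload = {f: submission[f] for f in d.fields if f in submission}
        for f in d.pseudonymize:
            if f in payload:
                payload[f] = pseudonym(payload[f], key)
        out[d.name] = payload
    return out

# Constructed submission and destinations; names and the key are hypothetical
SAMPLE = {"email": "Ana@example.org", "company": "Acme", "phone": "+49 30 0000"}
DESTS = [Destination("crm", "DE", "none", fields=("email", "company", "phone")),
         Destination("analytics", "US", "dpf", fields=("company",)),
         Destination("enrich", "US", "scc", fields=("email",)),
         Destination("support", "US", "scc", True, ("email",), ("email",))]
```

Running `route(SAMPLE, DESTS, key)` passes the EEA-hosted CRM everything, gives the DPF analytics tool only the company field, blocks the SCC vendor that has no TIA, and hands the U.S. support desk a keyed pseudonym in place of the email.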

Could my CRM or analytics setup create transfer risk?

Yes. Your CRM or analytics setup can create transfer risk if it sends data across borders without a valid legal mechanism.

If EU customer data is stored or processed in a third country, such as the United States, you may need DPF status or SCCs backed by a TIA. A contract by itself may not be enough. Regulators may also expect technical safeguards, such as encryption.
