The Irish Data Protection Commission (DPC) has imposed a €17 million ($18.6 million) financial penalty on Meta to resolve violations of the General Data Protection Regulation (GDPR) related to a string of Facebook data breaches in 2018.
Facebook, and its parent company Meta, have their European headquarters in Ireland, which means the DPC is responsible for investigating complaints and data breaches. Between June 7, 2018, and December 4, 2018, Meta/Facebook notified the DPC about 12 data breaches that involved the personal data of up to 30 million Facebook users. The DPC opened a security-related inquiry in 2018 to determine whether Meta/Facebook had complied with Articles 5(1)(f), 5(2), 24(1), and 32(1) of the GDPR related to the processing of the personal data of EU citizens.
This week the DPC announced its final decision and said its investigation determined Meta platforms infringed Articles 5(2) and 24(1) of the GDPR. The DPC found that Meta Platforms did not have appropriate technical and organizational measures in place to allow the company to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve data breaches.
While the DPC is the lead investigator, Meta/Facebook engages in cross-border processing of data, which means all other supervisory authorities in the EU were involved as co-decision makers. All but two of the supervisory authorities agreed with the DPC’s decision. The DPC engaged with the two supervisory authorities that raised objections and achieved consensus.
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” said a spokesperson for Meta. “We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”
This is not the first financial penalty to be imposed on Meta companies by the DPC for violations of the GDPR. Last year, the DPC imposed a €225 million ($267 million) financial penalty for the failure to comply with GDPR transparency rules with respect to the Meta-owned instant messaging platform WhatsApp., and another draft decision last year suggested a penalty in the range of €28-€36 million ($30.8-$39.6 million) for the tech giant in a draft decision made against the company late last year. While these GDPR penalties are substantial, they are small change for Meta. In the last quarter of 2021 alone, Meta generated $32.6 billion in ad revenue.
The DPC has been criticized for its handling of GDPR complaints and the length of time it takes to investigate potential GDPR violations, especially complaints about big tech firms. The DPC stated in its report that 65% of all cross-border complaints that it has handled since 2018 have now been concluded, including 82% of complaints it received in 2018 and 75% of complaints it received in 2019.