Irish Watchdog Fines Meta $19m Over Data Breach

Facebook parent company Meta Platforms has been fined €17m ($19m) by Ireland’s data regulator.

The decision by the Data Protection Commissioner (DPC) was based on the results of an inquiry into twelve data breach notifications received by the DPC between June 7 2018 and December 4 2018. 

The probe examined how far Meta Platforms had complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) regarding the processing of personal data relevant to the breach notifications. 

In a statement released Tuesday, the DPC said that the inquiry had found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR.  

“The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” said the DPC.

A spokesperson for Meta Platforms said that its “processes continue to evolve” and that the company would “carefully consider Tuesday’s decision.” 

The spokesperson said that “the fine is about record-keeping practices from 2018 that we have since updated” and that it did not signal a “failure to protect people’s information.”

Due to the cross-border data processing under examination in the inquiry, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR, meaning all other European supervisory authorities weighed in as co-decision-makers.

The Irish data watchdog said that two European supervisory authorities had raised objections to the DPC’s draft decision on the matter, but that consensus had been reached through further engagement.

Consequently, the DPC said its decision “represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”

On Tuesday, the DPC separately published a statistical report on how cross-border complaints should be handled under the GDPR’s One-Stop-Shop mechanism.

The DPC is no stranger to fining social media giants. For example, the commission fined WhatsApp $247m in September 2021 for failing to comply with GDPR transparency regulations and slapped a $547k penalty on Twitter in December 2020 for being too slow to notify Android cellphone users of a data breach.

Leave a Reply