Series of Facebook Data Breaches Results in €17m GDPR Fine for Meta
Ireland's Data Protection Commission (DPC) has imposed a €17m ($18.6m) fine on Facebook's parent company Meta for breaches of the General Data Protection Regulation (GDPR) related to a range of Facebook data breaches during 2018.
The fine is linked to twelve data breaches that impacted the private data of approximately 30 million Facebook users between June 7, 2018, and December 4, 2018. Once Meta notified the DPC of these breaches, a security-related inquiry was launched in 2018 to ascertain whether Meta/Facebook had complied with Articles 5(1)(f), 5(2), 24(1), and 32(1) of the GDPR in connection with the processing of the personal data of EU citizens.
This week the DPC announced its final decision and said its investigation determined that Meta Platforms infringed Articles 5(2) and 24(1) of the GDPR. The DPC found that Meta Platforms did not have appropriate technical and organizational measures in place to allow the company to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve data breaches.
Because Meta/Facebook is involved in cross-border processing of data, all EU supervisory authorities were involved as co-decision makers, with Ireland’s DPC as the lead investigator. The decision reached by the DPC was approved by all but two of the supervisory authorities. The DPC then held talks with the two supervisory authorities in question and was able to reach a consensus.
A Meta spokesperson said: “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”
Meta companies have been financially sanctioned by the DPC for violations of the GDPR in the past. In 2021 the group was subjected to a €225m ($267m) fine for failing to adhere to GDPR transparency rules in relation to the Meta-owned instant messaging platform WhatsApp. Though the penalties seem massive, they are a small proportion of the $32.6bn in ad revenue that Meta reported in just the final quarter of 2021.