Meta hit with €17 million fine over multiple GDPR breaches

Ireland’s Data Protection Commission (DPC) has hit Meta with a €17 million (£14 million) fine over multiple breaches of GDPR.

The DPC said the decision followed an inquiry into a series of 12 data breach notifications it received between 7 June 2018 and 4 December 2018. The inquiry looked at the extent to which Meta complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the 12 breach notifications.

Following the inquiry, the DPC found that Meta infringed Articles 5(2) and 24(1) GDPR. It found the company failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the 12 data breaches.

Since the processing under examination constituted “cross-border” processing, the DPC said its decision was subject to the co-decision making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers.

The Irish data regulator has been accused in the past of being the “bottleneck” of GDPR enforcement with 160 unresolved complaints. Campaigners claimed that it was hindering pan-European data protection enforcement as a result, with 98% of 164 cases remaining unresolved.

“While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned,” stated the DPC. “Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”

A Meta spokesperson told IT Pro: “This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people's information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”

To put the €17 million fine into perspective, Facebook’s main Irish subsidiary paid an additional €35 million to settle outstanding tax matters in 2020, and the company put over €1 billion aside to cover potential fines from regulatory investigations, according to the Irish Times. Its corporate tax liability rose to €266.3 million from €173.2 million. Its revenue jumped by €6.3 billion to €40.6 billion at Facebook Ireland in 2020, while pre-tax profits rose to €890 million compared to €482 million the previous year.

The amount the company set aside for potential administrative fines from investigations conducted by data protection authorities more than tripled from €302.3 million to €1.02 billion. The company predicted that regulatory matters would be resolved within the next two years.