Meta hit with €17 million fine over multiple GDPR breaches
The social media giant set aside over €1 billion in November to help it cope with potential fines arising from data protection investigations


Ireland’s Data Protection Commission (DPC) has hit Meta with a €17 million (£14 million) fine over multiple breaches of GDPR.
The DPC said the decision followed an inquiry into a series of 12 data breach notifications it received between 7 June 2018 and 4 December 2018. The inquiry looked at the extent to which Meta complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the 12 breach notifications.
Following the inquiry, the DPC found that Meta infringed Articles 5(2) and 24(1) GDPR. It found the company failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the 12 data breaches.
Since the processing under examination constituted “cross-border” processing, the DPC said its decision was subject to the co-decision making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers.
The Irish data regulator has been accused in the past of being the “bottleneck” of GDPR enforcement with 160 unresolved complaints. Campaigners claimed that it was hindering pan-European data protection enforcement as a result, with 98% of 164 cases remaining unresolved.
“While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned,” stated the DPC. “Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”
A Meta spokesperson told IT Pro: “This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people's information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
RELATED RESOURCE
Solving big data challenges with Multi-Cloud Data Services for Dell EMC PowerScale
Achieve cost-effective performance at scale and leverage multiple public clouds at the same
To put the €17 million fine into perspective, Facebook’s main Irish subsidiary paid an additional €35 million to settle outstanding tax matters in 2020, and the company put over €1 billion aside to cover potential fines from regulatory investigations, according to the Irish Times. Its corporate tax liability rose to €266.3 million from €173.2 million. Its revenue jumped by €6.3 billion to €40.6 billion at Facebook Ireland in 2020, while pre-tax profits rose to €890 million compared to €482 million the previous year.
The amount the company set aside for potential administrative fines from investigations conducted by data protection authorities more than tripled from €302.3 million to €1.02 billion. The company predicted that regulatory matters would be resolved within the next two years.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.
-
CISA issues warning in wake of Oracle cloud credentials leak
News The security agency has published guidance for enterprises at risk
By Ross Kelly
-
Reports: White House mulling DeepSeek ban amid investigation
News Nvidia is caught up in US-China AI battle, but Huang still visits DeepSeek in Beijing
By Nicole Kobie
-
Latest Meta GDPR fine brings 12-month total to more than €1 billion
News Meta was issued with two hefty GDPR fines for “forcing” users to consent to data processing
By Ross Kelly
-
"Unacceptable" data scraping lands Meta a £228m data protection fine
News The much-awaited decision follows the scraping of half a billion users' data and received unanimous approval from EU regulators
By Rory Bathgate
-
Meta notifies around 1 million Facebook users of potential compromise through malicious apps
News The vast majority of apps targeting iOS users appeared to be genuine apps for managing business functions such as advertising and analytics
By Connor Jones
-
Facebook business accounts hijacked by infostealer malware campaign
News Threat actors are using LinkedIn phishing to seize business, ad accounts for financial gain
By Rory Bathgate
-
Meta begins encrypting Facebook URLs, nullifying tracking countermeasures
News The move has made URL stripping impossible but will improve analytics
By Rory Bathgate
-
Meta says Apple's iOS privacy changes will cost it $10 billion in 2022
News The company's CFO suggests Google "faces a different set of restrictions" because it pays Apple to remain the default iOS search engine
By Bobby Hellard
-
Google, Facebook fined €210 million for making it difficult for users to reject cookies
News Data regulator CNIL gives companies three months to provide a system for refusing cookies that is as easy as single click consent
By Zach Marzouk
-
Meta makes 2FA mandatory for high-risk users
News Journalists and activists must adopt extra protective measure under new rule
By Danny Bradbury