On March 15, 2022, Ireland’s Data Protection Commission (DPC) announced a decision to impose a €17 million fine on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) for violation of the General Data Protection Regulation (GDPR).
Back in 2018, the DPC became aware of potential violations of the GDPR after receiving twelve data breach complaints between June 7, 2018, and December 4, 2018, and launched an investigation.
The DPC examined how Meta complied with the GDPR requirements regarding Articles 5(1)(f), 5(2), 24(1), and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
The DPC’s investigation
As the investigation involved individuals from a number of EU states, the processing of personal data in this matter constituted as cross-border processing.
Accordingly, the DPC engaged other European data protection authorities in the decision-making process, as outlined in Article 60 GDPR.
The investigation uncovered infringements of Article 5(2) and Article 24(1) GDPR, stating that Meta failed to implement appropriate technical and organizational measures to demonstrate security measures implemented to protect personal data of EU users regarding the reported personal data breaches.
The collective decision
German and Polish supervisory authorities raised a few objections regarding the DPC’s decision.
However, they reached a consensus on the matter issuing the decision that represents the collective views of supervisory authorities throughout the EU issuing a €17 million fine to Meta Platforms.
It is still unknown if Meta will appeal the decision. However, a spokesperson for Meta stated,
“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Ireland’s DPC is the lead supervisory authority responsible for overseeing the compliance of Google, Facebook, Apple, and Microsoft, among other tech companies since all have their headquarters in Ireland.
This is the third steep fine issued to the Meta-owned company by the DPC, following the €225 million fine to WhatApp, and €450,000 fine to Twitter, after DPC was often criticized for not adequately dealing with a bottleneck of GDPR complaints, regarding the number of unresolved complaints against Big Tech companies.
This might be a sign of DPC’s effort to calm some of those critics and show its determination to follow through with investigations of tech companies in Ireland.
DPC’s official statement
For more information read the official DPC’s statement: Data Protection Commission announces decision in Meta (Facebook) inquiry