Ireland’s Data Protection Commission (DPC) has announced its final decision in an inquiry into 12 data breaches reported by Facebook in 2018. Facebook’s parent company, Meta, has been fined €17 million ($18.6 million) for infringing Articles 5(2) and 24(1) of the EU’s General Data Protection Regulation (GDPR).
Meta and Facebook have their European headquarters in Dublin, Ireland, which makes the DPC the lead supervisory authority for cross-border complaints and breach notifications concerning the company under the GDPR’s one-stop-shop mechanism. Between June 7, 2018, and December 4, 2018, the DPC was notified of 12 data breaches at Facebook. The DPC launched an inquiry in 2018 in response to those notifications and sought to establish whether there had been violations of Articles 5(1)(f), 5(2), 24(1), and 32(1) of the GDPR.
“As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” explained the DPC.
While the DPC was the lead supervisory authority in the investigation, the other concerned supervisory authorities in the EU were co-decision makers. When the DPC circulated its draft decision, two of those supervisory authorities raised objections, which the DPC was able to resolve to reach a consensus for its final decision.
Meta sought to downplay the financial penalty and stressed that the fine was not imposed for failing to protect the privacy of Facebook users. “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” said a Meta spokesperson. “We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
The financial penalties for GDPR violations can be substantial: for infringements of this kind they are capped at €20 million or 4% of global annual turnover, whichever is greater. For a company the size of Meta, which had ad revenues of $32 billion in the last quarter of 2021 alone, the maximum fine would have been considerable. The fine is comparable in kind, though not in size, to the penalty imposed on Twitter in 2020 for administrative failures related to its data breach, which saw a financial penalty of €450,000 ($550,000) imposed. The penalty for Meta was likewise imposed for administrative failures rather than for the breaches themselves; Meta’s far higher turnover and the 12 data breaches, as opposed to the single breach at Twitter, are likely to have been considered when determining an appropriate financial penalty.
Many tech firms have their EU headquarters in Ireland. The DPC has been criticized for its handling of GDPR complaints and is being sued by Irish Council for Civil Liberties (ICCL) senior fellow Dr. Johnny Ryan over its delay in investigating Google’s real-time bidding system. Dr. Ryan has also filed a complaint with the European Commission over its failure to monitor the application of the GDPR by EU member states. Many complaints alleging GDPR violations are still outstanding against Facebook and against other tech firms headquartered in Ireland.
When the DPC announced the Meta GDPR fine, it also drew attention to a statistics report it has released on the cross-border complaints it received between May 25, 2018, and December 31, 2021. The report shows the DPC received 1,150 valid cross-border complaints and has so far resolved 65% of them in its capacity as lead supervisory authority, including 82% of the complaints from 2018 and 75% of the complaints from 2019. The DPC explained in the report that a large share of the remaining complaints are open because they are tied to an ongoing inquiry and will be closed when those inquiries conclude.