The Irish Data Protection Commissioner has fined Facebook parent Meta €17m for failing to adequately protect users’ data.
The decision follows an inquiry by the Data Protection Commissioner (DPC) into 12 data breach notifications received by the regulator between June and December 2018.
The regulator said Meta “failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data”.
The DPC’s decision represents the first time that Article 60 of the GDPR, which requires all European supervisory authorities to act as co-decision-makers, has been used to resolve a data protection case.
Objections to the DPC’s draft decision were raised by two European supervisory authorities, but consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.
“Accordingly, the DPC’s decision represents the collective views of the DPC and its counterpart supervisory authorities throughout the EU,” said the Irish Data Protection Commissioner.
A Meta spokesperson said: “This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve”
Meta spokesperson
The DPC is the lead regulator for Facebook in the European Union and has primary responsibility for investigating data protection breaches by Facebook and other big tech companies with European headquarters in Dublin.
It has several other investigations into Meta underway.
The Irish High Court dismissed a legal challenge by Facebook in May 2021 against a draft decision by the DPC to suspend Facebook Ireland’s transfer of data about European residents to the US.
The DPC’s decision, which is expected to be finalised within months, follows complaints by NYOB, run by Austrian lawyer Max Schrems, challenging the legal basis used by Facebook to transfer data to the US.
The DPC imposed a fine of €225m on WhatsApp in September 2021, one of the largest fines to date over allegations that WhatsApp had failed to discharge its transparency obligations with regard to the provision of information to users and non-users of its service.
The DPC also submitted a draft decision into an inquiry against Instagram, also owned by Meta, over the processing of personal data of children to European data protection authorities in December 2021, which is awaiting a final decision.
In April 2021, the regulator launched an inquiry following international media reports that a collated dataset of Facebook users’ personal data, containing records of 533 million Facebook users, had been made available on the internet.
