Meta has been slapped with a €17 million ($18.6 million) financial penalty that resolves violations of the General Data Protection Regulation (GDPR) related to a series of Facebook data breaches reported to Ireland’s Data Protection Commission (DPC) in 2018.
The DPC was the lead investigator as the headquarters of Meta/Facebook is in Dublin, although since Meta and Facebook engage in cross-border data processing, all other EU supervisory authorities were co-decision makers. Two supervisory authorities raised objections to the DPC’s draft decision, but those issues were resolved. It is unclear if the objections had any impact on the amount of the financial penalty.
The DPC launched an investigation of the security of Meta platforms in 2018 after receiving notifications about 12 data breaches between June 7, 2018, and December 4, 2018. Across those 12 incidents, the personal data of up to 30 million Facebook users were exposed. The investigation sought to determine whether there had been any infringement of GDPR Articles 5(1)(f), 5(2), 24(1), and 32(1).
It has taken more than 3 years for a final decision to be announced, but the DPC has now confirmed that the Meta platforms did not have appropriate technical and organizational measures in place to allow Meta to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, which infringed GDPR Articles 5(2) and 24(1).
Meta has downplayed the fine, pointing out that the financial penalty was not imposed for the failure to protect the data of Facebook users. The fine was imposed for its record-keeping practices, which have since been updated.
The financial penalty may appear small considering the maximum penalty for a GDPR violation is €20 million or 4% of global annual turnover, whichever is greater, especially considering Meta’s revenue for 2021 was $117.929 billion. The financial penalty was, however, considerably larger than the penalty imposed on Twitter in December 2020 (€450,000 / $495,000), which was also related to an unintentional data breach.
The DPC has also published a statistical report on its handling of cross-border complaints under the One-Stop-Shop mechanism, where one supervisory authority takes the lead in investigations of complaints and data breaches that affect EU citizens in multiple EU member states. The DPC has been criticized for the speed at which those cases are handled and for the extent of its investigations.
The report confirmed that the DPC has received 1,150 valid cross-border complaints, 84% of which it handled as the lead supervisory authority and 16% as a concerned supervisory authority. 65% of the cross-border complaints handled by the DPC as the lead supervisory authority since 2018 have been concluded, including 82% of those received in 2018 and 75% of those received in 2019. A large number of the open cross-border complaints from 2018 and 2019 are linked to an inquiry and will be concluded when the inquiry is finalized.