The Republic of Ireland’s Data Protection Commission (DPC) has fined Facebook parent company Meta €17 million (US$18.6 million) for violating multiple articles of the GDPR (General Data Protection Regulation) related to a series of 12 data breach notifications that occurred in the latter half of 2018.
The GDPR is an EU regulation that sets comparatively strict standards for the management, processing and protection of user data that went into effect in May 2018. Specifically, the DPC stated, the company failed to institute measures that would allow it to demonstrate compliance with GDPR regulations, under Articles 5(2) and 24(1).
“The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” the DPC said.
The practices under examination by the DPC involved cross-border processing of personal data, and so according to GDPR rules, all of the other European supervisory authorities were consulted, the DPC added.
The GDPR applies to almost all companies that handle the personal data of European residents, or have a physical presence in an EU country. Information explicitly covered by the GDPR includes names and addresses, health data, web identifiers like cookies, racial data, sexual orientation and political opinions. Critically, it also applies to third-party vendors providing services to companies subject to the law — meaning they have to be GDPR-compliant, as well, in order to avoid fines for the company directly subject to the law.
GDPR fines are determined by a multifactor legal test, which takes into account the gravity and nature of the infraction, whether it was intentional or negligent, what category of data was affected and more. Specific guidelines are provided for offenses under certain chapters of the GDPR, which are capped at either €10 million or 2% of a company’s worldwide income from the previous year, whichever is higher, for lesser infractions, or €20 million or 4% of last year’s income for more serious violations.
The €17m fine levied against Meta is the 11th largest ever handed out for violating the GDPR, according to list maintained by email security vendor Tessian. While the fine pales in comparison to the largest ever handed out — that distinction belongs to a €746 million levy against Amazon in 2021, for violating cookie handling policies — the Meta family of companies has previously earned larger fines than the one announced today, including a €255 million penalty for insufficiently well-defined privacy policies at WhatsApp issued by Ireland in 2021, and €60 million last June from French authorities for failing to obtain proper cookie consent from Facebook users.