The Irish Data Protection Commission (DPC) has imposed a €17 million fine on Meta, the parent of Facebook.
The decision follows an inquiry into a series of 12 data breach notifications the commission received between June and December 2018.
The investigation concluded that Meta infringed Articles 5(2) and 24(1) of the General Data Protection Regulation (GDPR), which allows for penalties of up to 4 per cent of a company’s annual revenues.
The DPC found that Meta Platforms failed to have appropriate technical and organisational measures in place that would allow it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the 12 personal data breaches.
Despite objections from regulators in Germany and Poland, this marks the first time that issues have been resolved under Article 60 of the GDPR, which focuses on co-operation between different regulators, rather than progressing to Article 65, which considers dispute resolution.
“The DPC’s decision represents the collective views of both the Data Protection Commission and its counterpart supervisory authorities throughout the EU,” it said.
The DPC is Facebook's lead regulator in the European Union and is therefore charged with investigating suspected breaches of GDPR rules. It also leads on investigations into many other leading tech companies due to them having their European headquarters in Dublin.
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve,” said a spokeswoman for Meta.
This isn’t the only investigation into Meta/Facebook undertaken by the DPC. It has also suggested a penalty of between €28 million and €36 million for the tech giant in a draft decision made against the company late last year.
The commission has been investigating claims by the organisation NOYB that Facebook has “bypassed the GDPR” by changing terms and conditions for users so that it no longer needs consent to process personal data. It is alleged it has done this by relabelling agreements on data use as a “contract”.
Facebook said in its most recent annual report that it expects that DPC investigation into Meta to conclude in the “first half of 2022”,
In addition, the European arm of Meta-owned WhatsApp secured permission from a High Court judge late last year to challenge the Data Protection Commission's decision to fine it €225 million over alleged breaches of data protection rules. It is also investing Instagram, which Facebook acquired in 2012 in a $1 billion deal.