In 2018, the Irish Data Protection Commission (DPC) was alarmed that Facebook notified it of 12 separate data breaches between June and December, TechCrunch reported. It is reported that these incidents affected as many as 30 million users. In response, the DPC launched an investigation, and now Facebook’s parent company Meta has been fined 17 million euros.
The DPC concluded from its investigation into the breach that Meta violated Europe’s General Data Protection Regulation (GDPR). According to a DPC press release, the agency identified 12 data breach notifications that occurred between June and December 2018. “As a result of the investigation, the DPC found that Meta Platforms failed to develop appropriate technical and organizational measures to enable it to readily demonstrate the security measures it implemented in practice to protect the data of EU users,” the DPC said in its press release.
In a statement to TechCrunch, Meta said it opposed characterization of the fine as being related to the breach itself. “This fine is about record-keeping practices in 2018, which we have since updated, not about failing to protect users’ information. We take our obligations under the GDPR seriously and will consider this decision carefully as our processes continue to evolve. ”
According to TechCrunch, the initial draft decision in Ireland was opposed by two authorities. However, it did not reveal who those agencies were and whether their objections actually influenced the DPC’s final decision.
Meta is quick to point out that this has something to do with record-keeping practices, but it’s not a small issue. In fact, adequate record keeping is a bit of a constant problem for the company. Last year, Facebook was at the center of a data breach that affected 533 million accounts and users in 106 countries. Sometime after that, Facebook noted that those affected would not be notified.
Last month, Meta paid a $90 million settlement over a lawsuit filed in 2012 that accused Facebook of tracking the data of its users — even after they cancelled their accounts. The settlement also requires Meta to delete all data erroneously collected during this period. Last year, Meta’s messaging service WhatsApp was fined $267 million by the DPC for mishandling its users’ personal data. But the service’s privacy policy has been targeted by lawmakers for its lack of transparency in collecting users’ consent to share data.
Companies found not to comply with GDPR rules can be fined up to 4% of their annual revenue. Meta’s fines are significantly lower than the maximum amount.