According to TechCrunch, Ireland’s Data Protection Commission (DPC) was disturbed in 2018 when Facebook notified the commission of 12 distinct data breaches affecting up to 30 million users between June and December. The DPC launched an investigation, and Meta, Facebook’s parent company, has now been fined 17 million euros ($18.6 million USD).
Following its investigation of the breaches, the DPC ruled that Meta violated Europe’s General Data Protection Regulation (GDPR). According to its press release, the inquiry concerned 12 data breach notifications made between June and December 2018. “As a result of its investigation, the DPC discovered that Meta Platforms did not have appropriate technical and organizational measures in place that would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data,” the DPC stated in a press release.
A Meta representative told TechCrunch that any depiction of the fine as being related to the breaches was incorrect:
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Two authorities objected to Ireland’s initial draft ruling, according to TechCrunch. It did not, however, reveal who those authorities were or whether their objections had any effect on the DPC’s final judgment.
Meta is eager to point out that the fine concerns record-keeping practices, but that is not a trivial issue. In fact, adequate record-keeping appears to be a recurring problem for the organization. Last year, Facebook was at the center of a data hack that affected 533 million accounts from 106 countries. Afterwards, Facebook said that the people affected would not be notified, explaining that it was unsure which users to notify and that there was not much those users could do about their data being public.
Last month, Meta paid a $90 million settlement in connection with a complaint filed in 2012 that accused Facebook of tracking its users’ data even after they signed out of their accounts. The settlement also required Meta to erase all of the data that had been improperly gathered during that time. The DPC fined Meta’s messaging app WhatsApp $267 million last year for misusing its consumers’ personal data. Lawmakers criticized the service’s privacy policy for its lack of transparency in obtaining user consent to share data.
A company that fails to comply with GDPR requirements faces a fine of up to 4% of its annual revenue. Meta’s fine is significantly less than the maximum allowed.