Data Protection Commission issues fine of €17m on Meta

March 17, 2022

The DPC has adopted a decision imposing a fine of €17m on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited).

The decision follows an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018.  The inquiry examined the extent to which Meta Platforms complied with the requirements of Articles 5(1)(f), 5(2), 24(1) and 32(1) of the GDPR in relation to the processing of personal data relevant to the twelve breach notifications.

As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) of the GDPR.  The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.

Because the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all other European supervisory authorities were engaged as co-decision-makers.  While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.  Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU. 

Since May 2018, the DPC has received and concluded a significant number of cross-border complaints as the EU/EEA lead supervisory authority for the large number of technology and internet platform companies with EU headquarters in Ireland. Therefore it has published a statistical report on handling cross-border complaints under the GDPR’s One-Stop-Shop mechanism.