Ireland’s Data Protection Commission (DPC) this week announced it fined Meta €17 million for failing to comply with Europe’s privacy laws in connection with multiple data breaches the company suffered in 2018.
The decision follows a DPC inquiry into a series of data breach notifications received between June 7, 2018 and Dec. 4, 2018, according to the announcement.
The inquiry examined the extent to which Facebook’s parent company, Meta Platforms, complied with the requirements outlined in Europe’s General Data Protection Regulation (GDPR). Specifically, investigators found that Meta failed to protect customers’ personal data as outlined in several articles of the GDPR.
“The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” the privacy watchdog says.
While two supervisory authorities initially raised objections with the decision, the DPC ultimately found consensus with these watchdogs. The DPC said its decision “represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”
Meta, which owns both Facebook and the messaging service WhatsApp, maintains that it hadn’t failed to protect users’ personal information.
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” the company said in a statement to The Associated Press.
“We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Earlier this year, French data protection regulator CNIL fined Google and Facebook a combined €210 million for not giving users an easy way to reject tracking cookies, which meant failing to comply with the country’s data protection laws.
And in July 2021, it was reported that Facebook engineers used their privileges to access users’ private data.