The Irish Data Protection Commission (DPC) fined Meta’s Irish subsidiary 17 million euros (U.S. $18.6 million) on Tuesday for a series of personal data breaches that took place nearly four years ago.
The penalty against Meta Platforms Ireland (formerly Facebook Ireland) followed an inquiry by the Irish DPC into 12 data breach notifications it received between June 7, 2018, and Dec. 4, 2018.
The data regulator found Meta infringed Articles 5(2) and 24(1) of the European Union’s General Data Protection Regulation (GDPR) by processing personal data unlawfully and failing to have appropriate technical and organizational measures in place to secure the data.
“This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” said a Meta spokesperson in an emailed statement. “We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”
Despite initial objections from regulators in Germany and Poland, the decision marks the first time issues have been resolved under Article 60 of the GDPR, which focuses on cooperation between different regulators. The Irish DPC’s cases against Twitter and WhatsApp progressed to Article 65, which considers dispute resolution and is overseen by the European Data Protection Board, the EU’s overarching GDPR regulator.
“The DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” the regulator said in a press release.
In October, the Irish DPC’s draft decision outlining its plans to fine Facebook between €28 million and €36 million (U.S. $31 million and $39 million) for GDPR breaches was leaked by privacy campaigner Max Schrems, who appealed for other European data protection authorities to reject it for being too lenient.
The company itself is prepared for stiffer penalties. Meta’s Irish accounts made public at the end of last year show it has made a provision of €1.026 billion (U.S. $1.1 billion) for potential data fines in 2022.
The Irish DPC on Tuesday separately published a statistical report on its handling of cross-border complaints under the GDPR’s one-stop shop mechanism. The report showed Meta accounted for 39 percent of the total 969 cross-border complaints the regulator received as lead supervisory authority (30 percent Meta, 9 percent WhatsApp) through the end of 2021.