The Irish Data Protection Commission (DPC) has fined Facebook’s parent company, Meta, €17 million ($18.6 million) for a series of past data breaches.
The security flaws in question, which appear to have impacted up to 30 million Facebook users, trace back many years and were reported to the Irish regulator by Facebook in 2018.
The DPC, which is Meta/Facebook’s privacy watchdog in the European Union, launched this security-related investigation in late 2018 after receiving 12 data breach reports from the internet giant between June 7, 2018, and December 4, 2018.
Failure to report
The European Union's General Data Protection Regulation (GDPR), in effect since May 2018, requires data controllers to promptly report leakage or theft of personal information to a regulatory agency if the leak is considered a danger to people. It is recommended that the most significant breaches be reported within 72 hours.
In a press release following the announcement that it had reached a final decision, the DPC said the inquiry evaluated the degree to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1), and 32(1) in processing the personal information relevant to the twelve breach notices.
As a consequence of its investigation, the DPC determined that Meta Platforms violated GDPR Articles 5(2) and 24(1).
In the context of the twelve personal data breaches, the DPC determined that Meta Platforms failed to have in place suitable technological and organizational mechanisms that would enable it to quickly show the security measures that it employed to secure EU users’ data.
A Meta representative responded to the DPC’s punishment with a statement that attempted to downplay the incident as an instance of historically sloppy record-keeping.