
Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€17,000,000 fine - Data Protection Authority of Ireland

Content

The Irish DPA (DPC) has imposed a fine of EUR 17 million on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). The decision is based on twelve data breach notifications concerning breaches that occurred between June 7, 2018 and December 4, 2018. The DPC's investigation found that Meta had violated Article 5 (2) GDPR and Article 24 (1) GDPR: Meta failed to demonstrate that it had taken appropriate technical and organizational measures to protect the data of EU users. Because the proceedings involved cross-border data processing, the decision was subject to the co-decision procedure under Art. 60 GDPR, with all other European supervisory authorities acting as co-decision-makers. Although two European DPAs objected to the DPC's draft decision, a consensus was ultimately reached. Accordingly, the DPC's decision reflects the collective views of the DPC and the other European DPAs.

GDPR Articles: Art. 5 (2) GDPR, Art. 24 (1) GDPR
Industry: Media, Telecoms and Broadcasting

Key Excerpts from Decision

Data Protection Commission announces decision in Meta (Facebook) inquiry

15th March 2022

The DPC has today adopted a decision, imposing a fine of €17m on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”). The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.

As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.

Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.

Separately, the DPC has today published a statistical report on handling cross-border complaints under the GDPR’s One-Stop-Shop mechanism (see link below).

https://www.dataprotection.ie/en/news-media/press-releases/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss
