Meta has been fined €17 million (about £14.2 million) for twelve breaches of EU data protection rules.
The tech giant, formerly known as Facebook, violated several GDPR (General Data Protection Regulation) requirements, and more than 30 million people have been affected.
According to the Irish DPC (Data Protection Commissioner), which investigated the breaches, Meta failed to implement appropriate technical and organisational measures to protect EU users’ personal data.
The DPC began its inquiry in 2018 – shortly after the GDPR took effect – after it received a dozen breach notifications from Facebook.
Ireland regulates Meta because the organisation’s EU headquarters are based in the country.
What rules did Facebook break?
The DPC noted that Facebook (as it was known at the time) breached Articles 5(1), 5(2), 24(1) and 32(1) of the GDPR.
Articles 5(1) and 5(2) state that personal data must be processed lawfully, fairly and in a transparent manner, and that the data controller must be able to demonstrate that it is doing so.
Articles 24(1) and 32(1) state that organisations must implement appropriate technical and organisational measures to protect personal data.
The GDPR doesn’t mandate the use of specific measures, but it says that personal data should be encrypted or pseudonymised where appropriate.
Additionally, it states that organisations must be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Organisations should also regularly test, assess and evaluate the effectiveness of these measures.
Facebook’s failure to adopt these measures doesn’t necessarily mean that personal data was breached. Rather, it was found to have inadequate documentation, which could have resulted in poorly implemented controls.
A spokesperson for Meta highlighted this in its response, suggesting that the violations were simply a matter of “record keeping practices”.
They added that these were historical breaches – dating back to 2018 – and that Meta’s practices were now GDPR compliant.
“We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve,” the spokesperson said.
What does this mean for GDPR enforcement?
When the GDPR took effect in 2018, there were suggestions that it would revolutionise the information security landscape and that fines such as this would be the norm.
People were warned that if they didn’t meet the GDPR’s strict requirements, they could face huge fines that would put them out of business.
However, it has been almost four years since the Regulation was introduced, and incidents such as the Meta fine remain a noteworthy exception to GDPR enforcement.
But this is only true if you are looking exclusively for huge breaches at well-known organisations. Beyond those headline-grabbing stories, we have seen hundreds of penalties issued on a more modest scale.
According to IT Governance’s figures, there were at least 429 GDPR fines issued in 2021, and the median penalty was €2,000.
These stories often aren’t reported on, but they prove that enforcement action is occurring regularly and that organisations must continue to monitor their GDPR compliance status.
You can find out more about GDPR enforcement by downloading our free 2021 GDPR Fines Report.
This guide contains a full list of GDPR fines issued last year (in both the EU and the UK), alongside information on why each penalty was levied.
You’ll also discover the most common types of breach that resulted in fines, and find tools that you can use to bolster your data protection practices.