Irish data protection authorities fined Meta 17 million euros

[German]The Irish Data Protection Authority (DPC) has just fined Meta (formerly Facebook) €17 million. This fine stems from several data protection breaches by Facebook in the past.


This is according to a press release issued by the Authority on the decision to fine Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) ("Meta Platforms") EUR 17 million. The decision followed an investigation by the DPC into a series of twelve data breach notifications received by the company in the six-month period between June 7, 2018 and December 4, 2018. 

Investigation following data breaches

The investigation assessed Meta Platforms' compliance with the requirements of Articles 5(1)(f), 5(2), 24(1), and 32(1) of the General Data Protection Regulation (GDPR) with respect to the processing of personal data relevant to the twelve data breach notifications. As a result of his investigation, the Data Protection Officer found that Meta Platforms violated Article 5(2) and Article 24(1) of the GDPR. The DPO found that Meta Platforms failed to take appropriate technical and organizational measures to protect personal data. Meta arguably failed to demonstrate that it had such security measures in place in connection with the twelve data breaches.

Decision based on "cross-border" processing

The DPC points out that the processing under review was "cross-border processing." This made the decision of the Irish DPC subject to the co-decision procedure of all other European supervisory authorities under Article 60 GDPR.

Two of the European supervisory authorities objected to the DPO's draft decision. However, consensus was reached through further discussions between the DPO and the supervisory authorities concerned.  Accordingly, the DPC's decision represents the collective opinion of both the DPC and the relevant supervisory authorities in the EU.

The DPC published a statistical report on the handling of cross-border complaints under the One-Stop-Shop mechanism of the General Data Protection Regulation with data of interest.

Statement from Meta

Meta issued its own statement to AP about the case in question via email. It states:


This fine is about recording practices from 2018 that we have since updated, not a failure to protect people's data. We take our obligations under the General Data Protection Regulation seriously and will carefully review this decision as our processes evolve.

Cookies helps to fund this blog: Cookie settings

This entry was posted in General and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *