
Ireland fines Meta for bad record-keeping

The 2018 data breaches affected up to 30 million Facebook users

Illustration by Alex Castro / The Verge

In 2018, Ireland’s Data Protection Commission (DPC) was alarmed when Facebook notified the commission, between June and December, of 12 separate data breaches that affected up to 30 million users, TechCrunch reports. The DPC began to investigate and now Meta, Facebook’s parent company, has been fined 17 million euros ($18.6 million USD).

The DPC concluded from its investigation into the breaches that Meta violated Europe’s General Data Protection Regulation (GDPR). According to its press release, the DPC identified 12 data breach notifications that occurred between June and December 2018. “As a result of its inquiry, the DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data,” the DPC said in its press release.

In a statement to TechCrunch, a Meta spokesperson objected to any characterization of this fine being related to the breaches themselves:

“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”

Ireland’s initial draft decision was objected to by two authorities, TechCrunch reported. However, it did not disclose who those authorities were or whether their objections actually affected the DPC’s ultimate decision.

Meta is quick to point out this is related to record-keeping practices, but that’s not a minor problem. In fact, adequate record-keeping kind of feels like a consistent problem for the company. Last year, Facebook was at the center of a data leak that affected 533 million accounts belonging to users from 106 countries. Sometime after that, Facebook noted that those affected wouldn’t be notified, saying it wasn’t confident about which users to notify and that not much could be done about their data being online.

Last month, Meta paid $90 million to settle a lawsuit filed in 2012 that accused Facebook of tracking the data of its users even after they had logged out of their accounts. The settlement also required Meta to delete all of the data wrongfully collected during that time. Last year, Meta’s messaging service WhatsApp was fined $267 million by the DPC for mishandling the personal data of its users. But the service’s privacy policy was targeted by lawmakers for its lack of transparency in gathering consent from users to share data.

A company found to not comply with GDPR rules is subject to a fine of up to 4 percent of its annual revenue. Meta’s fine is substantially less than the maximum amount.