In 2018, Ireland’s Data Protection Commission (DPC) was alarmed when Facebook notified the commission, between June and December, of 12 separate data breaches that affected up to 30 million users, TechCrunch reports. The DPC began to investigate and now Meta, Facebook’s parent company, has been fined 17 million euros ($18.6 million USD).
The DPC concluded from its investigation into the breaches that Meta violated Europe’s General Data Protection Regulation (GDPR). According to its press release, the DPC identified 12 data breach notifications that occurred between June and December 2018. “As a result of its inquiry, the DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data,” the DPC said in its press release.
In a statement to TechCrunch, a Meta spokesperson objected to any characterization of this fine being related to the breaches themselves:
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Two authorities objected to Ireland’s initial draft decision, TechCrunch reported. However, it did not disclose who those authorities were or whether their objections actually affected the DPC’s ultimate decision.
Meta is quick to point out this is related to record-keeping practices, but that’s not a minor problem. In fact, adequate record-keeping kind of feels like a consistent problem for the company. Last year, Facebook was at the center of a data leak that affected 533 million accounts belonging to users from 106 countries. Sometime after that, Facebook noted that those affected wouldn’t be notified, saying it wasn’t confident about which users to notify and that not much could be done about their data being online.
A company found to not comply with GDPR rules is subject to a fine of up to 4 percent of its annual revenue. Meta’s fine is substantially less than the maximum amount.