The Irish Data Protection Commissioner has fined Meta, the parent company of Facebook, €17m for failing to adequately protect users’ data.
The decision follows an inquiry by the Data Protection Commissioner (DPC) into a series of 12 data breach notifications received by DPC the between June and December 2018,
The regulator found that Meta Platforms Ireland infringed Article 5(2), and 24(1) of the GDPR data protection law, which require organisations to put measures in place to meet key data protection principles.
The DPC found that Meta “failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data”.
The DPC’s decision represents the first time that Article 60 of the GDPR, which requires all European supervisory authorities to act as co-decision-makers has been used to resolve a data protection case.
Objections to the DPC’s draft decision were raised by two of the European supervisory authorities, but the DPC said that consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.
“Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” the DPC said.
A Meta spokesperson said, “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
The DPC is the lead regulator for Facebook in the European Union and has primary responsibility for investigating data protection breaches by Facebook and other big tech companies with European headquarters in Dublin.
It has several investigations into Meta underway.
The Irish High Court dismissed a legal challenge by Facebook in May last year against a draft decision by the DPC to suspend Facebook Ireland’s transfer of data about European residents to the US.
The DPC’s decision, which is expected to be finalised within months, follows complaints by NYOB, run by Austrian lawyer Max Schrems, challenging the legal basis used by Facebook to transfer data to the USA.
The DPC imposed a fine of Euro 225 million on WhatsApp, in September, one of the largest fines to date over allegations that WhatsApp had failed to discharge its transparency obligations with regard to the provision of information, to users and non-users of its service.
The DPC also submitted a draft decision into an inquiry against Instagram, also owned by Meta, over processing of the personal data of children to European data protection authorities in December last year, which is awaiting a final decision.
And in April 2021, the regulator launched an inquiry following international media reports, that a collated dataset of Facebook user’s personal data, containing records of 533 million Facebook users had been made available on the internet.
Source link