A €17 million fine imposed on Meta Platforms resulted from the company’s inability to demonstrate compliance, after several personal data breaches.
The Irish DPC has imposed a fine of €17 million on Meta Platforms Ireland Limited (Meta Platforms). The company, formerly named Facebook Ireland Limited, was found to have infringed Articles 5 (2) and 4 (1) of the GDPR. Over a six-month period between June and December 2018, the Irish DPC received a total of twelve data breach notifications from the company and launched an investigation. This investigation revealed that Meta Platforms had failed to implement the appropriate technical and organisational measures that would allow it to readily demonstrate the security measures it had actually put in place to protect EU users’ data, with regard to the twelve personal data breaches.
The €17 million fine imposed on Meta Platforms was in respect of Article 5 (2) of the GDPR.
Article 5 (2) requires that a controller be able to demonstrate compliance with the principles relating to the processing of personal data set out in Article 5 (1). In particular, when the Irish DPC decided to launch an inquiry into the company, its main purpose was to examine the extent to which the company had achieved compliance with Article 5 (1)(f) of the GDPR. This Article provides that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” The controller is not only responsible for maintaining compliance with these principles, but must also be able to demonstrate the security measures it has implemented.
The DPC found that although Meta Platforms provided information and supporting documentary evidence that could be considered analogous to industry best practice and the state of the art, Meta Platforms failed to have appropriate technical and organisational measures in place, such as would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.
All European supervisory authorities participated in the decision as co-decision makers, as this was a cross-border investigation.
The processing in question was “cross-border” and therefore, under Article 60 of the GDPR, this decision had to be made jointly, involving all European supervisory authorities. Article 60 of the GDPR outlines the co-decision process through which all cross-border decisions are made. The draft decision was initially challenged by two European supervisory authorities; however, through further engagement between all parties, an agreement was reached. Last week, the DPC published a concise statistical report on its handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) thus far. The report showed that 86% of its cross-border cases to date have concerned just 10 companies. So far, 38% of complaints transferred by the DPC to other EU/EEA lead supervisory authorities (excluding the UK) have been concluded.