Facebook’s Meta fined €17 Million by Ireland’s Data Protection Commission


2 mins

Posted on 12 Apr 2022

Facebook’s Meta fined €17 Million by Ireland’s Data Protection Commission

Facebook data breaches

Facebook’s parent company Meta has been fined 17 million euros for breaching EU privacy rules.

Meta’s failures

Following  twelve different data breach notifications in a six month period in 2018, the Irish Data Protection Commission (“DPC”) decided to investigate Meta Platforms’ compliance with GDPR requirements in respect of the processing of personal data.

In the course of their investigation, the DPC found that Meta Platforms had infringed articles 5(2) and 24(1) of the GDPR by failing “to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data”.

A Meta spokesperson has commented that the fine was related to its record-keeping practices from 2018, which they have now updated, and was not to do with failing to protect users’ personal information.

Cross-border processing

Meta’s breaches involved cross-border processing of data between multiple member states within the EU. As a result, the DPC decision was subject to a co-decision-making process. All of the other European data supervisory authorities were engaged as co-decision-makers in making the decision.

Although objections to the DPC’s original draft decision were raised by two supervisory authorities, the DPC said that, “consensus was achieved through further engagement between the DPC and the supervisory authorities concerned”. Therefore, in accordance with the GDPR’s article 60 co-decision-making process, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.

A united front 

The fine shows the increasingly collective approach to data breaches taken by EU member states (as well as the UK) and follows significant fines issued to Facebook, Google and Clearview. It demonstrates the EU Data Protection authorities are continuing to use the punitive powers available to them. 

Key Contacts :

Mike Hibberd

  • Senior Associate
  • T: +44 (0)118 951 6765
  • Email me

View profile

Piers Leigh-Pollitt

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761
  • Email me

View profile

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.

Back to top