GDPR Update

Author: Clerkin Lynch LLP

Date Published 13/07/2022

GDPR Fine of €17 million for META

The Irish Data Protection Commission (“IDPC”) has imposed a fine of €17m on Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, (“Meta”) for breaches of its obligations under the General Data Protection Regulation (“GDPR”).

The IDPC launched an inquiry into aspects of Meta’s activities following a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta complied with the requirements of GDPR and specifically Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to these breach notifications.

IDPC Findings

The IDPC inquiry revealed that Meta had infringed Articles 5(2) and 24(1) of the GDPR. In particular the IDPC found that Meta had failed to have appropriate technical and organisational measures in place which would enable it to readily demonstrate the security measures that it implemented in practice to protect relevant personal data in the context of the twelve personal data breaches examined.

Co-Decision Process

However, given that the processing under examination constituted “cross-border” processing under the terms of the GDPR, the IDPC’s decision was subject to the co-decision-making process outlined in Article 60 of the GDPR. Accordingly all of the other European data supervisory authorities were engaged as co-decision-makers by the IDPC as “lead supervisory authority”. Objections to the IDPC’s draft decision were initially raised by two of the other relevant European supervisory authorities but consensus was achieved on the decision in the end. Accordingly, this decision of the IDPC represents the collective views of both the IDPC and its counterpart supervisory authorities across the EU.

Other Fines

This is the latest in a series of fines imposed by the authorities on tech companies operating in Ireland under the GDPR. In September 2021 the IDPC imposed a fine of €225 million on WhatsApp while in October 2021 it fined Twitter €450,000. It is noteworthy that some data protection supervisory authorities across the EU have been critical of the low level of fines historically imposed by the IDPC in Ireland. For example in the WhatsApp case the data protection regulators of eight EU countries objected to the fine originally proposed by the IDPC and it was then reived upwards to €225 million in light of this. Accordingly both the general level of fines and in particular those with a cross border element seem likely to rise.