Ireland: Meta fined $18.6m for breaking EU's GDPR

Following a breach of data privacy European law, Facebook parent company Meta has received an $18.6m (€17m) fine — representing around 0.055 percent of its quarterly revenue.

Ireland's Data Protection Commission (DPC) imposed the fine on Meta Platforms Ireland, formerly Facebook Ireland, following its inquiry into 12 data breach notifications over the six-month period between 7 June 2018 and 4 December 2018.

The inquiry found Meta Platforms infringed Articles 5(2) and 24(1) of the GDPR, the EU's General Data Protection Regulation.

The social media giant "failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the twelve personal data breaches," according to a DPC statement.

A Meta spokesperson said: "This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people's information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve."

Meta's offending data practice involved "cross-border" processing. As such the DPC worked with all of the other European supervisory authorities to come to a consensus. Therefore, the DPC's decision represents the joint view of the Irish authority and its counterpart across the EU.

The fine though may be small change for Meta which accrued $32.6bn ad revenue in calendar Q4, its last reported quarter. It posted net profit of $10.3bn, albeit lower than $11.2bn a year earlier.

• EC fines Facebook €110m for 'misleading' data on WhatsApp deal
• EU, US close to replacing defunct Privacy Shield II
• Americans far more willing to hand over personal data
• France says Google Analytics breaches GDPR when it sends data to US

Last year WhatsApp, a Meta company since 2014, was fined €225m by the DPC under GDPR rules. The messaging firm said it intended to appeal the decision, saying the fine was "entirely disproportionate."

The case was about how WhatsApp acted on transparency obligations within data protection law with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."

In a separate case, Google and Facebook were fined by French watchdog Commission Nationale de l'Informatique et des Libertés (CNIL) for the position of GUI button to permit immediate acceptance of cookies while not offering the user an equivalent to refuse them as easily. Google was fined €150m while Facebook got a €60m penalty. ®