The DPC said Meta infringed GDPR by not having in place ‘appropriate technical and organisational measures’ to protect user data.
The Irish Data Protection Commission (DPC) has slammed a €17m fine on Meta, formerly Facebook, for not complying with GDPR requirements in the context of a dozen data breaches.
The fine announced today (15 March) follows an inquiry by the DPC into 12 data breach notifications it received between June and December 2018.
The inquiry examined the extent to which Meta complied with GDPR requirements in relation to the processing of personal data relevant to the 12 breaches.
Ireland’s data watchdog, which has been under scrutiny in recent months for how it handles GDPR complaints against Big Tech, found that Meta infringed EU data rules by not having in place “appropriate technical and organisational measures” to protect user data.
While the decision to fine Meta was announced by the DPC, it was made in consultation with other European supervisory authorities under GDPR rules as the case being investigated constituted cross-border processing.
The DPC said that two European supervisory authorities raised objections to its draft decision, but “consensus was achieved through further engagement between the DPC and the supervisory authorities concerned”.
DPC v Meta
As Meta’s EU headquarters are based in Dublin, the Irish watchdog is the lead data supervisor for the company under GDPR’s ‘one-stop shop’ mechanism.
This is not the only Meta investigation the DPC has been focusing on. In a draft decision last year, the DPC proposed a fine of between €28m and €36m for Meta for failing to sufficiently inform users about how their data is processed – stemming from a complaint lodged by Austrian privacy campaigner Max Schrems.
The DPC also recently issued a draft decision to Meta regarding the company’s data transfers from the EU to the US and whether its use of standard contractual clauses in respect to European user data complies with GDPR.
Although Meta is often the focus of Irish data protection investigations and WhatsApp is the recipient of its largest ever fine, the DPC was accused by Schrems of improperly lobbying other EU regulators to allow Facebook to bypass user consent requirements for ad-related data collection. The Irish data watchdog responded that the claims were “utterly untrue”.
Last month, Ireland’s data protection commissioner Helen Dixon defended the DPC’s track record in enforcing GDPR in Ireland amid criticisms from privacy advocates and politicians.
Dr Johnny Ryan of the Irish Council for Civil Liberties told an Oireachtas Joint Committee last April that the DPC had failed to resolve 98pc of cases of concern across the EU, calling Ireland a “bottleneck of GDPR investigation and enforcement”.
Some of these sentiments were recently echoed by Facebook whistleblower Frances Haugen, who called for a review of the DPC and claimed the Irish regulator is “widely considered” to have stepped back in its responsibilities in enforcing GDPR.
The DPC separately published a statistical report today on handling cross-border complaints under GDPR’s one-stop shop, under which tech giants including Meta and Google are currently able to handle much of their GDPR responsibilities in one EU country.
The watchdog said it has received a “significant number” of cross-border complaints as the lead data supervisor in the EU for many tech companies that have bases in Ireland.
It said many public comments about the DPC’s handling of these complaints are “based on information that is incomplete and lacking context” and it is now looking to provide transparency on the number of complaints received, numbers concluded and outcomes achieved.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.