Meta Platforms – €17,000,000 Fine (Ireland, 2022)

The Irish DPA (DPC) investigated a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of Articles 5(1)(f), 5(2), 24(1) and 32(1) GDPR in relation to the processing of personal data relevant to the twelve breach notifications. The DPC fined Meta Platforms €17,000,000 for the violation of Article 5(2) GDPR and Article 24(1) GDPR for failing to implement appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches. The DPC's decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers since the processing under examination constituted cross-border processing. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.