Meta hit with €17 million fine over multiple GDPR breaches

A smartphone showing the Meta company logo in front of a large Facebook logo
(Image credit: Getty Images)

Ireland’s Data Protection Commission (DPC) has hit Meta with a €17 million (£14 million) fine over multiple breaches of GDPR.

The DPC said the decision followed an inquiry into a series of 12 data breach notifications it received between 7 June 2018 and 4 December 2018. The inquiry looked at the extent to which Meta complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the 12 breach notifications.

Following the inquiry, the DPC found that Meta infringed Articles 5(2) and 24(1) GDPR. It found the company failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the 12 data breaches.

Since the processing under examination constituted “cross-border” processing, the DPC said its decision was subject to the co-decision making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers.

The Irish data regulator has been accused in the past of being the “bottleneck” of GDPR enforcement with 160 unresolved complaints. Campaigners claimed that it was hindering pan-European data protection enforcement as a result, with 98% of 164 cases remaining unresolved.

“While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned,” stated the DPC. “Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”

A Meta spokesperson told IT Pro: “This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people's information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”


Solving big data challenges with Multi-Cloud Data Services for Dell EMC PowerScale

Achieve cost-effective performance at scale and leverage multiple public clouds at the same


To put the €17 million fine into perspective, Facebook’s main Irish subsidiary paid an additional €35 million to settle outstanding tax matters in 2020, and the company put over €1 billion aside to cover potential fines from regulatory investigations, according to the Irish Times. Its corporate tax liability rose to €266.3 million from €173.2 million. Its revenue jumped by €6.3 billion to €40.6 billion at Facebook Ireland in 2020, while pre-tax profits rose to €890 million compared to €482 million the previous year.

The amount the company set aside for potential administrative fines from investigations conducted by data protection authorities more than tripled from €302.3 million to €1.02 billion. The company predicted that regulatory matters would be resolved within the next two years.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.