On 15 March 2022, Ireland’s data protection regulator, the Data Protection Commission (“DPC”), announced it would be imposing a fine of €17 million on Meta, Facebook’s parent company, following an inquiry into 12 data breach notifications it received in relation to the platform in 2018. The DPC ultimately concluded that Meta failed to have appropriate technical and organisational measures in place which would enable it to demonstrate the security measures it had implemented to protect users’ personal data.
As the inquiry related to data subjects in a number of EU states, the DPC submitted its preliminary decision on the matter to other concerned EU supervisory authorities for their input. Whilst objections were raised in relation to the DPC’s decision by the Polish and German supervisory authorities, consensus was eventually reached following further engagement, in accordance with the cooperation process set out under Article 60 of the GDPR, resulting in the decision to fine Meta €17 million.
In response to the news, a spokesperson for Meta said “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve”. Section 142 of the Data Protection Act 1988 - 2018 (as amended) provides that an organisation may, within 28 days of notification of a decision to fine it, appeal that decision to the Circuit or High Court. Alternatively, where an organisation chooses not to appeal, the DPC is required, pursuant to section 143, to apply to the Circuit Court to affirm its decision. It remains to be seen whether Meta will appeal the decision.
The DPC’s decision follows two high-profile decisions in 2021 to fine Twitter €450,000 and Meta-owned WhatsApp €225 million (currently under appeal) and marks a move towards a more aggressive approach by the regulator. This will undoubtedly make the many Irish-based tech giants within the DPC’s remit uneasy, particularly given that the DPC is currently progressing 81 ongoing statutory inquiries. As such, it is likely that we will see many more fines of this magnitude as the year progresses and commentators will be following developments carefully.