Meta Fined $18.6M Under GDPR for Failing to Protect User Data


Social media giant Meta has been handed yet another fine by a Europe-based privacy regulator. Although relatively small (approximately $18.6 million), the penalty appears to stem from complacency on Meta's part in protecting users during several Facebook data breaches that occurred in 2018.

Facebook and Instagram’s parent company Meta has been penalized with a sum of €17 million (~$18.6 million) by the Irish Data Protection Commission (DPC) over GDPR violations. The DPC said Meta violated Articles 5(2) and 24(1) of the GDPR after investigating the company’s privacy practices concerning EU citizens.

The privacy watchdog said that “Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.”

Besides Articles 5(2) and 24(1), the regulator also probed Meta over Articles 5(1)(f) and 32(1) but concluded that the company did not violate the latter two. The DPC opened its investigation into Meta late in 2018 after receiving a dozen data breach notifications between June 7, 2018, and December 4, 2018.

These breaches, which occurred while Meta was engulfed in the Cambridge Analytica scandal, impacted the data of tens of millions of people. Several of them stemmed from security vulnerabilities that altered user privacy settings, gave app developers more access to user photos than required, and enabled threat actors to obtain Facebook account access tokens.


GDPR gives European data and privacy regulators the teeth to impose a fine of up to 4% of the annual turnover of a company that violates the regulation. Compared to Meta’s 2021 revenue ($117.93 billion), the fine is pocket change. The small figure could be attributed to the fact that the Facebook breaches were accidental rather than the result of blatant disregard on Meta's part.

Nevertheless, Meta has, as expected, taken a defensive stance. “This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”

This isn’t the first time Meta has been penalized over GDPR-related violations. The company was initially handed a €50 million fine in September 2021 for failing to accurately inform WhatsApp users about how their personal data was used. This drew criticism from European stakeholders, in response to which the DPC revised the fine to €225 million.

This time around, the DPC decided to impose a fine of $18.6 million after European supervisory authorities reached a consensus on the amount.

Earlier in 2022, Meta was also fined €60 million (~$67.87 million) by France’s Commission Nationale de l’Informatique et des Libertés (CNIL). CNIL said Facebook made it difficult for users in France to reject its cookie tracking technology.

The transatlantic data-sharing practices of Meta and other companies are currently under review and may be changed. Meta has even considered discontinuing some services in the EU due to far-reaching restrictions on data transfers from the EU to the U.S.
