Irish Data Protection Commission Fines Facebook over Data Breach

Facebook has been the recent target of privacy watchdog lawsuits that have allegedly not gone far enough (Flickr).

Following an investigation into multiple Facebook data breaches in 2018, the Data Protection Commission, Ireland’s privacy watchdog, fined Meta 17 million euros on March 15. According to a DPC report, Meta “failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data.”

Since 2018, the European Union’s privacy policy has operated under the General Data Protection Regulation (GDPR). The General Data Protection Regulation gives companies guidelines on how to use European citizens’ data, and, more importantly, allows countries to fine and penalize companies for data misuse.

The fining framework allows penalties of either 20 million euros or 4 percent of total global turnover for severe violations, whichever number is greater. The framework also gives national entities the ability to enforce additional penalties for issues not directly in the framework, with an emphasis on the penalties being effective deterrents for the company.

According to the Irish Times, the DPC found that the data breach fell under the category of more severe fines, as the breach violated Articles 5(2) and 24(1) of the GDPR.

In a statement to the Associated Press, Facebook explained, “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information.”

This is not Facebook’s first fine from the DPC under the GDPR. Per Euractiv, following the regulation’s enactment, Facebook moved its data processing specifications into Facebook’s terms and conditions, forcing users to give consent to data processing to use the website. In October 2021, following a lawsuit filed by Austrian activist group “None of Your Business,” the DPC published a draft decision proposing a fine between 28 and 36 million euros for infringements of transparency obligations under the GDPR, as noted by the European Center for Digital Rights (NOYB). However, since the DPC recognizes both consent and the execution of a contract as lawful reasons to process personal data, the organization allowed Facebook to claim contractual necessity for data-based advertising.

In November 2021, the DPC demanded that NOYB sign a non-disclosure agreement for future complaints to be heard. In a statement to NOYB, the nonprofit’s chairperson Max Schrems said, “[This] is nothing but an authority demanding to give up the freedom of speech in exchange for procedural rights.”

During Facebook whistleblower Frances Haugen’s visit to Dublin in March 2022, she described the nation as a “tech superpower” with a “history of standing up for the little guys,” before meeting with the Data Protection Commissioner, Helen Dixon, according to the Irish Times. “Facebook knows how to keep us safe without censoring us and they choose not to do so because the way the system works currently is more profitable.” 

In a February 2022 interview with the Irish Examiner, Dixon dismissed criticism calling for two additional commissioners, saying that three Commissioners, “in light of the challenges we’ve recognised ourselves, would not assist in such a process.” According to a spokesperson for the Irish Justice Minister, this will be decided “very shortly.”