Irish DPA fines Meta Platforms (Facebook) EUR 17M over several data breaches that occurred in 2018


On 15 March 2022, the Irish DPA adopted its decision imposing a fine of EUR 17M for Meta Platforms Ireland Limited (“Meta Platforms”, formerly Facebook Ireland Limited) for infringements of Articles 5 (2) and 24 (1) of the GDPR.

The investigation was launched after 12 data breach notifications received by the Irish DPA in 6 months (i.e., from 7 June 2018 to 4 December 2018).

Following the investigation, the Irish DPA concluded that Meta Platforms failed to implement appropriate technical and organizational measures that would enable it to demonstrate its security measures set in practice for protecting EU users’ personal data, considering the 12 data breaches.

As the inquired processing activities constituted “cross-border” processing, this decision was subject to the co-decision-making process under Article 60 of the GDPR, and all the European DPAs were involved. Although two DPAs raised objections to the Irish DPA’s draft decision, a consensus was achieved through further engagement between the Irish DPA and the concerned DPAs.

The Irish DPA’s press release is available here, and the summary published by the EDPB on 22 March 2022 is available here.