Meta has been fined €17 million for twelve breaches of the EU GDPR.
The company, formerly known as Facebook, violated several GDPR (General Data Protection Regulation) requirements. More than 30 million people have been affected.
The Irish DPC (Data Protection Commissioner) investigated the breaches. It stated that Meta failed to implement appropriate technical and organisational measures to protect EU users’ personal data, and was therefore not GDPR compliant.
The DPC began its inquiry in 2018, by which time the GDPR was in force. It opened the investigation following a dozen breach notifications from Facebook.
Ireland regulates Meta because the organisation’s EU headquarters are based in Ireland.
Which rules did Facebook break?
The DPC noted that Facebook (as it was known at the time) breached Articles 5(1), 5(2), 24(1) and 32(1) of the EU GDPR.
Articles 5(1) and 5(2) state that personal data must be processed lawfully, fairly and in a transparent manner. They also require that the data controller be able to demonstrate that it is doing so.
Articles 24(1) and 32(1) state that organisations must implement appropriate technical and organisational measures in order to protect personal data.
The GDPR doesn’t mandate the use of specific measures. However, it does say that personal data should be encrypted or pseudonymised, where appropriate. Additionally, it states that organisations must be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Organisations must regularly test, assess and evaluate the effectiveness of these measures.
What was the fine for?
Facebook’s failure to adopt these measures doesn’t necessarily mean that there was a data breach. Instead, it was found to have inadequate documentation, which could have resulted in poorly implemented controls. This meant that Meta was not GDPR compliant.
A Meta spokesperson highlighted this in its response, suggesting that the violations were simply a matter of “record keeping practices”.
They added that these were historical breaches that dated back to 2018. The spokesperson added that Meta’s practices were now GDPR compliant.
“We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve,” the spokesperson said.
What does this mean for you?
We often tell our clients that GDPR compliance is not JUST about documentation, though this remains very important.
It seems clear that Meta had some good practices in place but failed to demonstrate this good practice.
Meta also failed to deliver on appropriate technical and organisational measures to protect personal data. Did it actually fail or did the company simply fail to demonstrate this area of compliance?
The same can be said when challenged on being able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. Again, there wasn’t a data breach, but they did fail to demonstrate this.
Therefore, you must be able to demonstrate that you are complying with the regulation. You also need to demonstrate your compliance with the accountability principle that was introduced with the Data Protection Act of 2018.
If you need help with this please get in touch.