
Meta fined $18.6 million under the GDPR for not protecting user data

Meta, the company that owns Facebook and WhatsApp, was fined $18.6 million by the Irish Data Protection Commission (DPC) on Tuesday for a series of security breaches that happened in violation of local GDPR regulations across the EU.

The fine appears to have been imposed because of Meta’s negligence in failing to adequately protect customers’ data after the Facebook data breaches of 2018. The alleged security flaws, which may have affected up to 30 million Facebook users, go back several years, and Facebook informed the Irish regulator about them in 2018.

In a news statement, the watchdog said:

The DPC discovered that Meta Platforms lacked the necessary technological and organisational procedures that would have allowed it to easily demonstrate the security measures. In light of the twelve personal data breaches, it was really put into reality to secure the data of EU users.

Following an investigation into the company’s privacy practices with regard to EU citizens, the DPC concluded that Meta had breached Articles 5(2) and 24(1) of the GDPR. The DPC, which acts as Meta’s lead EU privacy regulator, commenced this security-related investigation in late 2018. In the six months between June 7, 2018, and December 4, 2018, it received at least 12 notifications from the tech giant about data breaches.

Tens of millions of people’s data were compromised by breaches that happened while Meta was embroiled in the Cambridge Analytica incident. Security vulnerabilities affecting user privacy settings were the root cause of many of these breaches: threat actors were able to obtain Facebook account access tokens, and app developers were given more access to user images than was necessary.


This latest development comes after a similar sanction the DPC imposed on WhatsApp: in September 2021, the DPC fined WhatsApp €225 million for violating the GDPR’s transparency requirements. In response to that judgement, WhatsApp modified its privacy policy on how it manages European users’ data and shares such data with its parent company, Meta.

In a statement provided to the Associated Press, Meta said:

This fine does not relate to a breach of privacy; rather, it relates to record-keeping procedures from 2018 that we have recently updated. We take our responsibilities under the GDPR seriously, and as our systems continue to develop, we will carefully review this choice.

In July 2021, around the same period, the Luxembourg National Commission for Data Protection (CNPD) also fined Amazon $887.5 million for breaking data processing regulations. Earlier this year, France’s regulator CNIL penalised both Meta and Google for breaking EU privacy laws by not giving consumers a simple way to decline cookie tracking; according to CNIL, Facebook made it hard for French users to reject its cookie tracking technology.

Meta and other companies are reviewing their global data-sharing policies and may make changes. Because of significant limitations on data transfers from the EU to the U.S., Meta has even considered withdrawing some services from the EU.
