The importance of considering data privacy and compliance at the conception and design stage of systems, processes, products and services has been highlighted by recent enforcement action: a fine of 265 million Euros imposed on Meta Platforms Ireland Limited (Meta), the data controller for Facebook in the EU.
A recent decision by the Data Protection Commission (DPC) in Ireland resulted in Meta being fined 265 million Euros (around £230 million) and being required to undertake a number of corrective measures. By any measure this is a considerable fine, and it comes on top of the cost of the corrective actions the DPC has ordered.
The DPC is the Irish supervisory authority for data protection under the General Data Protection Regulation (GDPR).
The investigation, launched in April 2021, followed media reports that a Facebook data set was being shared on a hacker site. The data set included names, dates of birth, contact details and locations, and affected 533 million people across 106 countries. The DPC found that the data had not been obtained by breaking into Facebook's systems but by scraping: Facebook's own search and contact-importer features had been used to match phone numbers to profiles in bulk. That is why the DPC's attention fell on how those features had been designed, rather than on breach notification.
The DPC's investigation concentrated on infringements of Article 25(1) and 25(2) of the GDPR, provisions that are replicated in the UK GDPR and that set out the requirement for data protection by design and by default.
Data protection by design and by default means that an organisation must put in place appropriate technical and organisational measures that implement the data protection principles and effectively safeguard individuals' rights, from the concept and design stage right through to the implementation and operation of its systems, processes, products and services.
Article 25(1) and (2) state:
“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.”
The DPC found that Meta had acted in violation of article 25(1) and (2) of the GDPR and imposed: (i) a reprimand; (ii) an order to bring processing into compliance; and (iii) an administrative fine of 265 million Euros.
The DPC also consulted the other concerned supervisory authorities across Europe under the GDPR's cooperation procedure, and they supported both the decision and the level of the fine.
This decision reflects the importance of considering the protection of personal data at the concept and design stage, so that the data protection principles and the safeguards that ensure the ongoing protection of personal data and individuals' rights are built in from the outset. Given the level of fine imposed, it is clearly cheaper for a business to build compliance in at the start of the development cycle than to retrofit it later.
If you or your organisation have any queries on how to establish a compliant data privacy culture and implement the principles of data protection and effectively safeguard an individual’s rights, please contact Eleanore Beard in our Data Protection team.