In the wake of 12 data breaches reported in 2018, Facebook’s parent company was hit with a hefty fine for failing to follow GDPR regulations related to its ability to demonstrate data privacy protection practices.

The Republic of Ireland’s Data Protection Commission (DPC) has fined Facebook parent company Meta €17 million (US$18.6 million) for violating multiple articles of the GDPR (General Data Protection Regulation) related to a series of 12 data breach notifications that occurred in the latter half of 2018.

The GDPR is an EU regulation, in effect since May 2018, that sets comparatively strict standards for the management, processing and protection of user data. Specifically, the DPC stated, the company failed to institute measures that would allow it to demonstrate compliance with GDPR regulations under Articles 5(2) and 24(1).

“The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” the DPC said.

The practices under examination by the DPC involved cross-border processing of personal data, and so, according to GDPR rules, all of the other European supervisory authorities were consulted, the DPC added.

The GDPR applies to almost all companies that handle the personal data of European residents or have a physical presence in an EU country. Information explicitly covered by the GDPR includes names and addresses, health data, web identifiers like cookies, racial data, sexual orientation and political opinions.
Critically, it also applies to third-party vendors providing services to companies subject to the law — meaning they have to be GDPR-compliant as well, in order to avoid fines for the company directly subject to the law.

GDPR fines are determined by a multifactor legal test, which takes into account the gravity and nature of the infraction, whether it was intentional or negligent, what category of data was affected and more. Specific guidelines are provided for offenses under certain chapters of the GDPR, which are capped at either €10 million or 2% of a company’s worldwide income from the previous year, whichever is higher, for lesser infractions, or €20 million or 4% of last year’s income for more serious violations.

The €17m fine levied against Meta is the 11th largest ever handed out for violating the GDPR, according to a list maintained by email security vendor Tessian. While the fine pales in comparison to the largest ever handed out — that distinction belongs to a €746 million levy against Amazon in 2021, for violating cookie handling policies — the Meta family of companies has previously earned larger fines than the one announced today, including a €255 million penalty for insufficiently well-defined privacy policies at WhatsApp issued by Ireland in 2021, and €60 million in June 2021 from French authorities for failing to obtain proper cookie consent from Facebook users.