Ireland’s Data Protection Commission (DPC) has fined Meta, Facebook’s parent company, 17 million euros ($18.6 million) for several data breaches that affected up to 30 million users.
The decision followed an inquiry by the DPC into a series of 12 data breach notifications it received in the six-month period between June 7, 2018 and December 4, 2018.
As a result of its inquiry, the DPC found that Meta Platforms infringed Europe’s General Data Protection Regulation (GDPR).
“The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the 12 personal data breaches,” it said in a statement.
In a statement to TechCrunch late on Wednesday, a Meta spokesperson said: “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Ireland’s initial draft decision was objected to by two authorities.
While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.
“Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” said the Irish consumer watchdog.
Last year, Facebook was at the centre of a data leak that affected 533 million accounts and users from 106 countries.