Last week, Meta was fined €17 million (about £14.2 million) for breaching EU data protection rules.
The Irish DPC (Data Protection Commission) said that the tech giant, formerly known as Facebook, failed to properly document appropriate technical and organisational measures that “would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data”.
The DPC is Meta’s lead supervisory authority in the EU by virtue of the organisation’s Dublin-based EU headquarters.
It began its inquiry in 2018 after it received a dozen breach notifications from Facebook, and discovered a string of GDPR (General Data Protection Regulation) breaches.
Many will speculate that it’s a light punishment, given the number of violations and that the GDPR gives supervisory authorities the power to issue fines of up to 4% of an organisation’s global annual turnover – which, in this case, would have reached into the billions.
However, it is still a landmark decision, and not just because of the size of the fine. It also represents the first final decision that Meta/Facebook has received since the GDPR took effect.
It comes at a time when people had doubted the effectiveness of the Regulation. People were warned that if they didn’t meet its strict requirements, their organisation could face huge fines that could put them out of business.
However, that doesn’t give a true assessment of the GDPR’s intention. It was never solely about penalising huge corporations and issuing massive fines. It was looking equally at smaller organisations’ ability to better protect people’s personal data.
The fine levied against Meta demonstrates this. It wasn’t the result of a headline-grabbing data breach affecting hundreds of millions of people; it was the result of improper documentation that undermined individuals’ data privacy.
What did Facebook get wrong?
The DPC determined that Facebook breached Articles 5(1), 5(2), 24(1) and 32(1) of the GDPR.
Articles 5(1) and 5(2) state that personal data must be processed lawfully, fairly and in a transparent manner, and that the data controller must be able to demonstrate that it is doing so.
Articles 24(1) and 32(1) state that organisations must implement appropriate technical and organisational measures to protect personal data.
The GDPR doesn’t mandate the use of specific measures, but it states that organisations must be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
As part of that, organisations should regularly test, assess and evaluate the effectiveness of the measures that they have implemented.
Facebook’s failure to meet these requirements doesn’t necessarily mean that personal data was breached. Rather, it was found to have inadequate documentation, which could have resulted in poorly implemented controls and privacy breaches.
A spokesperson for Meta highlighted this in its response, suggesting that the violations were simply a matter of “record keeping practices”.
They added that these were historical breaches – dating back to 2018 – and that Meta’s practices were now GDPR compliant.
“We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve,” the spokesperson said.
What does this mean for GDPR enforcement?
Most public coverage of the GDPR has focused on mainstream news stories such as this or the €746 million fine levied against Amazon. But beyond that, there have been countless penalties issued on a more modest scale.
According to an IT Governance report, there were at least 429 GDPR fines issued in 2021, and the median penalty was €2,000 (about £1,700).
The fines often aren’t reported on, but they prove that enforcement action is occurring regularly and that organisations must continue to monitor their GDPR compliance status.
If you’re looking for support implementing appropriate technical and organisational measures, DQM GRC is here to help.
Our technical and organisational measures audit provides a complete review of your data protection practices, highlighting any areas of non-compliance that you must fix.
Our auditors will review your practices against our proprietary audit framework, which is derived from relevant international standards, to assure you that your controls are appropriate.
The audit comes with a detailed report, providing an assurance rating for each area of your business and outlining weaknesses that you must address.
You’ll also receive prioritised recommendations to help you develop an action plan, and we can help you implement the necessary measures to instigate that plan.