Hat tip to Rob Robinson’s ComplexDiscovery site for original coverage of this story. On March 15 (beware the ides of March!), the Data Protection Commission (DPC) announced a decision in its Meta (Facebook) inquiry with the announcement that the DPC fined Meta €17m ($18.77m) for infringement of the General Data Protection Regulation (GDPR).

As announced here, the decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six-month period between June 7, 2018 and December 4, 2018.  The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.

As a result of its inquiry, the DPC fined Meta, finding that Meta Platforms infringed Articles 5(2) and 24(1) GDPR.  The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.

Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all the other European supervisory authorities were engaged as co-decision-makers.  While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.  Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.

I guess it’s no surprise that the DPC fined Meta, though it took them over three years to fine them for twelve data breach notifications! Yikes!

So, what do you think? Are you surprised that the DPC fined Meta or that it took that long for them to be fined? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.