A string of at least a dozen data breaches dating back to 2018 is finally catching up with Meta’s Facebook, as the Irish Data Protection Commission (DPC) has issued a fine under the terms of the General Data Protection Regulation. The €17 million GDPR fine stems from a failure to demonstrate that adequate security measures were in place to prevent the data breaches.
The case represents a GDPR landmark as it is the first occasion of Article 60 being used to settle a dispute over penalty terms between national regulators. This fine is in addition to a draft decision from 2021 that could see Meta pay an additional €28 million to €36 million.
GDPR fine total continues to mount for Meta/Facebook
The GDPR fine comes as a result of a dozen data breaches reported between June and December 2018. The majority of these breaches were not disclosed to the public, but one major breach in September of that year had Facebook initially facing a proposed fine of $1.6 billion.
The company’s ultimate penalty looks to be about 1% of that initial proposition, though still a substantial sum as the data breaches are thought to have impacted some 30 million Facebook users. There was an apparent dispute among national data protection authorities about the amount of the GDPR fine (with Germany and Poland known to have objected), though details about the nature of the dispute were not made public. All that is known is that the issue was settled for the first time under Article 60 proceedings, which mandate that supervisory authorities work together to reach an agreement on a ruling and share relevant information with each other. Prior disputes of this nature have tended to escalate to the invocation of Article 65, which happens when supervisory authorities cannot come to an agreement.
It is fair to speculate that the other data protection authorities were unsatisfied with the size of the GDPR fine, given both the initial proposal and the Irish DPC’s perceived pattern of taking it easy on the tech companies it is assigned to investigate. The incident involved an access token bug that had apparently existed since July of 2017, and in 2018 was discovered and exploited by hackers to gain unauthorized access to Facebook users’ private profile information.
Facebook suffered several other bugs in 2018 that potentially led to data breaches, though it is unclear if these were a factor in this particular GDPR fine. In July of that year the company accidentally changed up to 14 million users’ privacy settings to “public” without their knowledge due to a bug. Then in November, researchers discovered another bug that allowed unauthorized access to certain aspects of profile information. And in December, Facebook revealed a flaw in its API that allowed app developers unauthorized access to the photos of about 5.6 million users.
Fine levied due to pattern of data breaches, but public information limited
In addition to some possible contention over the amount of the GDPR fine, there has been marked public dissatisfaction with the length of time the Irish DPC takes to conclude its investigations into the tech companies that headquarter themselves in Dublin. This particular probe dragging on since 2018 is just one part of this pattern; the Irish DPC is now facing a lawsuit over its slow enforcement that centers on a different probe of Google that dates back to 2018.
Thomas Stoesser, Director and Cybersecurity Expert for comforte AG, points out that though Ireland has seemed to take a soft approach with the companies in its territory, the GDPR nevertheless has the potential to levy business-crippling fines when regulatory authorities are on the same page: “Companies need to realize that GDPR is a data privacy regulation that has teeth. By now, many companies have been fined by the Data Protection Commission in Ireland, including big brands like Google, British Airways, and Marriott. These are just a few of the multi-million Euro fines that have been handed out in the past four years since GDPR became enforceable. It should be clear by now that more big fines will be handed out if organizations fail to take data privacy seriously. The former information commissioner Elizabeth Denham pointed out something a couple of years ago that many companies don’t yet seem to understand: The personal data that they are processing and storing is not their property. They have only been entrusted with it. That is a big difference.”
For its part, Meta characterized the GDPR fine as a matter of outdated “record-keeping practices” rather than something caused by data breaches. It is unclear how many actual data breaches were involved, save the massive intrusion in September 2018, as much of the information about the incidents is not available to the public.
Facebook remains in a variety of legal trouble in the European Union, as indicated by it setting aside €1.02 billion for anticipated fines at the end of 2021 (more than triple the amount it laid aside in 2020). At over $32 billion in annual ad revenue, the company is still able to comfortably afford it.
The company does face some serious challenges in the immediate future, however, including the prospect of potentially pulling out of the EU. Another GDPR challenge, also currently being handled by the Irish DPC, could render the company’s cross-Atlantic data transfers so difficult to keep in compliance that Facebook may opt to pull up stakes in Europe entirely. Another issue is a serious blow to the company’s revenue from Apple’s new privacy policies, which could cost the company as much as $10 billion in 2022 just as the company begins pivoting to a focus on virtual reality.