The Irish data watchdog is trying to prove it is a regulatory Rottweiler by slapping Facebook parent Meta with a €17m (£14.3m) fine – its first GDPR penalty against the main social media site – although it has done little to stifle claims that it is a toothless poodle.
The case dates back to 2018, and follows complaints to the Irish Data Protection Commissioner by NOYB, the privacy organisation run by Austrian lawyer Max Schrems.
The inquiry probed 12 separate data breach notifications received by the Irish DPC that challenged the legal basis used by Facebook to transfer data to the US between June and December 2018.
The regulator found that Meta Platforms Ireland infringed Articles 5(2) and 24(1) of GDPR, and found that Meta “failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data”.
The DPC’s decision represents the first time that Article 60 of the GDPR, which requires all European supervisory authorities to act as co-decision-makers, has been used to resolve a data protection case.
Objections to the DPC’s draft decision were raised by Germany and Poland, but the DPC said that consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.
“Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” the Irish DPC said.
Perhaps unsurprisingly, Meta has attempted to play down the ruling, with a spokesperson saying: “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
With annual revenues of £90bn for 2021, it would take Meta just a couple of hours to earn the £14.3m fine.
Schrems has yet to comment on the ruling but instead seems more concerned with a separate report from the Irish DPC – released on the same day – that details its handling of cross-border complaints under the GDPR’s one-stop shop mechanism.
The report shows Meta accounts for 39% of the total 969 cross-border complaints the regulator has received as lead supervisory authority (30% Facebook, 9% WhatsApp) to the end of 2021.
It goes on to claim that the Irish have concluded 65% of complaints, with 35% still open, but insists other EU data protection authorities (DPAs) have concluded just 38% of complaints, with 62% still open.
To which Schrems tweeted: “Wow… DPC Ireland now tries to trash other DPAs within the EU, when their report actually admits that: 99% of cases do not see a formal decision (86% are amicable resolutions and 13% are not pursued by the complainant anymore).
“There is an undisclosed number of cases that are rejected as not valid – only 9 draft Decisions under Article 60 of GDPR were produced by the DPC since 2018 (that is 0.93%). It’s all about twisting the facts until they fit your story…”