In the wake of 12 data breaches reported in 2018, Facebook’s parent company hit with hefty fine for failing to follow GDPR regulations related to its ability to demonstrate data privacy protection practices.

The Republic of Ireland’s Data Protection Commission (DPC) has fined Facebook parent company Meta €17 million (US$18.6 million) for violating multiple articles of the GDPR (General Data Protection Regulation) related to a series of 12 data breach notifications that occurred in the latter half of 2018.

The GDPR is an EU regulation that sets comparatively strict standards for the management, processing and protection of user data that went into effect in May 2018. Specifically, the DPC stated, the company failed to institute measures that would allow it to demonstrate compliance with GDPR regulations, under Articles 5(2) and 24(1).

“The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches,” the DPC said.

The practices under examination by the DPC involved cross-border processing of personal data, and so according to GDPR rules, all of the other European supervisory authorities were consulted, the DPC added.

The GDPR applies to almost all companies that handle the personal data of European residents, or have a physical presence in an EU country. Information explicitly covered by the GDPR includes names and addresses, health data, web identifiers like cookies, racial data, sexual orientation and political opinions.
Critically, it also applies to third-party vendors providing services to companies subject to the law — meaning they have to be GDPR-compliant, as well, in order to avoid fines for the company directly subject to the law.

GDPR fines are determined by a multifactor legal test, which takes into account the gravity and nature of the infraction, whether it was intentional or negligent, what category of data was affected and more. Specific guidelines are provided for offenses under certain chapters of the GDPR, which are capped at either €10 million or 2% of a company’s worldwide income from the previous year, whichever is higher, for lesser infractions, or €20 million or 4% of last year’s income for more serious violations.

The €17m fine levied against Meta is the 11th largest ever handed out for violating the GDPR, according to a list maintained by email security vendor Tessian. While the fine pales in comparison to the largest ever handed out — that distinction belongs to a €746 million levy against Amazon in 2021, for violating cookie handling policies — the Meta family of companies has previously earned larger fines than the one announced today, including a €255 million penalty for insufficiently well-defined privacy policies at WhatsApp issued by Ireland in 2021, and €60 million in June 2021 from French authorities for failing to obtain proper cookie consent from Facebook users.