Meta says it has yet to decide whether to appeal the €17 million fine imposed by the Irish Data Protection Commissioner for mishandling the reporting of 12 breach notifications.
We are still reviewing the decision,” said a spokesperson for the parent company of Facebook, Instagram and Whatsapp, which employs around 5,000 people in Dublin.
“This fine relates to record keeping practices from 2018 that we have since updated, and not a failure to protect individuals’ information.”
The Irish DPC’s decision follows its investigation into a series of 12 data breach notifications received between June and December 2018.
The DPC found that Meta breached Articles 5(2) and 24(1) of the GDPR, failing to “put in place appropriate technical and organizational measures that would allow it to easily demonstrate the security measures it has implemented in practice to protect EU users”. data, as part of the 12 personal data breaches”.
The DPC’s draft decision, criticized by some commentators as amounting to little more than a “rounding error” in the context of Meta’s annual turnover, was first challenged by two other European authorities. monitoring. However, these “objections” were overcome, according to Helen Dixon’s office.
Meta’s spokesperson said the fine was “considered”.
“We take our obligations under the GDPR seriously and will carefully review this decision as our processes continue to evolve,” the spokesperson said.
Separately, the DPC has sought to dispel what it describes as “incomplete” criticisms that “lack context” about how it handles cross-border complaints.
It has published a statistical report on its handling of cross-border complaints under the GDPR one-stop-shop mechanism.
The DPC’s report indicates that between the end of May 2018 and the end of 2021, nearly two-thirds (65%) of the cross-border complaints it handled as lead supervisor were concluded, with 82% of those received in 2018 and 75% in 2019 “now complete”.
In total, the report indicates that 1,150 valid cross-border complaints were received by the DPC during this period, 969 (84%) as the main supervisory authority and 181 (16%) as the “control authority”. control concerned”.
The report indicates that out of the 634 concluded cross-border complaints handled by the DPC as leader, 544 were resolved amicably in the interest of the complainant.
Austrian privacy campaigner Max Schrems told a joint committee of the Oireachtas last year that the Irish DPC had an “extremely poor” record of resolving complaints and that “99% of complaints are not settled”.
The charge was dismissed by Ms Dixon, calling the analysis “simplistic”.
The Irish authority currently has open investigations into Meta, Google, Twitter, Apple, Yahoo and TikTok, among others. Its report indicates that 86% of all cross-border complaints handled by the DPC as a leader concern only 10 data controllers.
Almost two-thirds of cross-border complaints handled by the DPC as lead authority were initially lodged with another European data authority and transferred to the DPC, the report says.
The DPC report says “many” of the remaining open complaints from 2018 and 2019 are related to an investigation.