Irish SA fines Meta Platforms (formerly Facebook) €17M for data breaches

22 March 2022

Background information

Date of final decision: 15 March 2022
Cross-border case or national case: Cross-border
If cross-border, LSA: Ireland
and CSAs: All other EU DPAs
Controller: Meta Platforms Ireland Limited (formerly Facebook Ireland Limited)
Legal Reference: Articles 5(1)(f), 5(2), 24(1) and 32(1) GDPR
Decision: Administrative fine of €17m imposed
Key words: Personal data breach; demonstration of implementation of security measures in practice


Summary of the Decision

Origin of the case

The DPC launched an inquiry of its own-volition, arising from receipt of a series of twelve data breach notifications in the six month period between 7 June 2018 and 4 December 2018.  The purpose of the inquiry was to examine the extent to which Meta Platforms Ireland Limited (“Meta Platforms”) achieved compliance with the requirements of Articles 5(1)(f), 5(2), 24(1) and 32(1) GDPR in relation to the processing of personal data relevant to the twelve breach notifications.

Key Findings

The DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR.  While the DPC found that the information and supporting documentary evidence provided by Meta Platforms during the course of the inquiry could be considered analogous to industry best practice and the state of the art, Meta Platforms failed to have in place appropriate technical and organisational measures such as would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.


Infringements found of Articles 5(2) and 24(1) GDPR. Administrative fine of €17m imposed in respect of the infringement of Article 5(2) GDPR.

For further information: decision in national language