Facebook’s parent company, Meta, has been fined $18 million USD under the European Union’s GDPR regulation for multiple data breaches. This comes at a time when regulators have begun investigating the social media giant for monopolistic practices.
GDPR, or the General Data Protection Regulation, is the European Union’s (EU) law pertaining to the collection and protection of users’ data. In basic terms, the regulation makes companies responsible for their customers’ data and privacy. This includes protecting it, making sure that their customers’ data can be removed from their tracking software, and informing them within 72 hours if there is a breach.
The important thing to note is that this regulation applies to any company that does business on the continent. This means airlines, banks and social media giants must comply with this regulation or be fined up to 4% of their GDP. (1)
Facebook’s fines stem from several incidents around the time the GDPR went into effect in May 2018. From June to September of that year, the company reported twelve different breaches to Ireland’s Data Protection Commission (DPC). After several years of investigating, the commission came down with the US equivalent of $18 million in fines, for failure to protect customers’ data and for failure to disclose the breaches in a timely manner.
“The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six-month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.”(2)
This is not the first time a Facebook-connected company was hit with a GDPR-related fine. In September 2021, WhatsApp, one of Meta’s subsidiaries, was fined $267 million by the same regulator for lack of transparency on how they reported their data.
The GDPR outlines what must be reported, and letting customers know what their data is being used for is one of the core components of this rule. “In sum, the DPC found a range of transparency infringements by WhatsApp — spanning articles 5(1)(a); 12, 13 and 14 of the GDPR. In addition to issuing a sizeable financial penalty, it has ordered WhatsApp to take a number of actions to improve the level of transparency it offers users and non-users — giving the tech giant a three-month deadline for making all the ordered changes.”(3)
Facebook’s fine shows that the EU has begun to crack down on privacy breaches. With the increase in cyber-attacks, especially in the wake of recent events, it’s imperative that companies learn to comply with this regulation and protect their customers’ data, or they could face large fines.
As a broker for cyber insurance, PL Risk and Axis Insurance can identify what needs to be done in order to be covered by cyber insurance. Many carriers are putting limitations and exclusions on their forms that will deny coverage if policyholders don’t follow procedures to protect their own data and their customers’ data.