On Tuesday, the Irish Data Protection Commission (DPC) imposed a fine of €17 million (approximately $18.6 million) on Meta Platforms, the parent company of Facebook and WhatsApp, due to a series of security failures that breached the European Union’s General Data Protection Regulation (GDPR).

The DPC determined that Meta Platforms did not implement necessary technical and organizational measures to adequately safeguard the personal data of European Union users. This ruling stemmed from an investigation into twelve separate incidents of data breaches reported between June 7 and December 4, 2018. According to the DPC, these breaches highlighted weaknesses in Meta’s ability to demonstrate effective security practices.

In a statement, the DPC emphasized that the violations were serious, with the regulator expressing particular concern over Meta’s lack of readiness in showcasing its data protection measures. The findings suggest a systematic failure to maintain adequate controls, which is critical for compliance under GDPR.

Meta responded to the fine by clarifying that the penalties were related to record-keeping practices from 2018 which have since been improved. The company asserted its commitment to GDPR compliance and pledged to reassess its procedures in light of the DPC’s decision.

This fine follows similar enforcement actions against WhatsApp, which was penalized €225 million in September 2021 for failing to meet transparency obligations under GDPR. The messaging platform subsequently updated its privacy policy to enhance clarity concerning the handling of European users’ data.

Against the backdrop of these penalties, other tech giants have also faced scrutiny. Notably, Amazon was fined $886.6 million in July 2021 for non-compliance with data-processing regulations. Earlier this year, both Meta and Google received fines from France for not providing users with an effective opt-out mechanism for cookie tracking technology, further illustrating the growing regulatory pressure on tech companies regarding data privacy.

The implications of these regulatory actions extend beyond fines: they highlight the importance of robust security measures in mitigating the risks associated with data breaches. Businesses, particularly in the tech sector, should take note of the tactics and techniques catalogued in the MITRE ATT&CK framework, which categorizes common adversarial behaviors, including the initial access and persistence tactics that correspond to the vulnerabilities exploited in breaches of this kind.

As companies continue to navigate the complex world of data protection, the necessity for transparent and effective security measures has never been more critical. The ongoing scrutiny from regulatory bodies underscores the importance of incorporating strong data governance practices to avoid significant financial penalties and reputational damage.
