The consensus among data security professionals is that a security breach is not a matter of if, but a matter of when.
Breaches lead to regulatory attention, and even the slickest operations can be undone under scrutiny. This scrutiny can expose holes or lapses in a business's privacy practices (whether these lapses are flagrant rule violations or simply unintentional).
On Tuesday, the Irish Data Protection Commission issued Facebook’s parent company (Meta Platforms) with a fine of €17 million for a series of security lapses that occurred in violation of GDPR laws. The fine stems from a security-related inquiry opened by the DPC following 12 data breach notifications received from Facebook in the period between 7 June 2018 and 4 December 2018. This follows a €225 million fine issued in September 2021 for another GDPR violation in connection with a DPC investigation into security issues in Meta's WhatsApp communication service.
In reaction to Tuesday's developments, Meta shared a statement in which it claimed that “this fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information”.
Notwithstanding Meta's assertion that it did not risk exposing users' data, cyber threats and data breaches remain inevitable. These risks emphasise the importance not only of maintaining up-to-date policies which meet privacy laws and protect against the latest threats, but also of ensuring that a business is capable of demonstrating that its compliance is correctly evidenced in the event of third-party scrutiny.
The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches. www.dataprotection.ie/...