Meta has been fined $18.6 million by the Irish Data Protection Commission (DPC) for Facebook’s 2018 breaches of the European Union’s General Data Protection Regulation (GDPR). 


The Irish Data Protection Commission (DPC) announced the results of its inquiry into 12 data breach notifications it received over six months, between June 7, 2018 and December 4, 2018. The DPC found that Meta failed to have appropriate security measures in place that would enable it to demonstrate the policies and procedures it had implemented to protect European Union users’ data. According to TechCrunch, both data breaches impacted up to 30 million Facebook users.


A spokesperson for Meta said, “This fine is about record-keeping practices from 2018 that we have since (been) updated, not a failure to protect people’s information.”


The DPC noted that two other authorities raised objections to its draft decision on the inquiry into the 12 data breaches, but consensus was reached through further engagement between the DPC and the other supervisory authorities. The DPC’s decision represents the collective views of the European Union, the DPC said.


By now, many companies have been fined by the Data Protection Commission in Ireland, including big brands like Google, British Airways, and Marriott. These are just a few of the multi-million fines that have been administered in the past four years since the GDPR became enforceable, explains Thomas Stoesser, director and cybersecurity expert with data security specialists comforte AG. 


Data privacy and data security regulators in the European Union are taking their oversight responsibility seriously, says John Bambenek, cybersecurity leader and Principal Threat Hunter at Netenrich, “particularly when it comes to large tech companies known to vacuum up massive amounts of user data, in ensuring data privacy of its citizens.” That said, Bambenek says the fine barely registers “as loose change in an old couch for a company like Meta,” and it is doubtful that much of the company’s data security and data privacy procedures will change as a result of the fine.


However, it should be clear that more big fines will be administered if organizations fail to take data security and privacy seriously, says Stoesser. “A couple of years ago, the former information commissioner Elizabeth Denham pointed out something that many companies don’t yet seem to understand: The personal data that they are processing and storing is not their property. They have only been entrusted with it. That is a big difference.”


So what can organizations like Meta do to adequately protect their users’ data privacy? While it may seem obvious, Stoesser says organizations need to take a serious approach to data security. “There are proven methods available that can prevent such data breaches,” Stoesser explains. “Modern data security platforms that offer different protection methods to preserve privacy are a great example.”