The Irish data watchdog said Meta’s platforms had “failed to have in place appropriate technical and organisational measures” in the context of the 12 personal data breaches.
The data breach notifications were received by the DPC over a six-month period between June 7, 2018 and December 4, 2018, it said.
“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information,” a Meta spokesperson told AFP.
“We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”
Two European supervisory authorities working as part of the GDPR’s decision-making process raised objections to the initial DPC decision, but “consensus was achieved through further engagement between the DPC and the supervisory authorities,” the Irish commission said.
In September last year, Ireland hit WhatsApp with a record 225-million-euro fine following pressure from other European regulators to increase an initial penalty.
In a draft finding submitted to other European regulators for approval, the DPC proposed imposing a fine of between 30 and 50 million euros, but a number of national regulators rejected the figure, triggering the launch of a dispute resolution process.
The GDPR, which came into force in 2018, has been viewed as a powerful weapon for EU members to curb the excesses of big tech companies, giving national watchdogs cross-border powers and the possibility to impose sizeable fines for data misuse.
US Big Tech companies have faced probes and huge fines in Europe, as well as plans for EU-wide legislation to rein them in.