Meta Platforms Ireland Limited (formerly known as Facebook Ireland Limited) - March 2022

Section: Decisions made under Data Protection Act 2018
Page 1 of 61
In the matter of the General Data Protection Regulation
DPC Case Reference: IN 18-11-5
In the matter of Meta Platforms Ireland Limited (formerly known as Facebook Ireland Limited)
Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act,
2018 and Article 60 of the General Data Protection Regulation
Further to an own-volition inquiry pursuant to Section 110 of the Data Protection Act, 2018
DECISION
Decision-Maker for the Commission:
Helen Dixon
________________________________
Commissioner for Data Protection
Dated the 15th day of March 2022
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
INTRODUCTION
1. This is the decision (“the Decision”) of the Data Protection Commission (“the DPC”), made pursuant
to Section 111 of the Data Protection Act, 2018 (“the 2018 Act”) and in accordance with Article 60 of
Regulation (EU) 2016/679 (General Data Protection Regulation) (“the GDPR”), arising from an inquiry
conducted by the DPC of its own volition under Section 110(1) of the 2018 Act (“the Inquiry”).
2. The Inquiry was commenced on 11 December 2018 in respect of twelve personal data breaches (“the
Breaches”) which were notified to the DPC by or on behalf of Facebook Ireland Limited (FB-I) on
dates between 7 June 2018 and 4 December 2018. While Facebook Ireland Limited has since
changed its name to Meta Platforms Ireland Limited, with effect from 5 January 2022, the relevant
events, for the purpose of the Inquiry, occurred prior to this name change. In the circumstances, the
term “FB-I” is used throughout this Decision to denote Meta Platforms Ireland Limited, the company
formerly known as Facebook Ireland Limited. Similarly, Facebook, Inc. changed its name to Meta
Platforms, Inc. on 28 October 2021 and any references, within this Decision, to “Facebook, Inc.”
should be understood as meaning Meta Platforms, Inc., the company formerly known as Facebook,
Inc.
3. This Decision sets out my findings, as the decision-maker for the DPC in this matter, as to whether (i)
an infringement of a relevant enactment by FB-I, the controller to which the Inquiry relates, has
occurred or is occurring, and (ii) if so, whether a corrective power should be exercised in respect of
FB-I as the controller concerned, and the corrective power that is to be so exercised. An infringement
of a relevant enactment, for this purpose, means an infringement of the GDPR, or an infringement
of a provision of, or regulation under, the 2018 Act which gives further effect to the GDPR.[1]
4. For the avoidance of doubt, this Decision represents the collective views of the Commission and
supervisory authorities concerned[2] (“CSAs”, each one being a “CSA”), further to the
co-decision-making process outlined in Article 60 GDPR.
PRELIMINARY MATTERS
Controller and processor
5. This Decision is addressed to Meta Platforms Ireland Limited, a private company limited by shares
with registered offices at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. As already
noted above, Meta Platforms Ireland Limited became the new name of Facebook Ireland Limited,
effective 5 January 2022. Each of the breach notifications[3] submitted to the DPC in respect of the
Breaches were submitted by or on behalf of FB-I as a controller within the meaning of Article 4(7)
GDPR. FB-I had confirmed to the DPC previously by email dated 25 May 2018 that FB-I was the
controller for the Facebook service and the Instagram service in the EU. It is understood that FB-I is
also the controller for the provision of the Facebook and Instagram services to users in the other EEA
states (Norway, Liechtenstein and Iceland).[4] In the Inquiry, FB-I specifically stated that, as controller,
it determines the purposes and means of processing of the personal data of EU users[5] which I assume
to include users in the other EEA states.
[1] Sections 105(1) and 107 of the 2018 Act.
[2] As defined in Article 4(22) GDPR.
[3] References in this Decision to breach notifications are references to notifications made via the DPC’s
Cross-Border Breach Notification Form, used to facilitate controllers in making personal data breach notifications
involving cross-border processing within the meaning of Article 4(23) GDPR. Between 7 June 2018 and 4
December 2018, the Cross-Border Breach Notification Form was available for download on the DPC’s website,
and the completed form submitted by email to the DPC with a self-declared ‘risk rating’ in the subject line,
indicating whether the controller considered the personal data breach to be ‘Low Risk’, ‘High Risk’, ‘Medium
Risk’, or ‘Severe Risk’. Due to revisions to the Cross-Border Breach Notification Form in that time period, six of
the Breaches (Breach 7, Breach 8, Breach 9, Breach 10, Breach 11, and Breach 12) were made using a newer
version of the form. Those six breach notifications were also accompanied by a copy of FB-I’s record of
processing activities for the purpose of Article 30 GDPR.
6. Facebook, Inc. (as it was then known) is a company incorporated under the laws of Delaware with an
address at 1601 Willow Road, Menlo Park, CA 94025, California, United States of America. FB-I has
confirmed in the Inquiry that Facebook, Inc. acted as a processor as defined in Article 4(8) GDPR in
relation to the data processing concerned by each of the Breaches.[6] In this regard, FB-I has outlined
that Facebook, Inc. processes the personal data of EU users of the Facebook and Instagram services
solely on FB-I’s behalf, as a processor, and that the relationship between the two entities as controller
and processor, respectively, is governed by a Data Transfer and Processing Agreement dated 25 May
2018 (“DTPA”) directed to meeting the requirements of Article 28(3) GDPR.[7] A copy of the DTPA was
provided to the DPC in the Inquiry.
7. I am satisfied, for the purposes of this Decision, that FB-I and Facebook, Inc. are appropriately
identified as the controller and processor, respectively, for the processing of personal data the
subject of the Inquiry.
Facebook and Instagram
8. The Breaches to which the Inquiry relates concern both the Facebook and Instagram services.
9. Facebook is a social media service available at the website www.facebook.com, and as an app for
Android and iOS. As of the end of December 2018, it had 2.32 billion monthly active users globally.[8]
In very broad overview, users with a Facebook account can create a profile containing personal
information, photos and interests, and connect with other users by adding them as ‘Friends’, or
(usually in the case of people they do not know personally) by ‘following’ another user’s profile. Each
user’s profile includes their Timeline, where they can post photos, videos, locations and status
updates, as well as see posts they have been ‘tagged’ in and posts written to their Timeline by
Friends. Users can also create and manage ‘Pages’ and ‘Groups’ and ‘Events’ around particular
interests, topics, or social activities. The homepage a user sees when they log into their account
contains a ‘Newsfeed’ showing a list of status updates, photos, videos, and ‘likes’ by other users,
Pages and Groups that they follow on Facebook, which is continuously updated. Users can ‘like’ or
comment on other users’ posts, ‘tag’ other users in posts, send messages to other users, and create
a Facebook Story which remains visible for 24 hours, among other features. The audience of content
that users share on Facebook can be edited depending on who the user wishes to see it (alternatives
include ‘Public’, ‘Friends’, or ‘Custom’). There is an option to remove (or ‘Unfriend’) a person who
the user had previously added as a Friend, and users can ‘block’ other users to prevent them from
(for example) seeing their profile or sending them messages.
[4] See, for example, information on users affected, including numbers in the other EEA states, in the updated
breach notification form for Breach 10 (4 January 2019) (Section 8.1, updating Section 5.5).
[5] FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), pages 1 to 2.
[6] FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), page 3 to 4
[7] FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), page 4.
[8] Press Release, Facebook Reports Fourth Quarter and Full Year 2018 Results (30 January 2019)
Fourth-Quarter-and-Full-Year-2018-Results/default.aspx>.
