Meta Platforms Ireland Limited (formerly known as Facebook Ireland Limited) - March 2022

SectionDecisions made under data protection act 2018
Page 1 of 61
In the matter of the General Data Protection Regulation
DPC Case Referenc e: IN 18-11-5
In the matter of Meta Platforms Ireland Limited (formerly known as Facebook Ireland Limited)
Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act,
2018 and Article 60 of the General Data Protection Regulaltion
Further to an own-volition inquiry pursuant to Section 110 of the Data Protection Act, 2018
Decision-Maker for the Commission:
Helen Dixon
Commissioner for Data Protection
Dated the 15th day of March 2022
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
Page 2 of 61
1. This is the decision (“the Decision) of the Data Protection Commission (“the DPC”), made pursuant
to Section 111 of the Data Protection Act, 2018 (“the 2018 Act) and in accordance with Article 60 of
Regulation (EU) 2016/679 (General Data Protection Regulation) (“the GDPR”), arising from an inquiry
conducted by the DPC of its own volition under Section 110(1) of the 2018 Act (“the Inquiry”).
2. The Inquiry was commenced on 11 December 2018 in respect of twelve personal data breaches (“the
Breaches”) which were notified to the DPC by or on behalf of Facebook Ireland Limited (FB-I) on
dates between 7 June 2018 and 4 December 2018. While Facebook Ireland Limited has since
changed its name to Meta Platforms Ireland Limited, with effect from 5 January 2022, the relevant
events, for the purpose of the Inquiry, occurred prior to this name change. In the circumstances, the
term “FB-I” is used throughout this Decision to denote Meta Platforms Ireland Limited, the company
formerly known as Facebook Ireland Limited. Similarly, Facebook, Inc. changed its name to Meta
Platforms, Inc. on 28 October 2021 and any references, within this Decision, to “Facebook, Inc.”
should be understood as meaning Meta Platforms, Inc., the company formerly known as Facebook,
3. This Decision sets out my findings, as the decision-maker for the DPC in this matter, as to whether (i)
an infringement of a relevant enactment by FB-I, the controller to which the Inquiry relates, has
occurred or is occurring, and (ii) if so, whether a corrective power should be exercised in respect of
FB-I as the controller concerned, and the corrective power that is to be so exercised. An infringement
of a relevant enactment, for this purpose, means an infringement of the GDPR, or an infringement
of a provision of, or regulation under, the 2018 Act which gives further effect to the GDPR.
4. For the avoidance of doubt, this Decision represents the collective views of the Commission and
supervisory authorities concerned
(“CSAs”, each one being a “CSA”), further to the co-decision-
making process outlined in Article 60 GDPR.
Controller and processor
5. This Decision is addressed to Meta Platforms Ireland Limited, a private company limited by shares
with registered offices at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. As already
noted above, Meta Platforms Ireland Limited became the new name of Facebook Ireland Limited,
effective 5 January 2 022. Each of the breach notifications
submitted to the DPC in respect of the
Breaches were submitted by or on behalf of FB-I as a controller within the meaning of Article 4(7)
Sections 105(1) and 107 of the 2018 Act.
As defined in Article 4(22) GDPR.
References in this Decision to breach notifications are references to notifications made via the DPC’s Cross-
Border Breach Notification Form, used to facilitate controllers in making personal data breach notifications
involving cross-border processing within the meaning of Article 4(23) GDPR. Be tween 7 June 2018 and 4
December 2018, the Cross-Border Breach Notification Form was available for download on the DPC’s website,
and the completed form submitted by email to the DPC with a self -declared ‘risk rating’ in the subject line,
indicating whether the controller considered the personal data breach to be ‘Low Risk’, ‘High Risk’, ‘Medium
Risk’, or ‘Severe Risk’. Due to revisions to the Cross-Border Breach Notification Form in that time period, six of
the Breaches (Brea ch 7, Breach 8, Breach 9, Breach 10, Breach 11, and Breach 12) were made using a newer
version of the form. Those six breach notifications were also accompanied by a copy of FB -I’s record of
processing activities for the purpose of Article 30 GDPR.
Page 3 of 61
GDPR. FB-I had confirmed to the DPC previously by email dated 25 May 2018 that FB-I was the
controller for the Facebook service and the Instagram service in the EU. It is understood that FB-I is
also the controller for the provision of the Facebook and Instagram services to users in the other EEA
states (Norway, Liechtenstein and Iceland).
In the Inquiry, FB-I specifically stated that, as controller,
it determines the purposes and means of processing of the personal data of EU users
which I assume
to include users in the other EEA states.
6. Facebook, Inc. (as it was then known) is a company incorporated under the laws of Delaware with an
address at 1601 Willow Road, Menlo Park, CA 94025, California, United States of America. FB-I has
confirmed in the Inquiry that Facebook, Inc. acted as a processor as defined in Article 4(8) GDPR in
relation to the data processing concerned by each of the Breaches.
In this regard, FB-I has outlined
that Facebook, Inc. processes the personal data of EU users of the Facebook and Instagram services
solely on FB-I’s behalf, as a processor, and that the relationship between the two entities as controller
and processor, respectively, is governed by a Data Transfer and Processing Agreement dated 25 May
2018 (“DTPA”) directed to meeting the requirements of Article 28(3) GDPR.
A copy of the DTPA was
provided to the DPC in the Inquiry.
7. I am satisfied, for the purposes of this Decision, that FB-I and Facebook, Inc. are appropriately
identified as the controller and processor, respectively, for the processing of personal data the
subject of the Inquiry.
Facebook and Instagram
8. The Breaches to which the Inquiry relates concern both the Facebook and Instagram services.
9. Facebook is a social media service available at the website, and as an app for
Android and iOS. As of the end of December 2018, it had 2.32 billion monthly active users globally.
In very broad overview, users with a Facebook account can create a profile containing personal
information, photos and interests, and connect with other users by adding them as ‘Frie nds, or
(usually in the case of people they do not know personally) by ‘following’ another user’s profile. Each
user’s profile includes their Timeline, where they can post photos, videos, locations and status
updates, as well as see posts they have been ‘tagged’ in and posts written to their Timeline by
Friends. Users can also create and manage ‘Pages’ and ‘Groups’ and ‘Events around particular
interests, topics, or social activities. The homepage a user sees when they log into their account
contains a ‘Newsfeed’ showing a list of status updates, photos, videos, and ‘likes by other users,
Pages and Groups that they follow on Facebook, which is continuously updated. Users can ‘like’ or
comment on other users posts, ‘tag’ other users in posts, send messages to other users, and create
a Facebook Story which remains visible for 24 hours, among other features. The audience of content
that users share on Facebook can be edited depending on who the user wishes to see it (alternatives
include ‘Public’, ‘Friends’, or ‘Custom’). There is an option to remove (or ‘ Unfriend’) a person who
the user had pr eviously added as a Friend, and users can ‘block’ other users to prevent them from
(for example) seeing their profile or sending them messages.
See, for example, information on users affected, in cluding numbers in the other EEA states, in the updated
breach notification form for Breach 10 (4 January 2019) (Section 8.1, updating Section 5.5).
FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 20 19), pages 1 to 2.
FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), page 3 to 4
FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2 019), page 4.
Press Release, Facebook Reports Fourth Quarter and Full Year 2018 Results (30 January 2019)

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT