Impose Fine, Get Sued: A Day at the Irish DPC
Watchdog Fines Meta the Same Day It Gets Sued Over 'Inaction' in Google Case
On Tuesday, Ireland's Data Protection Commission imposed a penalty of $18.6 million on Meta Platforms Ireland Ltd. - formerly Facebook Ireland Ltd. - for failing to implement measures required by the GDPR in connection with a series of personal data breaches. Ironically, on the same day, a senior fellow at the Irish Council for Civil Liberties, a nonprofit organization, sued the privacy watchdog for not protecting citizens from the "biggest data breach ever recorded," aka the Google Real-Time Bidding data breach.
Meta Fined Over GDPR Issues
The DPC penalized Meta Platforms based on the findings of an inquiry into a series of 12 data breach notifications it received between June and December 2018, according to a statement from the commission.
Data Protection Commission announces decision in Meta (Facebook) inquiry https://t.co/agccC3j7YM
— Data Protection Commission Ireland (@DPCIreland) March 15, 2022
The DPC investigated whether Meta Platforms adhered to the requirements of GDPR Articles 5(1)(f) (integrity and confidentiality), 5(2) (accountability), 24(1) (responsibility of the controller) and 32(1) (security of processing), based on the data breach notifications it had received. "As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR," the DPC says.
Meta Platforms, it says, did not have appropriate technical and organizational measures in place that would allow it to readily demonstrate the security measures protecting the personal data involved in those 12 breaches.
A Meta spokesperson told Information Security Media Group: "This fine is about record-keeping practices from 2018 that we have since updated, not a failure to protect people's information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve."
Although two European Union-based supervisory authorities initially objected to the DPC's draft decision, a consensus was reached later, reflecting the "views of both the DPC and its counterpart supervisory authorities throughout the EU," the DPC says.
Take GDPR Seriously
Companies must realize that GDPR is a data privacy regulation that has teeth, and the fines imposed on big banner names such as Google, British Airways and Marriott are a testament to it, says Thomas Stoesser, data security expert at cybersecurity firm comforte AG.
"It should be clear by now that more big fines will be handed out if organizations fail to take data privacy seriously. Former U.K. Information Commissioner Elizabeth Denham pointed out something a couple of years ago that many companies don't yet seem to understand: The personal data that they are processing and storing is not their property. They have only been entrusted with it. That is a big difference," Stoesser tells Information Security Media Group.
A good starting point for organizations such as Meta to protect customer data adequately would be to take a serious approach to data security and use modern data security platforms that offer different protection methods to preserve privacy, Stoesser says.
DPC Sued for Inaction
The Irish Council for Civil Liberties says that it has sued the DPC for not protecting Irish citizens from the "biggest data breach ever recorded," referencing Google's Real-Time Bidding online advertising data breach.
But a DPC spokesperson clarifies to ISMG that the ICCL organization is not the plaintiff. The plaintiff is Johnny Ryan, a senior fellow at ICCL.
"I would like [to] make the point that it is not the case that ICCL are suing the DPC. ICCL are not party to this judicial review and therefore have no standing in the case. The leave was sought by Mr. Ryan," the DPC spokesperson tells ISMG.
ISMG further verified this from a picture of the cover page of the judicial review filed at the High Court by the claimant, Ryan, which he had tweeted a couple of days earlier.
We are taking the Irish Data Protection Commission to court. For 3½ years it has failed to act on a GDPR complaint against Google's massive Real-Time Bidding ("RTB") advertising data breach. https://t.co/TIxgXEglb4
— Johnny Ryan (@johnnyryan) March 14, 2022
Ryan says that "the DPC was created to protect us against the illegal collection and use of intimate data about us. But it has failed to act in this landmark case, despite the passage of three and a half years and having detailed evidence of Google's massive and ongoing data breach."
Liam Herrick, the executive director of ICCL, says, "We are concerned that the rights of individuals across the EU are in jeopardy, because the DPC has failed to investigate Google's RTB system. The issue at stake here affects the rights of every European, and we are going to court to see that digital rights are protected. Repeated attempts to get the DPC to take up this rights violation have failed."
RTB: A Cause for Concern
Google's Real-Time Bidding is a program that allows authorized buyers to bid for display, mobile and video advertising impressions - automatically and in real time. Google publishes an RTB protocol that defines the bid requests it sends to those buyers, but the plaintiff, Ryan, alleges that RTB broadcasts private information about users to more than 1,000 other tracking companies in a split second.
"There is no control over what those companies do with this sensitive data [and] this infringes the cardinal GDPR principle that companies must protect personal data," Ryan says.
According to the lawsuit filed, Google operates this allegedly unlawful RTB system on millions of websites, broadcasting personal data to other tracking companies billions of times a day, which makes it "the largest data breach ever."
Ryan initially flagged the practice to the DPC in May 2017 and lodged a formal complaint on the matter in September 2018. Here is the timeline of events:
- May 2017: The DPC was alerted to a massive online ads security breach.
- September 2018: Ryan lodged a GDPR complaint.
- May 2019: The DPC confirmed that it had launched an inquiry.
- January 2022: The DPC set out the scope of what it would investigate but declined to investigate the security aspects of the complaint.
- March 2022: Ryan filed a lawsuit against the DPC over its prolonged inaction.
The intent behind suing the DPC and taking it to court, Ryan tells ISMG, is that "we want to see that it takes action [against all those violating the GDPR compliance]."
According to local Irish media, the lawsuit was brought before Justice Charles Meenan, who - on an ex parte basis - granted Ryan permission to bring his challenge, which will be heard in May.
"The merits of the case are yet to be heard, and we will be defending our position," a DPC spokesperson tells ISMG. The spokesperson says the investigation of the Google violations reported by Ryan is "proceeding at pace."