The Irish Data Protection Commission is imposing a fine of €17m on Facebook parent company Meta.
The decision followed an inquiry by the commission into a series of 12 data breach notifications it received in the six-month period between 7 June 2018 and 4 December 2018.
The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR, the General Data Protection Regulation, in relation to the processing of personal data relevant to the 12 breach notifications.
The Data Protection Commission found that Meta Platforms failed to have in place appropriate technical and organisational measures that would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the 12 personal data breaches.
Given that the processing under examination constituted "cross-border" processing, all of the other European supervisory authorities were engaged as co-decision makers.
While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned.
Meanwhile, Meta has given its reaction to the DPC announcement.
"This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information," a Meta spokesperson said.
"We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve," the spokesperson added.
Separately, the Data Protection Commission has today released a report on its handling of complaints.
It comes amid criticism from privacy campaigners and civil liberty groups that the DPC's investigations of big tech firms are taking too long to conclude.
According to today's report, 65% of all cross-border complaints handled by the Data Protection Commission as the lead supervisory authority since May 2018 have been concluded.
82% of such complaints received in 2018 have been concluded and 75% of those received in 2019 have been concluded.
"86% of all cross-border complaints handled by the DPC as the lead supervisory authority relate to just 10 data controllers," according to the report.