The Irish Data Protection Authority (DPC) Tuesday fined Meta Platforms Ireland Limited €17m for a series of data breaches affecting up to 30 million Facebook users that were disclosed to the Irish DPC by the social media company in 2018.

The Irish DPC is Meta’s lead privacy regulator in the EU and opened this inquiry after receiving 12 data breach notifications within a six-month period from 7 June 2018 to 4 December 2018. The inquiry examined Meta’s compliance with the GDPR’s personal data processing rules under Articles 5(1)(f), 5(2), 24(1), and 32(1)

It found that the company had breached Articles 5(2) and 24(1) by failing to put in place “appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data.”

As the data processing under inquiry involved cross-border cases, other European supervisory authorities were engaged as co-decision makers as per Article 60 of the GDPR. The decision represents the collective views of the Irish DPC and its counterpart European supervisory authorities.

The penalty is the first final decision of the Irish DPC against Facebook and Meta since the GDPR came into force. The authority had fined Meta subsidiary WhatsApp Ireland Ltd. in September last year for failing to comply with the GDPR’s transparency rules. In general, the Irish DPC has faced criticism for its slow pace and deferential approach towards GDPR enforcement against big tech.

Recently, the Irish Council for Civil Liberties, a civil liberties group, sued the Irish DPC for failing to thoroughly investigate a complaint made about Google and IAB Europe’s procession of personal data.