Facebook fined $18.6M over string of 2018 breaches of EU's GDPR

source link: https://finance.yahoo.com/news/facebook-fined-18-6m-over-162002171.html

Natasha Lomas
Wed, March 16, 2022, 1:20 AM

Facebook's parent company, Meta, has been fined €17 million (~$18.6M) by the Irish Data Protection Commission (DPC) over a string of historical data breaches.

The security lapses in question, which appear to have affected up to 30M Facebook users, date back several years -- and had been disclosed by Facebook to the Irish regulator in 2018.

The DPC, which is Meta/Facebook's lead privacy regulator in the European Union, opened this security-related inquiry in late 2018 after it received no fewer than 12 data breach notifications from the tech giant in the six-month period between June 7, 2018 and December 4, 2018.

The European Union's General Data Protection Regulation (GDPR) -- which came into application in May 2018 -- puts a legal requirement on data controllers to swiftly disclose breaches of personal data to a supervisory authority if the leak of information is likely to pose a risk to individuals. (The most serious breaches should be notified within 72 hours.)

"The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications," the DPC wrote in a press release announcing a final decision on its Facebook inquiry.

"As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches."

In a statement responding to the DPC's penalty, a Meta spokesperson sought to play down the episode as merely a case of historically lax record-keeping -- writing:

“This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information. We take our obligations under the GDPR seriously, and will carefully consider this decision as our processes continue to evolve.”

