Meta Hit with a €251 Million Fine For Compliance Failures Amid Data Breach

The Irish Data Protection Commission (DPC) hit Meta Platforms Ireland Limited (MPIL) with a fine of €251 million following two inquiries into a 2018 data breach. The breach affected approximately 29 million Facebook accounts globally, with about 3 million of those accounts based in the EU/EEA. The personal data exposed included users’ full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, timeline posts, group memberships, and children’s personal data. The breach was a result of the exploitation of user tokens by unauthorized third parties. The DPC’s investigation concluded that MPIL had violated multiple articles of the GDPR.

MPIL was reprimanded for failing to include all necessary information in its breach notification, resulting in an €8 million fine. Additionally, MPIL was found to have failed to adequately document the facts related to each breach and the steps taken to remedy them, which led to an additional €3 million fine. The DPC also determined that MPIL had failed to build data protection principles into the design of its processing systems, leading to a significant €130 million fine. Furthermore, MPIL failed to ensure that only necessary personal data was processed by default, resulting in another significant €110 million fine.

The DPC emphasized the importance of building data protection requirements into the design and development cycle to prevent serious risks and harm. Deputy Commissioner Graham Doyle noted that the failure to protect user profile information, which often includes sensitive data such as religious or political beliefs, sexual orientation, or other private matters, exposed individuals to serious risks of data misuse. According to the DPC, the vulnerability behind the breach created a grave risk of misuse of this sensitive data because it permitted unauthorized exposure of profile information.