Social media company Meta has been fined €251 million in Europe over a 2018 personal data breach that affected 29 million Facebook users globally.

The Irish Data Protection Commission (DPC), which announced the fine on Tuesday, said Meta Platforms Ireland Limited (‘MPIL’) reported the breach in September 2018.

Of the 29 million Facebook users affected by the breach, the DPC said approximately three million were based in the EU.

It added that the categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data.

The breach

The data protection watchdog said the breach arose from the exploitation by unauthorised third parties of user tokens on the Facebook platform.

Between September 14 and September 28, 2018, the DPC said, unauthorised persons used scripts to exploit a vulnerability in the Facebook platform's user tokens and gained the ability to log on as the account holder.

It pointed out, however, that the breach was remedied by MPIL and its US parent company shortly after its discovery.

“The decisions, which were made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251 million,” the DPC stated.

GDPR infringements

The Commission said two decisions were taken against Meta after its investigations revealed infringement of the GDPR.

In its first decision, the Commission said Meta breached Article 33(3) of the GDPR by not including in its breach notification all the information required by that provision that it could and should have included.

“The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.

“By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance.

“The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million,” it added.

In the second decision, the DPC said Meta contravened Article 25(1) of the GDPR by failing to ensure that data protection principles were built into the design of its processing systems.

The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.

The DPC said it also found that MPIL had infringed the provisions of Article 25(2) of the GDPR, and ordered it to pay administrative fines of €110 million.

Commenting on the decisions, DPC deputy commissioner Graham Doyle said:

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.

“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances.

“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

What you should know

The latest fine against Meta comes barely a month after the EU imposed a landmark €797 million fine on Mark Zuckerberg's company for linking its classified ads platform, Facebook Marketplace, directly to its core social network, Facebook, and imposing unfair trading conditions on other online classified ad providers.

In July, Nigeria's Federal Competition and Consumer Protection Commission (FCCPC) and the Nigeria Data Protection Commission (NDPC) also imposed a $220 million fine on Meta Platforms Incorporated following a joint investigation into the company's conduct, privacy policies, their operation, and its practices between May 2021 and December 2023.

The final order listed Meta's alleged infringements as: denying Nigerian data subjects the right to self-determination; unauthorised transfer and sharing of Nigerian data subjects' personal data, including cross-border storage in violation of the law prevailing then and now; discrimination and disparate treatment; and abuse of dominance.