Meta Platforms has been fined $263 million (€251 million) by Ireland’s Data Protection Commission (DPC) for failing to adequately protect users’ data, following a major 2018 security breach that exposed the personal information of millions of Facebook accounts globally.

Data breaches

The Irish regulator said Meta failed to implement sufficient safeguards in its video upload function; attackers exploited a vulnerability in that feature to gain full access to around 29 million Facebook accounts worldwide, including approximately 3 million based in the European Union.

The compromised personal data included users’ full names, email addresses, phone numbers, locations, workplaces, dates of birth, and group memberships, according to the DPC. Sensitive details such as religious beliefs, gender, and children’s personal information were also exposed.

Meta Ireland, Facebook’s European subsidiary, reported the breach in September 2018 after resolving the issue alongside its US-based parent company.

The DPC’s final decision highlighted four infringements of the EU’s General Data Protection Regulation (GDPR), which governs data protection standards across the bloc. The findings included violations of Articles 25 and 33 of the GDPR, relating to the failure to build in data protection by design and default, and deficiencies in breach notification and documentation processes.

Hefty fines

The commission imposed a series of administrative fines, including $136.5 million for failing to ensure data protection principles in system design and $115.5 million for not processing only necessary personal data by default. Additional penalties of $11.6 million were issued for inadequacies in breach reporting and documentation.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC Deputy Commissioner Graham Doyle.

“By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Meta acted swiftly to address the breach and notify affected users and regulators, AFP reported, quoting a company spokesperson.

Recent fines

The decision marks the latest in a series of fines against Meta and other major technology companies under the GDPR. Ireland’s DPC, which oversees many global tech giants headquartered in Dublin, has been at the forefront of enforcement.

Meta was fined $95.5 million in September for failing to protect users’ passwords, while LinkedIn recently received a $325.5 million penalty for breaches involving targeted advertising.

The European Union introduced the GDPR in 2018 to enhance consumer privacy and hold companies accountable for personal data protection. Tech firms such as Google, Apple, and Meta face increasing scrutiny as regulators across the globe step up enforcement on issues ranging from privacy to competition.

Despite the fines, the penalties remain small relative to the billions of dollars earned annually by tech giants like Meta.