Meta was fined again by the Irish Data Protection Commission (DPC). It was levied €251 million for failing to report a 2018 data breach that affected roughly 29 million Facebook accounts worldwide.
On Tuesday [December 18, 2024], the Irish DPC declared its decision to fine the Mark Zuckerberg-owned company following two inquiries into Meta Platforms Ireland Limited (‘MPIL’).
The DPC launched these own-volition inquiries following a personal data breach reported by MPIL in September 2018.
Children’s Personal Data Affected
Among the 29 million Facebook account holders impacted worldwide, 3 million of them were based in the EU/EEA.
The DPC reported that the compromised personal data covered a broad range of users' profile information.
This included the user’s full name, email address, phone number, location, place of work, date of birth, religion, gender, posts on timelines, and groups of which a user was a member.
In addition to the personal data of adult Facebook users, children’s personal data too was compromised in the Meta breach.
The data breach was a result of an unauthorised third party exploiting user access tokens.
Despite taking immediate action to address a bug in its 'View As' feature, Facebook was found to have violated several GDPR articles.
Meta Violated 4 GDPR Articles
The DPC provided a list of 4 GDPR violations including Article 33(3), Article 33(5), Article 25(1) and Article 25(2).
The DPC explained the first violation as MPIL's failure to include in its breach notification all the information required by that provision, information that could and should have been included. For this failure, the DPC reprimanded MPIL and ordered it to pay administrative fines of €8 million.
Under Article 33(5) GDPR, Meta failed to document the facts relating to each breach and the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC ordered the firm to pay administrative fines of €3 million.
Concerning Article 25(1) GDPR, Facebook's parent company failed to ensure that data protection principles were upheld in the design of its processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and imposed administrative fines of €130 million.
Lastly, concerning the Article 25(2) violation, Meta failed in its obligations as the controller to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC levied MPIL with administrative fines of €110 million.
The fines levied on Meta total €251 million.
DPC Deputy Commissioner Graham Doyle expressed in an official statement that this enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, life or orientation, and similar matters that a user may wish to disclose only in particular circumstances,” Doyle added.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”