- Irish Data Protection Commission Irish fined Meta €251 million over 2018 global personal data breach
- The DPC said the breach contravened some sections of the GDPR
- The decision is the latest in the many fines against Meta in 2024 alone
The Irish Data Protection Commission (DPC) has fined Meta €251 million in Europe over a 2018 personal data breach that affected 29 million Facebook users globally.
The DPC announced the fine on Tuesday, December 17, noting that the breach in September 2018 was reported by Meta Platforms Ireland Limited (MPIL), with approximately three million out of the 29 million affected users based in the EU.
It said the breach affected personal data such as a user’s full name, email address, phone number, location, place of work, date of birth, religion, gender, posts on timelines, groups of which a user was a member, and children’s personal data.
The DPC noted that unauthorised third parties exploited user tokens on Facebook and gained the ability to log on as the account holder between September 14 and 28, 2018.
It added that the breach was remedied by MPIL and its US parent company shortly after its discovery.
The DPC stated, “The decisions, which were made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251 million.”
Details of infringements and penalties
The DPC said Meta contravened some sections of the GDPR, which led to the commission taking two decisions against the social media company, resulting in the €251 million fine.
The first decision pertained to Meta breaching Article 33(3) of the GDPR by not including in its breach notification all the information required by that provision that it could and should have included.
It said, “The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
“By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance.
“The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.”
The DPC said its second decision was based on Meta’s contravention of Article 25(1) of the GDPR by failing to ensure that data protection principles were protected in the design of processing systems.
The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.
The DPC said it also found that MPIL had infringed the provisions of Article 25(2) of the GDPR, and ordered it to pay administrative fines of €110 million.
Comment on the DPC’s decision
The DPC’s Deputy Commissioner, Graham Doyle, noted that the decisions highlights the need to build data protection requirements into the design and development of products to avoid exposing individuals to risks.
Doyle said, “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
The many fines against Meta
Meta has been slammed with fines in 2024, all relating to privacy policies and unfair trading conditions.
In November, the EU fined Meta €797 million for integrating its classified ads platform, Facebook Marketplace, directly into its core social network, Facebook, and imposing unfair trading conditions on other online classified ad providers.
In July, Meta Platforms Incorporated was fined $220 million by Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and the Nigeria Data Protection Commission (NDPC) after a joint investigation into its conduct, privacy policies, the operation thereof, and practices between May 2021 and December 2023.
The investigations said Meta allegedly infringed on such rights as denying Nigerian data subjects the right to self-determine; unauthorised transfer and sharing of Nigerian data-subjects personal data, including cross-border storage in violation of then, and now prevailing law; discrimination and disparate treatment and abuse of Dominance.
Meta to cut metaverse budget by 20%
Meanwhile, TheRadar reported that Meta, the parent company of Facebook, Instagram, and WhatsApp, is set to cut the budget of Reality Labs by some 20 per cent between 2024 and 2026. Reality Labs is the division of the company responsible for the development of its metaverse hardware and software.
This is based on a report from The Information and is consistent with recent reports that Meta intends to put Reality Labs into production in advance of multiple high-profile hardware launches that are scheduled to occur over the course of the next few years.
