The Data Protection Commission (DPC) said on Tuesday it had imposed €251 million of fines following data breach inquiries into the main Irish unit of Meta, the parent of Facebook and Instagram.
The investigations follow a data breach, affecting 29 million Facebook accounts globally, that was reported by Meta Platforms Ireland Limited to the DPC in September 2018. Some three million of the affected accounts were based in the European Economic Area, the DPC said in a statement.
The categories of personal data affected included users’ names, workplaces, birth dates, religious beliefs and groups of which they were members.
The breach, in which unauthorised persons exploited a Facebook platform security issue to gain the ability to log on to millions of accounts globally, was remedied by the Irish company and its US parent “shortly after its discovery”, the DPC said.
“This enforcement action highlights how the failure to build in data-protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC deputy commissioner Graham Doyle.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
The case is the latest in a series of DPC actions against part of the world’s largest social media group.
Meta Platforms Ireland is pursuing a High Court challenge against a decision by the DPC in May last year to impose a record €1.2 billion fine on it for violating European privacy rules. It followed a long investigation into transfers by Facebook of Europeans’ personal data to the US.
The Irish watchdog had not proposed a financial penalty against Meta in its original draft decision in the case but was “instructed” to impose a fine after a dispute resolution process at the European Data Protection Board, the body of almost 50 national and regional data regulators that must approve any cross-border penalties for data violations.
The DPC reprimanded and imposed a fine of €91 million on the company three months ago for improperly storing user passwords. Meta Platforms Ireland has appealed this decision to the High Court.
The latest action brings total fines levied by the DPC on organisations over the past five years to more than €3.5 billion. However, the authorities had only collected €19.9 million of the total as of the end of October, with many of the sanctions still the subject of court appeal or other legal processes. All fines ultimately collected by the DPC go to the exchequer.
A spokesperson for Meta said that the group took immediate action to fix the problem as soon as it was identified, and proactively informed people affected as well as the DPC.
“We have a wide range of industry-leading measures in place to protect people across our platforms,” the spokesperson added.
Meta Platforms Ireland is also expected to appeal the latest DPC decision.