Mark Zuckerberg’s Meta wants the High Court to overturn a “wholly disproportionate” €91 million penalty imposed on it by Ireland’s data protection regulator for improperly storing user passwords.
The fines, which were imposed last September under the General Data Protection Regulation (GDPR), relate to a 2019 incident where it was discovered the company had stored some user passwords in plaintext, which is an easily readable format, instead of applying encryption.
Meta, which operates Facebook and Instagram, claims the Data Protection Commission (DPC) failed to consider whether the fines totalling €91 million were “effective, proportionate and dissuasive”, as required by the GDPR.
The principle of proportionality is a “fundamental principle” of European Union (EU) law, but the €91 million penalties are “excessive and go beyond what is required to be effective and dissuasive”, Meta says.
The company further claims that the commission acted in breach of fair procedures and due process by calculating the fine by reference to Meta’s global turnover without affording it full rights of defence.
Meta is asking the High Court to quash the DPC’s September 2024 decision and accompanying fines totalling €91 million.
It also seeks a court declaration that sections of the Irish Data Protection Act are unconstitutional and incompatible with the State’s obligations under the European Convention on Human Rights.
Also among the company’s claims is that the DPC “misinterpreted and misapplied” an article of the GDPR that defines a “personal data breach” and wrongly concluded that every plaintext password logged amounted to “personal data”.
Meta accepted some of the instances were personal data, but in many cases the plaintext passwords were not logged alongside identifying features, it says.
Meta claims the DPC incorrectly found there had been “unauthorised disclosure of, or access to, personal data”.
There was, in fact, no disclosure or access to personal data in relation to the issue, the company says.
The case came before Ms Justice Mary Rose Gearty on Monday, when she made an order permitting Meta to pursue its claims via the court’s judicial review mechanism. She heard the application while only Meta was represented in court.
Meta’s lawyers said the company has also initiated a statutory appeal over the same September 2024 decision.
The €93 million fine is one of several imposed by the DPC on Meta. The most significant was issued in May 2023, when the company was fined a record €1.2 billion for violating European privacy rules, following a long investigation into transfers by Facebook of Europeans’ personal data to the US.
This decision is the subject of a High Court challenge by Meta.
Last December the regulator handed down a €251 million fine following a data breach, affecting 29 million Facebook accounts globally, that was reported by Meta in September 2018.
A €265 million penalty was given in 2022 over a “collated” set of Facebook personal data that had been uploaded on to an online forum.