Meta Platforms Ireland Limited (MPIL), a subsidiary of the global tech company Meta, has been fined €251 million by the Irish Data Protection Commission (DPC) for a 2018 data breach affecting 29 million Facebook users. The breach exposed sensitive user information, including identities, locations, and personal preferences, and highlighted major shortcomings in the company’s compliance with EU data protection laws.
The 2018 Data Breach: A Timeline
In September 2018, Meta reported to the Irish regulator that attackers exploited vulnerabilities in Facebook’s “View As” feature. This tool, designed to let users preview their profiles as others see them, was manipulated using automated scripts to gain unauthorised access to user accounts.
The breach exposed personal details, such as names, email addresses, phone numbers, workplaces, birth dates, religious affiliations, and even children’s data.
While Meta quickly patched the vulnerability, the DPC’s investigation revealed significant gaps in the company’s handling of the incident under the EU’s General Data Protection Regulation (GDPR).
GDPR Violations and Fines
The DPC identified two key areas where Meta fell short, resulting in financial penalties:
- Failure to Notify Adequately:
Meta failed to provide comprehensive details in its breach notification, violating GDPR Article 33(3). This resulted in an €8 million fine. Furthermore, its incomplete documentation of the incident led to an additional €3 million penalty.
- Inadequate System Design:
The company was found to have failed to integrate data protection principles into its system design, as required by GDPR Articles 25(1) and 25(2). This negligence led to €130 million and €110 million fines, respectively.
DPC’s Warning on Privacy Risks
Graham Doyle, deputy commissioner of the DPC, emphasised the potential misuse of exposed data, including sensitive information about users’ political views, religious beliefs, and sexual orientation. These risks, he noted, could have serious implications for users’ privacy and safety.
Meta’s Mounting Fines Across Regions
This penalty adds to Meta’s mounting fines in Europe, bringing its total GDPR-related penalties to nearly €3 billion since 2018. In 2023, the company was hit with a record €1.2 billion fine. Meta has announced plans to appeal the latest ruling.
The spotlight on Meta’s data handling practices isn’t limited to Europe. In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and Nigeria Data Protection Commission (NDPC) jointly fined Meta $220 million for privacy violations, including unauthorised data transfers and non-compliance with cross-border storage regulations.
Credit: TechEconomy (Text Excluding Headline)