Meta Platforms, the parent company of Facebook and Instagram, has been hit with a €251 million fine by the Irish Data Protection Commission (DPC) over a 2018 data breach affecting 29 million Facebook accounts globally.
Key Details of the Meta Data Breach
The DPC’s investigation centered on a breach reported by Meta Platforms Ireland Limited in September 2018. Approximately three million of the affected accounts were based within the European Economic Area (EEA). Compromised personal data included:
The breach occurred due to unauthorized access to a Facebook platform security vulnerability, enabling attackers to log into millions of accounts. Meta resolved the issue promptly after its discovery.
Regulatory Response and Penalties
DPC deputy commissioner Graham Doyle emphasized the significance of data protection during the design and development phases of platforms. He stated, “This enforcement action highlights how the failure to build in data-protection requirements can expose individuals to very serious risks and harms, including risks to fundamental rights and freedoms.”
Meta’s breach exposed users’ profile information, creating a grave risk of data misuse. This case adds to a growing list of enforcement actions taken by the DPC against Meta, one of the world’s largest social media companies.
Meta’s Legal Challenges and Record Fines
The €251 million penalty follows a €1.2 billion fine imposed on Meta in May 2023 for violations of European privacy regulations related to the transfer of European user data to the US. That fine remains under appeal in the Irish High Court.
In another recent case, the DPC fined Meta €91 million for improperly storing user passwords. Meta has also appealed that decision, highlighting the company’s ongoing legal battles with European regulators.
The latest fine increases the total penalties levied by the DPC on organizations over the past five years to over €3.5 billion. However, only €19.9 million has been collected to date, as many fines remain under appeal or other legal processes. All fines collected by the DPC contribute to Ireland’s exchequer.
Meta’s Response to the Penalty
A Meta spokesperson stated that the company took immediate action to fix the problem upon discovery. “We proactively informed affected individuals and the DPC. We have a wide range of industry-leading measures in place to protect people across our platforms,” the spokesperson added.
Meta is expected to appeal the latest DPC decision, continuing its efforts to challenge regulatory actions in court.
Implications for Data Privacy and Regulation
The €251 million fine underscores the importance of robust data protection measures in digital platforms. As global regulators intensify their scrutiny of tech giants, the case serves as a reminder of the critical need for compliance with privacy laws to safeguard user information.