Irish Data Protection Commission (DPC) Imposes a Fine of €251 Million on Meta

On 17th December 2024, the Irish Data Protection Commission (DPC) announced its final decisions on two inquiries initiated against Meta Platforms Ireland Limited (‘MPIL’). The inquiries were launched following the personal data breach reported by MPIL in September 2018, which impacted approximately 29 million Facebook accounts globally, approximately 3 million of which were based in the EU/EEA.

Background to the Decision

The personal data breach occurred due to hackers exploiting vulnerabilities in Facebook’s “View As” feature, which allows users to preview their profiles as seen by others. In some instances, the video uploader incorrectly appeared within this feature, generating an access token linked to the profile being viewed. If obtained, this token allowed attackers to log into the other user’s account, compromising their data and account security. The categories of personal data impacted as a result of this data breach included the user's full name, email address, phone number, location, workplace, date of birth, religion, gender, timeline posts, group memberships, and personal data of children.

MPIL and its US parent company remedied the breach shortly after its discovery. The DPC's inquiries led to decisions published, which included several reprimands and an order for MPIL to pay administrative fines totalling €251 million.

The DPC’s Findings

The DPC’s final decisions highlight the following findings of infringement of the General Data Protection Regulation:

Decision 1

1. Under Article 33(3) GDPR, which requires notifying the supervisory authority about the personal data breach, the DPC reprimanded MPIL for failure to include all the necessary details in its breach notification. These details include the nature of the breach, the name and contact details of the data protection officer, the likely consequences of the personal data breach, and the measures taken to mitigate the possible adverse effects of the breach. The DPC ordered MPIL to pay administrative fines of €8 million regarding the failure to comply with this provision.
2. Under Article 33(5) GDPR, the DPC reprimanded MPIL for failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC ordered MPIL to pay administrative fines of €3 million.

Decision 2

1. Under Article 25(1) GDPR, the DPC reprimanded MPIL for failing to ensure that data protection principles were adhered to in the design of processing systems. The DPC ordered MPIL to pay administrative fines of €130 million.
2. Under Article 25(2) GDPR, the DPC reprimanded MPIL for failing in their obligations as controllers to ensure that only personal data that are necessary for specific purposes are processed. The DPC ordered MPIL to pay administrative fines of €110 million.

You can read the DPC’s press release here. The DPC will publish the full decision and further related information in due course.

Key Takeaways

The recent imposition of a fine worth €251 million on MPIL serves as a wake-up call for all the companies that handle the personal data of EU residents. Such companies must ensure compliance with the GDPR and be accountable for their actions not only to the supervisory authorities but also to the concerned individuals whose personal data is handled by them. Here are some key takeaways:

1. Be Transparent in Breach Notifications: When a personal data breach occurs, organizations need to be upfront and thorough about the details of the data breach. The DPC found that MPIL’s breach notification lacked critical information that it should have included. This is a clear reminder for all the organizations handling personal data that transparency is not optional as supervisory authorities demand the complete details of any personal data breach incidents that occur.
2. Maintain Thorough Records: Organizations should maintain complete records of all the facts concerning personal data breaches, such as what happened during the data breach, the effects of the data breach, and what mitigating measures were taken to remedy it. DPC imposed additional fines on MPIL due to its failure to document important facts relating to the data breach incident. It shows that maintenance of personal data breach records is not just a regulatory checkbox, it is crucial for accountability purposes.
3. Design Processes with Privacy in Mind: Organizations should adopt appropriate technical and organizational security measures when designing their internal systems and processes. For example, if an organization processes special categories of personal data, it should go a step further in ensuring the safety of such data. If special categories of personal data, such as data revealing racial or ethnic origin, political opinions, and religious or philosophical beliefs, end up in the wrong hands, the misuse of such data can prove to be disastrous.
4. Cooperate with the Supervisory Authorities: Whenever a personal data breach occurs within an organization, it should notify such breach to the supervisory authority under the GDPR. Not maintaining transparency while reporting personal data breaches to the supervisory authority can lead to delays in investigation and the imposition of heavy fines on the organization. 
5. Non-Compliance is Costly: The imposition of a €251 million fine on MPIL serves as an example of the financial implications of non-compliance with data protection regulations. Moreover, non-compliance also causes massive reputational damage to the concerned organization and shatters customer trust.
6. Take Data Protection as a Continuous Commitment: Organizations dealing with personal data should make it a practice to ensure the protection of personal data at all times. For this purpose, they should conduct regular audits, staff training and monitoring of their processes to steer clear of potential personal data breaches.

To conclude, this case is a powerful reminder that in this digital era, the organizations that protect their customer data will not only avoid penalties but also win customer trust. On the other hand, organizations that do not comply with data protection regulations and learn from the mistakes of their competitors will lose their reputation in the industry. Data protection is no longer a choice; it is a crucial ingredient to success in this digital age.