Irish Data Protection Commission (DPC) Imposes a Fine of €251 Million on Meta

Author

Rohma Fatima Qayyum

Assoc. Data Privacy Analyst

On 17th December 2023, the Irish Data Protection Commission (DPC) announced its final decisions on two inquiries initiated against Meta Platforms Ireland Limited (‘MPIL’). The inquiries were launched following the personal data breach reported by MPIL in September 2018, which impacted approximately 29 million Facebook accounts globally, approximately 3 million of which were based in the EU/EEA.

Background to the Decision

The personal data breach occurred due to hackers exploiting vulnerabilities in Facebook’s “View As” feature, which allows users to preview their profiles as seen by others. In some instances, the video uploader incorrectly appeared within this feature, generating an access token linked to the profile being viewed. If obtained, this token allowed attackers to log into the other user’s account, compromising their data and account security. The categories of personal data impacted as a result of this data breach included the user's full name, email address, phone number, location, workplace, date of birth, religion, gender, timeline posts, group memberships, and personal data of children.
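The flaw described above is a classic identity confusion: a preview feature that should only change what is rendered ends up changing who the system believes is acting, and a component embedded in that preview mints credentials for the wrong principal. The following Python is an added illustration, not code from the article, from Meta or from Facebook's actual implementation; the token format, the `Session` type, the function names and the user ids `alice` and `bob` are all constructed for the example. It contrasts a preview that swaps the whole rendering context to the previewed user (so an embedded widget obtains a full-scope token for that user) with a hardened preview where identity always comes from the authenticated session and the previewed profile is carried only as a narrow scope, plus the invariant a defender would assert in tests.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed signing key for the toy token format; not a real key.
SIGNING_KEY = b"hypothetical-signing-key"


@dataclass(frozen=True)
class Session:
    """The authenticated caller. `user_id` is who actually logged in."""
    user_id: str


def mint_token(subject: str, scope: str) -> str:
    """Toy HMAC-signed bearer token: <json payload>.<hex signature>."""
    payload = json.dumps({"sub": subject, "scope": scope}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str) -> dict:
    """Check the signature and return the claims, or raise ValueError."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    return json.loads(payload)


def render_widget_vulnerable(session: Session, view_as: str) -> str:
    """
    Flawed design (hypothetical model of the article's description): the
    preview replaces the entire rendering context with the previewed user,
    and an embedded component (the article's "video uploader") mints its
    token from that context. The token names the previewed user with full
    scope, so anyone holding it acts as that user.
    """
    rendering_context = {"user_id": view_as}  # impersonation leaks into identity
    return mint_token(rendering_context["user_id"], scope="full")


def render_widget_hardened(session: Session, view_as: str) -> str:
    """
    Hardened design: the subject is always the authenticated session;
    the previewed profile is only a perspective, expressed as a narrow
    scope that the resource layer never treats as ownership.
    """
    return mint_token(session.user_id, scope=f"preview:{view_as}")


def can_read_private_data(token: str, owner: str) -> bool:
    """Resource check for a private object owned by `owner`."""
    claims = verify_token(token)
    return claims["sub"] == owner and claims["scope"] == "full"


def preview_token_is_sound(token: str, session: Session) -> bool:
    """Invariant to assert in CI: no token minted while rendering a preview
    may name anyone other than the authenticated viewer."""
    return verify_token(token)["sub"] == session.user_id


if __name__ == "__main__":
    viewer = Session("alice")
    bad = render_widget_vulnerable(viewer, view_as="bob")
    good = render_widget_hardened(viewer, view_as="bob")
    print("vulnerable token grants bob's private data:", can_read_private_data(bad, "bob"))
    print("hardened token grants bob's private data:", can_read_private_data(good, "bob"))
    print("hardened token names the real viewer:", preview_token_is_sound(good, viewer))
```

The design point is that "view as" must be a rendering-time filter applied on top of the viewer's real identity, never a substitution of identity; a test like `preview_token_is_sound` run against every credential issued during preview rendering is the kind of data-protection-by-design check the DPC's Article 25 findings concern.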

MPIL and its US parent company remedied the breach shortly after its discovery. The DPC's inquiries concluded with the published decisions, which include several reprimands and an order for MPIL to pay administrative fines totaling €251 million.

The DPC’s Findings

The DPC’s final decisions highlight the following findings of infringement of the General Data Protection Regulation:

Decision 1

  1. Under Article 33(3) GDPR, which requires notifying the supervisory authority about the personal data breach, the DPC reprimanded MPIL for failure to include all the necessary details in its breach notification. These details include the nature of the breach, the name and contact details of the data protection officer, the likely consequences of the personal data breach, and the measures taken to mitigate the possible adverse effects of the breach. The DPC ordered MPIL to pay administrative fines of €8 million regarding the failure to comply with this provision.
  2. Under Article 33(5) GDPR, the DPC reprimanded MPIL for failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC ordered MPIL to pay administrative fines of €3 million.

Decision 2

  1. Under Article 25(1) GDPR, the DPC reprimanded MPIL for failing to ensure that data protection principles were built into the design of its processing systems. The DPC ordered MPIL to pay administrative fines of €130 million.
  2. Under Article 25(2) GDPR, the DPC reprimanded MPIL for failing in its obligation as controller to ensure that, by default, only personal data necessary for each specific purpose are processed. The DPC ordered MPIL to pay administrative fines of €110 million.

You can read the DPC press release here. The DPC will publish the full decision and further related information in due course.
