Irish data privacy watchdog fines Meta €251 million for GDPR failure

“We took immediate action to fix the problem,” said a spokesperson for Meta, who are expected to appeal.


Meta signage in front of the headquarters in Menlo Park, California, USA. [EPA-EFE/JOHN G. MABANGLO]

Théophane Hartmann, Euractiv, Dec 17, 2024 16:06. 2 min. read.

Ireland's Data Protection Commission (DPC) slapped Meta with a €251 million fine on Tuesday (17 December) for failure to comply with the EU's data privacy regulation (GDPR), according to a press release.

The fine was issued for a security breach on social media Facebook which started in July 2017, and affected close to three million accounts in the European Economic Area.

"This enforcement action highlights how the failure to build in data protection requirements [...] can expose individuals to [...] risk to the fundamental rights and freedoms of individuals," said the Irish DPC deputy commissioner Graham Doyle.

The breach stemmed from a flaw in Facebook's design: unauthorised parties used scripts to exploit a vulnerability in Facebook's code, allowing them to view user profiles they should otherwise not have been able to see.

Meta is expected to appeal the decision. "We took immediate action to fix the problem," said a Meta spokesperson in an email.

Meta discovered the security issue in September 2018, fixed the vulnerability and informed law enforcement authorities.

Still, according to the DPC, Meta failed to properly notify the regulatory authorities of the breach and to fully document it. This meant Meta had infringed the GDPR, for which it was issued an €11 million fine.

But the bulk of the fine handed down by the DPC – €240 million of the €251 million – is for the nature of the personal data breach itself, which Doyle said constituted a "failure to build in data protection requirements throughout the design" of the affected system.

The impacted personal data included users' full name, gender, religion, phone number, location, and place of work.

The DPC has been criticised for its lax enforcement of the GDPR since the regulation's entry into force in 2018.

However, this is the third fine issued by the DPC under GDPR since the appointment of Des Hogan as Commissioner for Data Protection and Chairperson of the DPC in February 2024.

The final decision follows the DPC's submission of its draft ruling for review under the GDPR cooperation mechanism involving other EU data protection authorities.

Notably, both the draft and final decisions were issued during Hogan's tenure, and according to the press release, the draft decision received no objections from peer authorities.

The DPC fined Meta €91 million for a password management lapse in September. It also fined LinkedIn €310 million over targeted advertising in October.

[Edited by Owen Morgan]
