Meta Fined €251 Million in Ireland for Data Breach

Irish Data Protection Commission (DPC) fined Meta Platform Ireland €251 million after two inquiries into a data breach that impacted approximately 29 million global Facebook accounts. Meta self-reported the breach that took place in September 2018.

The DPC stated the breach included personal data such as full names, mail addresses, phone numbers, places of work, birth dates, religion, and gender, as well as posts on timelines and groups where users were members. The watchdog noted three million of the users impacted were based in the EU and EEA.

The breach occurred due to the exploitation by unauthorized third parties of user tokens on the Facebook platform. It was remedied by Meta shortly after discovery. The DPC found the social media giant infringed on GDPR rules by failing to document the facts relating to each breach, and the steps taken to remedy them. It also noted Meta failed in its obligations to ensure that, by default, only personal data that are necessary for specific purposes are processed.

Meta said it took immediate action to fix the problem as soon as it was identified, and that it proactively informed the users that were impacted as well as the DPC. The DPC stated it will publish the full decision and further related information in due course. Meta said it will appeal the decisions.

In September, DPC hit Meta with fines totaling €91 million for inadvertently storing hundreds of millions of user passwords incorrectly. It also fined the company €1.2 billion in May 2023 for breaches of EU laws covering data protection. The most recent fine also adds to a €390 million penalty the DPC imposed on Meta in January 2023 and a €405 million charge in 2022, which are also related to breaches of data processing rules.