
Irish Information Security Forum

Irish Data Protection Commission Fines Meta €251 Million

Release Date:  17th December 2024
Source: Irish Data Protection Commission

 

 

In December 2024, the Irish Data Protection Commission (DPC) imposed a significant fine of €251 million on Meta Platforms Ireland Limited (MPIL) following two inquiries into a personal data breach reported by MPIL in September 2018. This breach affected approximately 29 million Facebook accounts globally, including around 3 million accounts based in the EU/EEA.

 

The breach involved the exploitation of user tokens on the Facebook platform by unauthorized third parties. The affected personal data included users' full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, posts on timelines, groups of which users were members, and children's personal data. Meta and its US parent company took immediate action to remedy the breach upon its discovery.

 

The DPC's final decisions recorded several infringements of the General Data Protection Regulation (GDPR) by MPIL:

 

  • Article 33 (3) GDPR: Failure to include all required information in the breach notification.
  • Article 33 (5) GDPR: Failure to document the facts relating to each breach and the steps taken to remedy them.
  • Article 25 (1) GDPR: Failure to ensure data protection principles were protected in the design of processing systems.
  • Article 25 (2) GDPR: Failure to ensure that, by default, only personal data necessary for specific purposes were processed.

 

The DPC reprimanded MPIL for these failures and ordered it to pay administrative fines totaling €251 million. 

 


DPC Deputy Commissioner Graham Doyle commented:

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

 

Meta is expected to appeal the decision, as it has done with previous fines imposed by the DPC.



Reference(s)


Irish Data Protection Commission fines Meta €251 Million | 17/12/2024 | Data Protection Commission

 
