DPC Fines Meta €251 Million for Facebook Data Breach
The Irish Data Protection Commission (DPC) has imposed a fine of €251 million on Meta, the parent company of Facebook, due to a significant personal data breach affecting approximately 29 million accounts worldwide. Of these, around three million accounts were located in Europe. The breach, which was reported by Meta in September 2018, involved unauthorized access to various types of personal information, including users’ full names, email addresses, phone numbers, locations, workplaces, dates of birth, religious affiliations, genders, posts, group memberships, and children’s personal data.
The incident was traced back to the exploitation of user tokens by unauthorized third parties on the Facebook platform. User tokens are coded identifiers that verify a user’s identity and control access to specific features and personal data. Meta took corrective measures shortly after the breach was discovered, but the DPC’s decision highlights the serious risks posed by inadequate data protection measures during the design and development phases of digital platforms.
Graham Doyle, Deputy Commissioner of the DPC, emphasized the importance of integrating data protection requirements to safeguard individuals’ rights and freedoms. He noted that the vulnerabilities leading to this breach posed a significant risk of misuse of personal data. The enforcement action taken against Meta included reprimands and the substantial fine, which adds to the €2.8 billion in total fines that the DPC has levied against the company to date. However, only €17 million of these fines has been collected due to ongoing legal challenges.
Meta has announced its intention to appeal the DPC’s decision, stating that it took immediate action to address the issue once it was identified. A spokesperson for Meta reiterated the company’s commitment to protecting user data and highlighted the extensive measures in place to ensure user safety across its platforms.
