Meta Ireland issued a €91 million fine by the Irish Data Protection Commission
In a significant enforcement action, the Irish Data Protection Commission (DPC) has imposed a €91 million fine on Meta Ireland. This decision follows a comprehensive five-year investigation into Meta’s handling of user passwords, which were stored in an unencrypted, readable ‘plaintext’ format.
Background
- Incident: In March 2019, Meta notified the DPC that it had inadvertently stored user passwords in plaintext on its internal systems, without cryptographic protection.
- Investigation: As Meta is headquartered in Ireland, the DPC acted as Lead Supervisory Authority in the investigation. The scope of the inquiry concerned whether Meta had: (i) implemented adequate security measures to protect user passwords; and (ii) complied with GDPR obligations to document and notify the DPC of personal data breaches.
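The incident above turns on the difference between storing a password as-is and storing only a salted, slow hash of it, so that a leaked credential store does not yield usable passwords. The following Python is an added illustration, not code from the article or from Meta's systems; the scrypt parameters, the `scrypt$N$r$p$salt$key` record layout and the sample credential store are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work-factor parameters for scrypt (illustrative, not a recommendation
# for any specific deployment). Memory cost is 128 * N * r bytes, here 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
KEY_LEN = 32    # bytes of derived key stored


def store_plaintext(password: str) -> str:
    """The failure mode the DPC investigated: the password is kept as-is.

    Anyone who can read the store (or its logs) can read every password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$key_hex.

    A fresh random salt per password means equal passwords produce
    different records, and the parameters travel with the record so they
    can be raised later without breaking verification of old entries."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the parameters in the record and compare in
    constant time. Malformed records never verify."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        key = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except ValueError:
        return False
    return hmac.compare_digest(key, expected)


def audit_store(store: Dict[str, str]) -> List[str]:
    """Defender-side check: list the account ids whose stored credential is
    not a well-formed hashed record, i.e. candidates for plaintext storage.
    Verification with a dummy password only checks the record parses."""
    unprotected = []
    for user, record in store.items():
        parts = record.split("$")
        if len(parts) != 6 or parts[0] != "scrypt":
            unprotected.append(user)
            continue
        try:
            bytes.fromhex(parts[4])
            bytes.fromhex(parts[5])
            int(parts[1]), int(parts[2]), int(parts[3])
        except ValueError:
            unprotected.append(user)
    return unprotected


if __name__ == "__main__":
    # Constructed sample store: one properly hashed entry, one plaintext entry.
    sample_store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": store_plaintext("hunter2"),
    }
    print("unprotected accounts:", audit_store(sample_store))
    print("alice login ok:", verify_password("correct horse battery staple", sample_store["alice"]))
```

The audit function answers the question an internal review should have asked early: which records in the credential store can be read back as the password itself. It only checks record shape, so a store that wraps plaintext in a look-alike format would still need inspection of the writing code path.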
Key Findings
- GDPR Violations: The DPC found Meta in violation of several GDPR principles, including data integrity and confidentiality. Meta failed to implement appropriate security measures to protect personal data and did not notify the DPC of the breach in a timely manner, as required by Article 33 of the GDPR.
- Repeated Offenses: This is the third time Meta has been fined by the DPC for data protection violations. Previous fines include €17 million in March 2022 and €1.2 billion in May 2023.
- Lack of Documentation: The investigation revealed that Meta did not adequately document personal data breaches when they occurred, further compounding its non-compliance.
The DPC’s decision has been submitted to other data protection supervisory authorities in the EU/EEA for comments, with no objections raised. The final decision is yet to be published, but it sets a precedent for stringent enforcement of data protection laws.
Our Views
Whilst this was an Irish DPC enforcement action, this case underscores the importance of robust data protection practices and timely breach notifications for all organisations within the scope of UK or EU GDPR. Companies must ensure they have adequate security measures in place to protect personal data and comply with GDPR requirements to avoid substantial fines and reputational damage.
The fine highlights the critical need for companies to prioritise data security and transparency. As technology continues to evolve, so do the threats to personal data. It is imperative for organisations to stay ahead of these challenges by implementing robust security measures and fostering a culture of compliance.
This enforcement action serves as a reminder that non-compliance can lead to significant financial and reputational consequences. We encourage all businesses to review their data protection policies and practices regularly to ensure they meet the highest standards of security and privacy.