European privacy enforcement has brought Meta, the parent company of Facebook, back into the spotlight. On Friday, Ireland’s Data Protection Commission (DPC) announced a €91 million fine, equal to $101.5 million, the result of a multi-year inquiry into a 2019 security incident in which hundreds of millions of Facebook users’ passwords were stored in plaintext on Meta’s servers. It is yet another privacy-related penalty for Meta, underscoring the company’s ongoing compliance difficulties under Europe’s strict General Data Protection Regulation (GDPR).
In light of the ruling, Meta, represented by its spokesperson, Matthew Pollard, pointed out that the problem was flagged in a security review conducted internally in 2019. “We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta stated. Citing Meta’s press release,
GDPR Non-Compliance Cited in Meta Penalty
The DPC launched its statutory inquiry into the incident in April 2019, after Meta disclosed that “hundreds of millions” of user passwords had been inadvertently stored in plaintext. The GDPR requires companies to secure the personal data they process, and those that fail to do so can incur large fines. Concluding its investigation, the DPC found that Meta had violated the GDPR because the passwords were not encrypted, exposing sensitive information to the risk of unauthorized third-party access.
In its role overseeing Meta’s GDPR compliance within the European Union, the Irish regulator also found that Meta failed to notify the DPC within the required 72 hours of becoming aware of the breach, and that Meta did not fully document the breach.
Deputy Commissioner Graham Doyle stressed the gravity of the violation in a statement: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” He noted that, given the sensitive nature of passwords, which grant access to users’ social media accounts, Meta’s security measures fell short of the expected standard.
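The point Doyle makes is that a credential store should never hold a value from which the password itself can be read back. The added example below is not code from Meta or the DPC; it shows, using only the Python standard library, how a password record is derived with a salted, memory-hard key derivation function (scrypt), how a login is verified against that record in constant time, and how a simple audit pass can flag records in a credential table that are not in the expected hashed format, which is the kind of check that catches plaintext storage before an internal review or a regulator does. The record format, the scrypt parameters and the sample user table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed scrypt cost parameters for this example (tune to your hardware budget).
SCRYPT_N = 2 ** 14      # CPU/memory cost; 128 * N * r bytes of memory (16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32              # length of the derived key in bytes
SCHEME = "scrypt"       # tag that lets the verifier recognise the record format


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored record of the form scrypt$N$r$p$<salt>$<key>.

    A fresh random 16-byte salt is generated per password unless one is
    supplied (supplying one is only useful for deterministic tests).
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join([
        SCHEME, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def parse_record(record: str):
    """Return (n, r, p, salt, key) for a well-formed record, else None."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != SCHEME:
        return None
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        key = base64.b64decode(parts[5], validate=True)
    except (ValueError, TypeError):
        return None
    if n < 2 or (n & (n - 1)) != 0 or r < 1 or p < 1 or not salt or not key:
        return None
    return n, r, p, salt, key


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored parameters and compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False  # malformed or plaintext record: never accept it as valid
    n, r, p, salt, key = parsed
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(key))
    return hmac.compare_digest(candidate, key)


def audit_credential_table(table: Dict[str, str]) -> List[str]:
    """Return the usernames whose stored value is not a recognised hashed record.

    Anything that does not parse as scrypt$... is treated as unprotected
    (plaintext, legacy or corrupted) and reported for remediation.
    """
    return sorted(user for user, stored in table.items()
                  if parse_record(stored) is None)


if __name__ == "__main__":
    # Constructed sample table: two hashed records and one plaintext record.
    sample_table = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("hunter2"),
        "carol": "letmein123",   # the anti-pattern the regulator described
    }
    print("unprotected records:", audit_credential_table(sample_table))
    print("alice login ok:", verify_password("correct horse battery staple",
                                             sample_table["alice"]))
    print("alice wrong pw:", verify_password("wrong", sample_table["alice"]))
```

A record produced this way carries its own cost parameters, so the parameters can be raised later and old records re-hashed on the user’s next successful login without a flag day; the audit function is the same check that can be run over a database export to confirm that no column still holds raw passwords.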
Heavier Penalty Compared to Previous Breach
The €91 million penalty is far larger than the €17 million fine Meta received in March 2022 for a 2018 security breach that affected up to 30 million Facebook users; by comparison, the 2019 breach affected “hundreds of millions.” In setting the fine, the DPC weighed the seriousness, scope, and duration of the breach, together with its potential impact on affected users. Substantial as it is, the fine is only a small fraction of what Meta could face under the GDPR: with 2023 revenue of $134.90 billion and a maximum penalty of 4% of global annual turnover, fines could in theory run into the billions of dollars. Despite the company’s efforts to downplay the matter as an internal mistake, the size of the fine reflects the DPC’s growing concern about how Meta handles personal data.