Meta, the parent company of Facebook, has been fined €91 million (£75 million) by the Irish Data Protection Commission (DPC) following an inquiry into the handling of user passwords. The investigation, which began in April 2019, was initiated after Meta reported to the DPC that it had accidentally stored certain user passwords in an unencrypted format on its internal systems.
The draft decision was submitted to other European data protection authorities in June 2024, and no objections were raised. The DPC found Meta in violation of four counts under the General Data Protection Regulation (GDPR).
Commenting on the decision, DPC Deputy Commissioner Graham Doyle emphasized the critical nature of protecting user passwords: “It is widely accepted that storing passwords in plaintext is not secure due to the risks associated with unauthorized access to such data. The passwords involved in this case are particularly sensitive, as they provide access to users’ social media accounts,” he said.
The ruling, delivered by Commissioners Dr. Des Hogan and Dale Sunderland, was officially communicated to Meta on September 26. In addition to the fine, the decision includes a formal reprimand of the company.
This is not the first time Meta has faced penalties from the Irish DPC. In May 2023, the company was fined €1.2 billion (£1 billion) for mishandling data transfers between Europe and the United States—the largest fine ever imposed under the EU’s GDPR. Additionally, in 2022, Meta was fined €265 million (£220 million) after data from 533 million users across 106 countries was discovered on a hacking forum, having been “scraped” from Facebook’s platform several years prior.
These repeated violations highlight ongoing concerns regarding Meta’s data protection practices and its compliance with European privacy laws.
The latest fine underscores the heightened scrutiny Meta faces from European regulators as the company continues to grapple with regulatory compliance across its global operations. The DPC, which serves as Meta’s lead supervisory authority under the GDPR because the company’s European headquarters is in Dublin, has been increasingly proactive in enforcing data privacy standards and holding large tech firms accountable.
Meta has yet to issue a detailed response to the decision but has indicated that it is reviewing the ruling and considering its next steps. Historically, the company has contested penalties issued by the DPC, arguing that its data handling procedures are in line with industry standards and regulations. However, the frequency and scale of the fines are intensifying pressure on Meta to overhaul its data management and security practices.
This decision also serves as a warning to other companies operating within the EU. It highlights the growing determination of data protection authorities to ensure compliance and protect users’ personal information, even from large multinational corporations. The DPC’s enforcement actions have positioned it as one of the most influential regulatory bodies in the EU, setting precedents for other countries’ data protection authorities.
In light of this ruling, analysts predict that Meta and other tech giants will face even stricter oversight in the coming years, particularly as new regulations such as the Digital Services Act (DSA) and the Digital Markets Act (DMA) come into force. These laws aim to establish clearer rules for content moderation, data handling, and market competition, further tightening the regulatory landscape for companies like Meta.
Moving forward, Meta’s compliance strategy will likely need to include more robust internal controls, transparent reporting mechanisms, and closer cooperation with regulators to mitigate the risk of further penalties. The ongoing scrutiny and financial repercussions also raise questions about the long-term sustainability of the company’s existing data practices and whether further changes will be required to maintain user trust and regulatory approval.
As the company navigates these challenges, the spotlight remains on Meta’s ability to balance its business model, which heavily relies on data monetization, with the stringent privacy requirements enforced across its key markets.