Meta, the parent company of Facebook, WhatsApp, and Instagram, has reportedly been fined over €250 million by the Irish Data Protection Commission (DPC) following a data breach.
The breach, which Meta disclosed in September 2018, affected around 29 million Facebook accounts worldwide, including approximately three million accounts within the EU/EEA. The compromised data included users’ full names, email addresses, phone numbers, locations, workplaces, dates of birth, religions, genders, timeline posts, group memberships, and children’s personal information.
The incident occurred due to the exploitation of user tokens on the Facebook platform by unauthorized third parties. Although Meta and its US parent company resolved the issue shortly after discovering it, significant damage had already been done.
The DPC’s decision, led by Commissioners Dr. Des Hogan and Dale Sunderland, involved issuing multiple reprimands and imposing administrative fines totaling €251 million.
Deputy Commissioner Graham Doyle emphasized that the breach created a significant risk of data misuse. He stressed that failing to integrate data protection measures into the design and development process exposes individuals to serious harm, including threats to their fundamental rights and freedoms.
Doyle noted that Facebook profiles often contain sensitive details, such as religious or political beliefs, sexual orientation, and other personal information intended for limited disclosure. He underscored that the unauthorized exposure of such data posed a severe risk of misuse.
He further emphasized that this breach highlights the critical need for companies to prioritize data protection throughout the lifecycle of platform design and development. Neglecting these safeguards can result in significant vulnerabilities, putting users’ sensitive information at risk.
The enforcement action serves as a strong warning to tech companies about the consequences of inadequate data protection measures. It also underscores the importance of adhering to the General Data Protection Regulation (GDPR), which sets strict standards for safeguarding personal data and imposes substantial penalties for violations.
Meta has faced increasing scrutiny from European regulators in recent years over its handling of user data. This latest fine adds to the growing list of penalties the company has incurred under GDPR enforcement.
While Meta has acknowledged the breach and taken corrective measures, critics argue that such incidents erode public trust and highlight systemic issues within large tech platforms regarding data security.
The Irish Data Protection Commission is Meta's lead supervisory authority under the GDPR because the company's European headquarters is in Ireland. It continues to play a pivotal role in overseeing compliance with data protection laws and ensuring accountability for breaches.
Meta has not yet issued a formal statement regarding the fine but is expected to respond to the decision and outline any additional steps it plans to take to prevent similar incidents in the future.