Written by: Haim Ravia, and Dotan Hammer
Following a five-year investigation, the Irish Data Protection Commission (DPC) imposed a €91 million fine on Meta in late September over an incident in which hundreds of millions of user passwords were stored in an unencrypted, readable ‘plaintext’ format. The DPC found that Meta had breached its obligations as a controller under the GDPR, reprimanded the company, and issued the fine for failing to notify the DPC of the breach and for failing to properly protect its users’ passwords.
Meta did inform the DPC that it had inadvertently stored passwords in an unprotected form. However, the notification was found to be non-compliant with Article 33 of the GDPR, which requires notifications to the supervisory authority to be made “without undue delay”.
The DPC’s decision cited the GDPR principles of integrity and confidentiality. It found the company non-compliant with a number of derivative obligations: implementing appropriate security measures for the processing of personal data, assessing the data security risks, and implementing the measures necessary to mitigate those risks, specifically as regards the storage of user passwords. The decision also highlights that the company failed to document personal data breaches when they occurred.
This is the third time the DPC has fined Meta for violations of data protection law. Meta was previously fined €17 million in March 2022 and €1.2 billion in May 2023. The final decision on this new enforcement action has yet to be published by the DPC. It was, however, submitted to the other data protection supervisory authorities in the EU/EEA for comment, and none objected.
Click here to read the DPC’s press release regarding the decision.