In a significant ruling, the Data Protection Commission (DPC) has imposed a fine of €91 million on Meta Platforms Ireland Limited (MPIL) following an extensive inquiry into the mishandling of user data. This decision comes after an investigation that began in April 2019, triggered by MPIL’s notification of a serious data breach involving the storage of user passwords in ‘plaintext’, that is, without hashing or encryption, so that anyone with access to the stored data could read the passwords directly.
Background of the Inquiry
The inquiry was initiated after MPIL reported that certain passwords belonging to social media users were stored without adequate security measures. This startling revelation prompted the DPC to assess MPIL’s compliance with the General Data Protection Regulation (GDPR), focusing on whether the company had taken necessary precautions to protect sensitive user information.
In June 2024, the DPC drafted a decision and shared it with other Concerned Supervisory Authorities across the EU/EEA, as mandated by Article 60 of the GDPR. Notably, there were no objections from these authorities, paving the way for the final ruling.
Findings of the DPC
The DPC’s official decision, communicated to MPIL on September 26, outlined several key infringements of GDPR provisions:
- Article 33(1): MPIL failed to notify the DPC about a personal data breach involving the storage of user passwords in plaintext.
- Article 33(5): The company did not adequately document the personal data breaches concerning these passwords.
- Article 5(1)(f): MPIL lacked appropriate technical and organizational measures to ensure the security of users’ passwords against unauthorized access.
- Article 32(1): There was a failure to implement suitable security measures that corresponded to the risks associated with processing sensitive data.
Deputy Commissioner Graham Doyle emphasized the gravity of the situation, stating, “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data.” He further noted the sensitive nature of the passwords, which could grant unauthorized access to users’ social media accounts.
The Implications of the Ruling
The DPC’s decision underscores the critical importance of data security and compliance with GDPR principles, particularly regarding the integrity and confidentiality of personal data. The ruling serves as a stark reminder to organizations about their responsibility to implement robust security measures when processing user information.
The DPC’s ruling includes corrective measures such as:
- A reprimand under Article 58(2)(b) of the GDPR.
- An administrative fine of €91 million pursuant to Articles 58(2)(i) and 83 of the GDPR.
Moving Forward
The DPC plans to publish the full decision along with additional related information in the near future. This case highlights the need for companies to be vigilant in their data protection practices and to act swiftly in notifying authorities of any breaches to mitigate potential risks to users.
The €91 million fine imposed on Meta Platforms Ireland Limited serves as a significant reminder of the importance of data protection and compliance within the digital landscape. As regulatory scrutiny continues to grow, organizations must prioritize security measures and adhere strictly to GDPR requirements to protect user data effectively.