The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts.
The breach was caused by unauthorized parties exploiting user access tokens, exposing sensitive personal data such as names, email addresses, phone numbers, and physical locations; children were among those affected.
Although Facebook took immediate corrective action upon discovering the bug in its “View As” feature, the incident still violated several GDPR articles.
Specifically, the Irish DPC says the following GDPR violations are related to the incident:
- Article 33(3): Incomplete breach notification details → €8M fine
- Article 33(5): Poor documentation of breach facts/remedies → €3M fine
- Article 25(1): Failure to embed data protection in system design → €130M fine
- Article 25(2): Failure to limit data processing to what’s necessary → €110M fine
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” commented Graham Doyle, the DPC’s Deputy Commissioner.
The DPC has promised to publish the entire decision soon, providing the public with more insight.
In response to the DPC’s announcement, Meta sent BleepingComputer the following statement:
“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed the people impacted, as well as the Irish Data Protection Commission,” Meta told BleepingComputer.
“We have a wide range of industry-leading measures in place to protect people across our platforms.”
Meta settles in Australia
Also today, the Australian Information Commissioner announced that Meta has agreed to a $50 million settlement for Australian Facebook users impacted by the Cambridge Analytica incident.
The settlement resolves privacy breaches under the Privacy Act 1988 involving data disclosed to the This is Your Digital Life app, potentially misused for political profiling.
Australians who had Facebook accounts between November 2, 2013, and December 17, 2015, spent over 30 days in Australia, and either installed the This is Your Digital Life app or were friends with someone who did are eligible for compensation.
More details about the payment scheme are available on the enforceable undertaking page.
Meta sent BleepingComputer a separate statement regarding that settlement, distancing itself from the past practices at issue.
“We settled on a no admissions basis, as it is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta’s products or systems work today. We look forward to continuing to build services Australians love and trust with privacy at the forefront,” Meta told BleepingComputer.