The Irish Data Protection Commission (DPC) has imposed a €251 million ($263.6M) fine on Meta for GDPR violations stemming from a significant 2018 data breach affecting 29 million Facebook users. The breach, in which user access tokens were exploited, exposed sensitive information including names, email addresses, phone numbers, and location data.
Key GDPR Violations and Fines:
– Incomplete breach notification (Article 33(3)): €8M
– Poor breach documentation (Article 33(5)): €3M
– Inadequate data protection design (Article 25(1)): €130M
– Excessive data processing (Article 25(2)): €110M
The DPC’s Deputy Commissioner, Graham Doyle, emphasized how failing to incorporate data protection requirements in system design can pose serious risks to individual privacy rights.
Meta’s Response:
Meta acknowledged the incident, stating they took immediate corrective action and implemented industry-leading security measures across their platforms.
Australian Settlement:
In a separate development, Meta agreed to a $50 million settlement in Australia regarding the Cambridge Analytica scandal. The settlement covers Australian Facebook users active between November 2013 and December 2015 who were affected by data collection through the “This is Your Digital Life” app.
Meta maintains these issues relate to past practices no longer relevant to their current operations and systems, emphasizing their commitment to privacy-focused services moving forward.