The Irish Data Protection Commission (DPC) has imposed a €251 million ($263.6 million) fine on Meta for violations of the General Data Protection Regulation (GDPR) following a 2018 Facebook data breach that affected 29 million accounts.

The breach occurred when unauthorized parties exploited user access tokens, exposing sensitive data, including names, email addresses, phone numbers, physical locations, and information about children. Although Facebook quickly fixed the bug in its “View As” feature, the incident was found to violate multiple GDPR provisions:

  • Article 33(3): Insufficient breach notification details → €8 million fine
  • Article 33(5): Inadequate documentation of breach facts/remedies → €3 million fine
  • Article 25(1): Failure to embed data protection in system design → €130 million fine
  • Article 25(2): Failure to limit data processing to necessity → €110 million fine

“This enforcement action underscores the importance of embedding data protection requirements throughout the design and development process to safeguard individuals’ fundamental rights and freedoms,” said Graham Doyle, Deputy Commissioner of the DPC.

The DPC will soon publish its full decision to provide further context on its findings and rationale.

In a statement to BleepingComputer, Meta addressed the DPC’s decision:
“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed the people impacted, as well as the Irish Data Protection Commission,” Meta said. “We have a wide range of industry-leading measures in place to protect people across our platforms.”

Meta Agrees to $50M Settlement in Australia Over Cambridge Analytica Scandal

On the same day, the Australian Information Commissioner announced that Meta has agreed to a $50 million settlement for Australian Facebook users affected by the Cambridge Analytica incident.

This case involved breaches under the Privacy Act 1988, where data shared with the “This is Your Digital Life” app was allegedly misused for political profiling.

Australians who held Facebook accounts between November 2, 2013, and December 17, 2015, and either installed the app or were friends with someone who did, may be eligible for compensation. Details about the payment scheme are available on the enforceable undertaking page.

Meta issued a separate statement regarding the settlement:
“We settled on a no admissions basis, as it is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta’s products or systems work today. We look forward to continuing to build services Australians love and trust with privacy at the forefront,” the company told BleepingComputer.

These developments highlight the ongoing challenges Meta faces in balancing innovation, privacy, and compliance with global data protection standards.

(via: BleepingComputer)