Reset your clock: Meta has received yet another privacy penalty in Europe. Ireland’s Data Protection Commission (DPC) on Friday issued sanctions and a fine of €91 million (approximately $101.5 million at current exchange rates) after concluding a multi-year investigation into a 2019 security breach at Facebook’s parent company.
The DPC opened a statutory inquiry under the bloc’s General Data Protection Regulation (GDPR) in April 2019 after Meta (then still called Facebook) notified it that the passwords of “hundreds of millions” of users had been stored in plain text on its servers.
The incident is a legal matter in the European Union because the GDPR requires personal data to be adequately protected.
After investigating, the DPC concluded that Meta fell short of the bloc’s legal standard because the passwords were not protected by encryption. The risk was that third parties could gain access to the sensitive information held in people’s social media accounts.
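The regulator’s finding turns on one point: stored credentials must never be recoverable as plain text, and the standard protection for passwords is not reversible encryption but a salted, deliberately slow hash, paired with controls that keep the plaintext out of internal logs and data stores. The following Python is an added illustration of both controls, written for this article and not code from Meta or the DPC; the scrypt parameters, the field-name pattern and the sample log line are constructed for the example.

```python
import hashlib
import hmac
import logging
import os
import re

# scrypt work factors (constructed for the example; production systems tune
# these to their hardware). Memory cost is 128 * n * r bytes, here 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str) -> str:
    """Derive a salted scrypt hash and return a self-describing record.

    Only the salt and the derived key are stored; the password itself is
    never written anywhere, so a leaked record cannot be reversed.
    """
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


# Credential fields that must not reach internal logs, whether they arrive as
# JSON ("password": "...") or as form-encoded text (password=...).
_SECRET_FIELD = re.compile(
    r'("?(?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|[^\s&,}]+)',
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace the value of any password-like field with a marker."""
    return _SECRET_FIELD.sub(r"\1[REDACTED]", text)


class CredentialRedactingFilter(logging.Filter):
    """Logging filter that scrubs credentials before a record is formatted.

    Attached to a logger, it catches the case the article describes: a
    request body logged verbatim into an internal data system.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("record:", stored)
    print("correct password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password verifies:  ", verify_password("wrong", stored))

    log = logging.getLogger("login")
    log.addFilter(CredentialRedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    # Constructed sample of a request body a developer might log by mistake.
    log.info('login attempt body=%s', '{"user": "alice", "password": "hunter2"}')
```

Running the module prints the hash record, `True` for the correct password, `False` for the wrong one, and a log line in which the password value has become `[REDACTED]`. The filter is a safety net, not a substitute for not logging request bodies at all; its value is that it also covers the code paths nobody remembered to audit.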
The regulator, which leads oversight of Meta’s GDPR compliance, also found that Meta breached the regulation by failing to notify the breach within the required period (the regulation generally requires notification within 72 hours of becoming aware of a breach). Meta also failed to properly document the breach, according to the DPC.
Deputy Chair Graham Doyle said in a statement: “It should be noted that the passwords considered in this case are particularly sensitive, as they allow access to the user’s social media accounts.”
Asked to respond to the latest GDPR sanction, Meta spokesperson Matthew Pollard issued an emailed statement claiming the company had taken “immediate action” over “mistakes” in its password management processes. The statement sought to downplay the findings.
“As part of our 2019 security review, we discovered that some Facebook user passwords were temporarily recorded in a readable format within our internal data systems. Although we took immediate steps to correct it, we have no evidence that these passwords were misused or accessed without authorization,” Meta wrote. “We have proactively raised this matter with our lead regulator, the Irish Data Protection Commission, and have worked constructively with them throughout this investigation.”
Meta had already racked up most of the largest GDPR penalties ever imposed on a tech giant, so the latest sanctions only highlight the scale of the company’s privacy compliance problems.
This fine is significantly higher than the €17 million penalty the DPC imposed on Meta in March 2022 over a security breach in 2018. The Irish regulator has since replaced its senior management. The two cases also differ in scale: Meta’s earlier breach affected up to 30 million Facebook users, whereas in 2019 hundreds of millions of Facebook users allegedly had their passwords exposed because the company failed to protect them.
The GDPR gives data protection authorities the power to impose fines for breaches, with the amount calculated from factors such as the nature, severity and duration of the breach; the scope or purpose of the processing; the number of data subjects affected; and the level of damage they sustained.
The maximum possible fine under the GDPR is 4% of annual global turnover. So in Meta’s case a €91 million fine may sound like a lot of money, but given that its annual revenue in 2023 was a staggering $134.9 billion, it is only a fraction of the billions of dollars the company could theoretically face.