The Irish Data Protection Commission (DPC) has levied a €251 million fine against Meta Platforms Ireland Limited (MPIL) following investigations into a significant personal data breach reported in September 2018.
The DPC Commissioners issued final decisions following two independent investigations. The decisions included a series of reprimands and administrative fines directed at Meta for violations of General Data Protection Regulation (GDPR) provisions.
The DPC concluded that MPIL failed to include “all relevant information required in its breach notification,” which was sanctioned with a reprimand and an €8 million fine. Facebook’s parent company was also found guilty of failing to properly “document the facts and details of the breach or the remedial steps undertaken,” hindering compliance checks and resulting in a €3 million fine and a reprimand.
MPIL received an additional reprimand and a €110 million fine for failing to ensure that only necessary user data was processed by default in specific cases. It also received a €130 million fine and a reprimand for violating a GDPR article requiring it to incorporate data protection principles into the design of its processing systems.
The breach exposed sensitive personal information associated with approximately 29 million Facebook accounts globally, including around 3 million accounts within the EU/EEA, and involved the exploitation of user tokens on the Facebook platform by unauthorized third parties.
A wide array of personal data was compromised in the process, including users' full names, email addresses, phone numbers, locations, work affiliations, dates of birth, religious beliefs, genders, timeline posts, group memberships, and even children’s personal data.
Meta and its parent company in the U.S. acted promptly to remedy the breach upon discovery.
While no objections were raised by peer EU/EEA supervisory authorities, Meta intends to appeal the decision.
Last month, the Federal Court of Justice (BGH) in Germany declared that Facebook users affected by data breaches in 2018 and 2019 are eligible for compensation, even if they did not suffer financial loss.