Irish Data Privacy Commissioner fines Meta €251 million for GDPR violations

Menlo Park, USA, Meta office. Photo: depositphotos.

On 17 December, the Irish Data Protection Commission (DPC) announced a record fine of €251 million for Meta. The reason was a violation of the EU’s General Data Protection Regulation (GDPR) concerning security on the Facebook social network. This is reported by the Time Ukraine Israel portal, citing Euractiv.

Details of the violation and fine

The breach that led to the fine began in July 2017 and affected about three million user accounts in the European Economic Area. The main problem was a vulnerability in Facebook’s code that allowed third parties to use special scripts to view user profiles without their consent.

“This case demonstrates that failure to comply with data protection rules can put individuals at significant risk of losing their privacy and fundamental rights,” commented DPC Deputy Commissioner Graham Doyle.

Meta discovered the problem in September 2018, promptly fixed the vulnerability, and reported it to law enforcement agencies. However, according to the DPC, the company did not take sufficient measures to inform regulators and did not provide full documentation of the incident.

Distribution of the fine

The fine of EUR 251 million is divided into two parts:

  • EUR 11 million for insufficient communication with regulators;
  • EUR 240 million for non-compliance with GDPR requirements in the overall system architecture.

The data that was compromised included user names, gender, religion, phone numbers, location, and place of work.

Meta’s reaction

A Meta spokesperson said in a statement that the company had taken immediate steps to resolve the issue, but planned to appeal the DPC’s decision.

Context and criticism of the DPC

This case is the third large-scale fine for Meta in the last year. In September, the DPC fined the company €91 million for password management violations, and in October, it fined LinkedIn €310 million for misusing data for targeted advertising.

Nevertheless, the DPC is often criticised for its lack of effectiveness in implementing the GDPR, although the number of investigations has increased significantly under the leadership of Des Hogan, who took over the commission in February 2024. The latest decision was made after consultation with other EU data protection authorities, and no objections to the draft decision were received.

This fine is a strong reminder that non-compliance with the GDPR can have serious consequences for companies. In particular, the Meta case highlights the need not only to respond promptly to incidents, but also to fully comply with regulatory obligations.
