Image: Planet Volumes via Unsplash/Meta

Meta fined $263 million for alleged GDPR violations that led to data breach

Ireland’s data privacy regulator on Tuesday announced it has fined Meta €251 million ($263 million) for alleged data security failures that led to about 29 million Facebook accounts worldwide being breached in 2018.

A vulnerability in Facebook’s video upload feature allegedly allowed unauthorised parties to access all of the profile information belonging to the owners of those accounts.

The exposed data included locations, religion, gender, posts on timelines, groups of which a user was a member, children’s personal data, phone numbers, and email addresses, the Data Protection Commission (DPC) said in a press release.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms,” DPC Deputy Commissioner Graham Doyle said in a statement. “By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Meta reported the breach to the DPC in September 2018.

A Meta spokesperson issued a statement noting that the fine relates to an incident that occurred six years ago.

“We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission,” the statement said. “We have a wide range of industry-leading measures in place to protect people across our platforms.”  

The fine was levied for several reasons, the DPC said, including that Meta allegedly failed to include all of the required information in its original breach notification.

The DPC also said part of the fine relates to the company’s alleged failure to document “the facts relating to each breach, the steps taken to remedy them and to do so in a way that allows the Supervisory Authority to verify compliance.”

The bulk of the fine stemmed from Meta’s alleged failure to build appropriate data protection measures into the design of its processing systems, and from its alleged failure to ensure that, by default, only the personal data necessary for “specific purposes” was processed.

Each of these alleged failures is a breach of the European Union’s General Data Protection Regulation (GDPR).

The fine announced Tuesday is just the latest financial hit Meta has taken for violating European data protection laws.

In September, the DPC fined Meta €91 million ($96 million) for allegedly failing to appropriately safeguard users' password data and for a delay in reporting the problem.

In May 2023, the DPC fined Meta €1.2 billion ($1.3 billion) for allegedly improperly transferring Facebook users’ personal data from the European Union to the U.S. In September 2022, the DPC levied a €405 million ($425 million) fine over alleged failures in how Instagram handled data belonging to minors.

In January 2023, the DPC fined Meta €390 million ($410 million) for improperly processing user data for ad targeting.

The DPC is Meta’s lead supervisory authority under the GDPR because the company’s European headquarters is in Dublin, which is why Ireland has issued most of the major European penalties against Meta.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.