In a significant event that underscores the growing emphasis on digital privacy, Meta, formerly known as Facebook, was slapped with a hefty €251 million ($263 million) fine by the European Union’s top data privacy regulator, the Irish Data Protection Commission (DPC). The fine, officially announced on December 17, 2024, was the outcome of a data breach that occurred in 2018, which impacted the personal data of nearly 30 million users. This breach exposed sensitive information, including full names, email addresses, phone numbers, locations, workplaces, dates of birth, religion, gender, Facebook posts, and group memberships.
Breach of General Data Protection Regulation (GDPR)
The DPC found multiple violations of GDPR, which is the stringent data protection law in the European Union. Meta was criticized for inadequate breach notification, poor documentation, failure to uphold data protection principles, and unnecessary data processing. More alarming was the exposure of children’s data, raising severe concerns about the company’s ability to ensure the privacy of its younger users. The incident had a global impact, with approximately 3 million victims hailing from the European Union and the European Economic Area.
It’s not the first time Meta found itself in hot water over data security lapses. Just three months prior, in September, the DPC fined Meta $100 million for exposing the plaintext passwords of about 600 million Facebook users. This violation was disclosed in 2019, thanks to the vigilant efforts of American security researcher Brian Krebs. Meta had admitted its failure to use cryptographic protection or encryption for these passwords, a clear breach of GDPR security standards, which require robust measures to protect personal data.
Implications of the Fine and Regulatory Scrutiny
This incident underscores the growing tension between tech giants and regulatory bodies concerning data protection. The DPC’s decision reflects an enforcement trend as authorities worldwide strive to hold companies accountable for safeguarding users’ personal information. The fine stands as one of the most significant penalties in recent years, emphasizing the critical importance of robust data security measures and user privacy in today’s digital landscape.