Inquiry into Meta Platforms Ireland Limited - September 2024

(IN-19-4-1)

Date of Decision: 26 September 2024

On 26 September 2024, the Irish Data Protection Commission (DPC) adopted a final decision in an own-volition statutory inquiry, concerning the processing of user passwords on the Facebook service by Meta Platforms Ireland Limited (MPIL). The inquiry was carried out in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (GDPR). The DPC was competent to act as lead supervisory authority for the processing at issue, pursuant to Article 56 GDPR.

The Decision considered particular aspects of the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the EU, as expressed in the GDPR’s specific data protection rules concerning personal data breaches, and the obligation to ensure the security of personal data.

Background to the Inquiry Process

MPIL uses cryptographic and encryption techniques when storing users’ passwords, and does not store the individual characters that make up a password. On 21 March 2019, MPIL informed the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems. On 24 April 2019, the DPC commenced an own-volition inquiry in response to this issue.
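The two points in the background above, storing passwords only as the output of a salted key-derivation function and keeping the raw characters out of internal logs, as an added Python example. This is illustrative code written for this summary, not code from MPIL's systems; the scrypt parameters, the log format, the field names matched by the redaction pattern and the sample log lines are all constructed assumptions. It also shows the audit check a defender would run over existing log lines to detect password fields that reached the log unredacted.

```python
import hashlib
import hmac
import io
import logging
import os
import re
from typing import List, Optional, Tuple

# --- 1. Storage: keep only a salted KDF output, never the password characters ---

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). scrypt cost parameters here are assumed, for illustration."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, key

def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)

# --- 2. Logging: scrub password fields before any record reaches a handler ---

# Matches key/value pairs such as password=..., "password": "...", pwd: ... (assumed field names)
_PASSWORD_KV = re.compile(
    r'(?P<key>\b(?:password|passwd|pwd)\b)(?P<sep>["\']?\s*[:=]\s*["\']?)(?P<val>[^\s"\'&,}]+)',
    re.IGNORECASE,
)

def redact_passwords(text: str) -> str:
    """Replace the value of every password-like field with a fixed marker."""
    return _PASSWORD_KV.sub(lambda m: m.group("key") + m.group("sep") + "[REDACTED]", text)

class PasswordRedactingFilter(logging.Filter):
    """Logger-level filter: rewrites the message so no handler ever sees the raw value."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_passwords(record.getMessage())
        record.args = ()
        return True

def log_with_redaction(messages: List[str]) -> str:
    """Log each message through a redacting logger and return what was actually written."""
    stream = io.StringIO()
    logger = logging.getLogger("example.redacted")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PasswordRedactingFilter())
    for message in messages:
        logger.debug(message)
    logger.removeHandler(handler)
    return stream.getvalue()

# --- 3. Detection: audit existing log lines for password fields that were not redacted ---

def find_unredacted_passwords(lines: List[str]) -> List[int]:
    """Return 1-based line numbers where a password-like field carries a real value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _PASSWORD_KV.finditer(line):
            if match.group("val") != "[REDACTED]":
                hits.append(number)
                break
    return hits

# Constructed sample log lines (not real data) for the audit check
SAMPLE_LOG_LINES = [
    'DEBUG request body={"user": "alice", "password": "hunter2"}',      # leaked
    'DEBUG request body={"user": "alice", "password": "[REDACTED]"}',   # clean
    'INFO  auth attempt user=bob pwd=tr0ub4dor&remember=1',             # leaked
    'INFO  session created for user=bob',                              # no password field
]

if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, key))
    print(log_with_redaction(['POST /login body={"user": "bob", "password": "s3cret"}']), end="")
    print("lines with unredacted passwords:", find_unredacted_passwords(SAMPLE_LOG_LINES))
```

The filter is attached to the logger rather than to a handler so that every handler added later (file, syslog, a debugging stream) receives the already-scrubbed record; the audit function is the retrospective check for logs written before such a filter existed.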

Summary of Findings

| Number | Article of the GDPR | Findings |
|---|---|---|
| 1 | Article 4(12) | The Data Protection Commission found that each of the instances of plaintext password logging, as identified by MPIL on 7 January 2019 and 31 January 2019, constituted a personal data breach within the meaning of Article 4(12) GDPR. |
| 2 | Article 33(1) | The Data Protection Commission found that MPIL infringed Article 33(1) GDPR by failing to notify a personal data breach to the Data Protection Commission without undue delay and within 72 hours of the discovery on 31 January 2019 of the passwords stored in plaintext. |
| 3 | Article 33(5) | The Data Protection Commission found that MPIL infringed Article 33(5) GDPR on two occasions, by failing to document the personal data breach discovered on 7 January 2019 and by failing to document the personal data breach discovered on 31 January 2019. |
| 4 | Articles 5(1)(f), 32(1) | The Data Protection Commission found that MPIL did not comply with the requirements of Article 5(1)(f) GDPR and Article 32(1) GDPR (in particular having regard to Article 32(1)(b)) by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. |

Corrective Measures

Where the DPC makes a decision under Section 111(1)(a) of the Act, it must also make a decision under Section 111(2) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and if so, the corrective power to be exercised.

Having considered the infringements of the GDPR as set out above, the DPC decided to exercise the following corrective powers, in accordance with Article 58(2) GDPR:

  • a reprimand, pursuant to Article 58(2)(b) GDPR, regarding the infringements identified in the Decision; and
  • three administrative fines totalling €91 million, as follows:
    1. In respect of MPIL’s infringement of Article 33(1) GDPR, a fine of €8 million.
    2. In respect of MPIL’s infringement of Article 33(5) GDPR, a fine of €8 million.
    3. In respect of MPIL’s infringements of Articles 5(1)(f) and 32(1) GDPR, a fine of €75 million.

The purpose of the reprimand is to formally recognise the serious nature of the infringements, in order to deter future similar non-compliance by MPIL and by other controllers or processors carrying out similar processing operations. The infringements concerned the personal data of tens of millions of Facebook users. Furthermore, the DPC found that both infringements contributed to a risk of fraud, impersonation, spamming and potential financial or reputational loss in respect of the data subjects.

In deciding to impose three administrative fines totalling €91 million, the DPC gave due regard to the factors set out in Article 83(2) GDPR. The DPC also considered that administrative fines totalling €91 million met the requirements set out in Article 83(1) GDPR of being effective, proportionate and dissuasive.

Prior to its adoption, the DPC submitted a draft of its decision to the Concerned Supervisory Authorities (CSAs) in June 2024, as required under Article 60(3) GDPR. The CSAs did not raise any objections under Article 60(4) GDPR to the draft decision. Four comments were received from CSAs with regard to the draft decision. The DPC had regard to these comments, and to a final submission by MPIL, when finalising the decision for adoption.
