Irish Data Protection Commission fines Meta €251 Million

The Irish Data Protection Commission (DPC) has today announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These own-volition inquiries were launched by the DPC following a personal data breach, which was reported by MPIL in September 2018.

This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. The breach arose from the exploitation by unauthorised third parties of user tokens[1] on the Facebook platform.  The breach was remedied by MPIL and its US parent company shortly after its discovery.

The decisions, which were made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251 million.

The DPC submitted a draft decision to the GDPR cooperation mechanism in Sept 2024, as required under Article 60 of the GDPR[2]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

The DPC’s final decisions record the following findings of infringement of the GDPR:

1. Decision 1
   1. Article 33(3) GDPR - By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
   2. Article 33(5) GDPR - By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.
2. Decision 2
   1. Article 25(1) GDPR - By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.
   2. Article 25(2) - By failing in their obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.

DPC Deputy Commissioner Graham Doyle commented:

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

The DPC will publish the full decision and further related information in due course.

Further information

^[1] User tokens are coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and to personal data of the user and their contacts.

^[2] Article 60 of the GDPR regulates the cooperation procedure between the Lead Supervisory Authority and the other Concerned Supervisory Authorities.

Background

The breach that gave rise to the DPC’s Decisions arose from the deployment of a video upload function on the Facebook platform in July 2017. Facebook’s ‘View As’ feature allowed a user to see their own Facebook page as it would be seen by another user. A user making use of this feature could invoke the video uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ facility. The video uploader would then generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. A user could then use that token to exploit the same combination of features on other accounts, allowing them to access multiple users’ profiles and the data accessible through them. Between 14 and 28 September 2018 unauthorised persons used scripts to exploit this vulnerability and gained the ability to log on as the account holder to approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. Facebook security personnel were alerted to the vulnerability by an anomalous increase in video upload activity and removed the functionality that caused the vulnerability shortly thereafter.