Irish Data Protection Commission fines Meta €251 million
Yesterday the Irish Data Protection Commission (DPC) announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These inquiries were launched by the DPC following a personal data breach which was reported by MPIL in September 2018.
This data breach involved some 29 million Facebook accounts around the world, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: users’ full names; email addresses; phone numbers; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. The breach arose from the exploitation by unauthorised third parties of user tokens – i.e. coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and to the personal data of the user and their contacts – on the Facebook platform. The breach was remedied by MPIL and its US parent company shortly after its discovery.
The DPC submitted a draft decision to the GDPR cooperation mechanism in September 2024, as required under the GDPR’s Article 60. No objections to the DPC’s draft decision were raised.
The DPC’s final decisions list the following infringements of the GDPR:
- Decision 1
  - Article 33(3) GDPR – By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
  - Article 33(5) GDPR – By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.
- Decision 2
  - Article 25(1) GDPR – By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL and ordered it to pay administrative fines of €130 million.
  - Article 25(2) GDPR – By failing in its obligations as controller to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.
DPC Deputy Commissioner Graham Doyle commented as follows:
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”