Data Protection Commission fines Meta €91 million

The Data Protection Commission (DPC) inquiry into Meta Platforms Ireland Limited (Meta), which commenced in April 2019 has now been concluded. The DPC announced its final decision to impose an administrative fine of €91 million on Meta on 27 September 2024.

The decision follows an investigation by the DPC in respect of the storage of certain passwords of social media users in ‘plaintext’ on Meta internal systems, without any cryptographic protection or encryption.  The fine represents the latest in a series of fines levied on Meta over the last number of years for infringements of the GDPR: In May 2023, Meta was fined €1.2 billion for mishandling the personal data of users when transferring data between Europe and the United States, the largest fine ever imposed under the GDPR. In September 2022, the DPC issued a €405 million fine on Meta concerning the unlawful processing of children’s personal data.

The DPC found that Meta had infringed Articles 5(1)(f) and Article 32(1) of the GDPR, for failing to implement appropriate technical and organisational security measures to protect user’s passwords against unauthorised access and ensure confidentiality of this personal data. Meta was also found to have infringed Articles 33(1) and 33(2) of the GDPR, for failing to document and notify the DPC, in relation to its non-compliance. 

The DPC often acts as the lead supervisory authority (LSA) in relation to cross border processing and cross border enforcement regarding investigations into large multinational corporations (MNCs) for alleged infringements of the GDPR, due to many MNCs having their European headquarters based in Ireland. Article 60 of the GDPR provides that cross border enforcement decisions are to be agreed upon jointly by all of the supervisory authorities concerned (CSAs) across the EU/EEA, before being formally adopted by a single supervisory authority. The DPC submitted their draft decision to the CSAs in June 2024 and there were notably no objections raised. 

While it is anticipated that Meta will likely appeal the administrative fine, the decision underscores the obligations that the GDPR places on all data controllers to implement appropriate security measures when processing personal data and to ensure that all security incidents and personal data breaches are properly documented and reported to the DPC without undue delay. The decision highlights the potential financial and reputational repercussions data controllers may face for non-compliance with these obligations. 

For further information, please contact Seán O’Donnell, Zelda Deasy or any member of the ByrneWallace LLP Data Protection/GDPR Team.