Ireland’s Data Protection Commission slapped Meta with a €251 million fine for failure to comply with the GDPR
Euractiv reports:
The fine was issued for a security breach on the social media platform Facebook which started in July 2017, and affected close to three million accounts in the European Economic Area.
“This enforcement action highlights how the failure to build in data protection requirements […] can expose individuals to […] risk to the fundamental rights and freedoms of individuals,” said the Irish DPC deputy commissioner Graham Doyle.
The breach was a bug in Facebook’s design which allowed unauthorised people using scripts to exploit a vulnerability in Facebook’s code, allowing them to view profiles of users they should not have been able to see otherwise.
Meta is expected to appeal the decision. “We took immediate action to fix the problem,” said a Meta spokesperson in an email.
Meta discovered the security issue in September 2018, fixed the vulnerability and informed law enforcement authorities.
Read more at Euractiv. The DPC’s own announcement lists the specific infringements by Meta Platforms Ireland Limited (MPIL) as follows:
The DPC’s final decisions noted the following infringements of the GDPR and the resulting fines for each:
- Decision 1
  - Article 33(3) GDPR – By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
  - Article 33(5) GDPR – By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.
- Decision 2
  - Article 25(1) GDPR – By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.
  - Article 25(2) GDPR – By failing in their obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.