The Irish Data Protection Commission (DPC) has announced its final decisions following two inquiries into Meta Platforms Ireland Limited (MPIL). The DPC launched own-volition inquiries following a personal data breach, which was reported by MPIL in September 2018.
The data breach affected approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: users' full names, email addresses, phone numbers, locations, places of work, dates of birth, religion, sex, posts on timelines, groups of which a user was a member, and children's personal data. The breach arose from the exploitation by unauthorised third parties of user tokens on the Facebook platform. MPIL and its US parent company remedied the breach shortly after its discovery.
The DPC decisions included several reprimands and an order to pay administrative fines totalling €251 million.
The DPC submitted draft decisions to the GDPR cooperation mechanism in July 2024, as required under Article 60 of the GDPR. None of the other regulators raised objections to the DPC’s draft decisions.
The DPC’s final decisions record the following findings of infringement of the GDPR:
Decision 1
- Article 33(3) GDPR – MPIL infringed this by not including in its breach notification all the information required by Article 33(3). The DPC reprimanded MPIL and ordered it to pay administrative fines of €8 million.
- Article 33(5) GDPR – MPIL infringed this by failing to document the facts relating to each breach and the steps taken to remedy them, and by failing to do so in a way that allows the relevant regulator to verify compliance. The DPC reprimanded MPIL and ordered it to pay administrative fines of €3 million.
Decision 2
- Article 25(1) GDPR – MPIL infringed this by failing to ensure that data protection principles were included in the design of its processing systems. The DPC reprimanded MPIL and ordered it to pay administrative fines of €130 million.
- Article 25(2) GDPR – MPIL infringed this by failing in its obligations as controller to ensure that, by default, only personal data necessary for specific purposes was processed. The DPC reprimanded MPIL and ordered it to pay administrative fines of €110 million.
The DPC will publish the full decision and further related information in due course.