The Data Protection Commission (DPC) has announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL).
In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (that is, without cryptographic protection or encryption). MPIL also published information regarding this incident in March 2019. These passwords were not made available to external parties.
The DPC started its inquiry in April 2019 and assessed MPIL’s compliance with the GDPR, and in particular, whether MPIL implemented measures to ensure a level of security appropriate to the risks associated with the processing of passwords, and whether MPIL complied with its obligations to document, and notify the DPC of, personal data breaches.
The DPC’s Decision concerns the GDPR principles of integrity and confidentiality. The GDPR requires data controllers to implement appropriate security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing. To maintain security, data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks. The DPC’s decision emphasises the need to take such measures when storing user passwords.
The GDPR also requires data controllers to properly document personal data breaches, and to notify data protection authorities of breaches that occur. A personal data breach may, if not addressed in an appropriate and timely manner, result in damage such as loss of control over personal data. Therefore, when a controller becomes aware that a personal data breach has occurred, it should notify the supervisory authority without undue delay, as set out in Article 33 GDPR.
The DPC submitted a draft decision to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, as required under Article 60 of the GDPR. No objections to the draft decision were raised by the other authorities.
The decision contains the following corrective powers:
- A reprimand under Article 58(2)(b) GDPR; and
- Administrative fines totalling €91 million under Articles 58(2)(i) and 83 GDPR.
The DPC’s Decision records the following findings of infringement of the GDPR:
- Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
- Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
- Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
- Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.
The DPC will publish the full Decision and further related information in due course.