HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Meta fined €251 million for GDPR violations

Written by Farah Amod | Dec 26, 2024 1:43:04 AM

Meta was fined €251 million for failing to meet General Data Protection Regulation (GDPR) requirements in a 2018 Facebook data breach that affected 29 million accounts.


What happened

The Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited €251 million for a 2018 data security breach that compromised the personal information of approximately 29 million Facebook accounts worldwide. Around 3 million of these accounts belonged to users within the European Union and European Economic Area.

The breach stemmed from a flaw in Facebook's 'View As' feature, which allows users to view their own profiles from another user's perspective. Attackers exploited this vulnerability by combining the video upload function with the 'Happy Birthday Composer' tool, obtaining user access tokens that granted unauthorized access to multiple accounts.


Going deeper

The compromised data included full names, email addresses, phone numbers, locations, workplace details, dates of birth, religions, genders, timeline posts, group memberships, and children’s personal information. The breach exposed Meta to multiple GDPR violations, including incomplete breach notifications, poor documentation practices, and a lack of data protection principles in system design.

The fine breakdown is as follows:

  • €8 million for incomplete breach notifications.
  • €3 million for documentation failures.
  • €130 million for design-related GDPR principle violations.
  • €110 million for processing unnecessary personal data.

Meta resolved the breach shortly after its discovery in 2018 and notified affected individuals and the DPC. However, the company intends to appeal the decision, arguing that immediate action was taken to address the issue.


What was said

Graham Doyle, deputy commissioner at the DPC, discussed the broader implications of the breach. "This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms," he said.

A Meta spokesperson stated, "We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission."


The big picture

The €251 million fine is part of nearly €3 billion in GDPR penalties imposed on Meta by the Irish DPC. This case underscores the need for strong data protection measures, timely breach notifications, and proper documentation to mitigate risks and avoid regulatory scrutiny. With no objections from other EU and EEA authorities, the fine reinforces GDPR enforcement and pressures companies like Meta to improve data safeguards and accountability.


FAQs

What is the 'View As' feature, and why was it vulnerable?

The 'View As' feature on Facebook allows users to see how their profile appears to others. The vulnerability arose from an interaction between this feature and the video upload function, which generated access tokens that granted unauthorized access to other users' accounts.

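As an added illustration (not Facebook's code; the page gives no further detail of the real flaw), the following Python toy models a profile-preview feature two ways: a flawed design that renders the preview by minting a session token for the profile owner, so the token can be used to act as that person, and a hardened design in which the token's subject stays the authenticated viewer and the impersonated identity is only a read-only claim. The user names, signing key and claim layout are constructed assumptions for the example.

```python
"""Toy model of a profile "view as" preview feature.

Added illustration, not Facebook's code. It contrasts a preview token
minted for the *target* user (flawed) with one bound to the authenticated
*viewer* (hardened). Names, key and claims are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

# Constructed signing key; a real service would load this from a secret store.
SECRET = b"constructed-signing-key-for-example-only"


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag (compact, JWT-like)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def _verify(token: str) -> dict:
    """Check the tag and return the claims; reject anything tampered with."""
    body_b64, tag_b64 = token.split(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
        raise ValueError("bad signature")
    return json.loads(body)


def flawed_view_as_token(viewer: str, target: str) -> str:
    """Flawed design: the preview is rendered by issuing a full session token
    whose subject is the profile being previewed. Whoever obtains the token
    can act as the target, even though the request came from `viewer`."""
    return _sign({"sub": target, "scope": "full"})


def hardened_view_as_token(viewer: str, target: str) -> str:
    """Hardened design: the subject stays the authenticated viewer; the
    impersonated identity is a separate claim with a preview-only scope."""
    return _sign({"sub": viewer, "view_as": target, "scope": "preview:read"})


def can_post_as(token: str, user: str) -> bool:
    """Authorization check for a write action (e.g. a timeline post) as `user`.
    Only a full-scope token whose subject is `user` passes."""
    claims = _verify(token)
    return claims["sub"] == user and claims["scope"] == "full"


def preview_subject(token: str) -> str:
    """Which profile the renderer should display for this token."""
    claims = _verify(token)
    return claims.get("view_as", claims["sub"])


if __name__ == "__main__":
    flawed = flawed_view_as_token("alice", "bob")
    hardened = hardened_view_as_token("alice", "bob")
    print("flawed token lets alice post as bob:", can_post_as(flawed, "bob"))
    print("hardened token lets alice post as bob:", can_post_as(hardened, "bob"))
    print("hardened token still previews:", preview_subject(hardened))
```

The design point is the one the DPC's "data protection by design" finding turns on: a feature that shows one user's view of another must never hand out a credential that is indistinguishable from the other user's own session. Binding the token to the real actor and expressing impersonation as a narrowly scoped claim keeps every downstream authorization check (and every audit log) attributing actions to the person who actually made them.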

What are GDPR design-related principle violations?

GDPR requires companies to embed data protection into system design ('privacy by design'). Violations occur when systems are built without adequately considering data minimization, security measures, or transparency, exposing users to unnecessary risks.


Why are GDPR fines issued by the Irish DPC?

The Irish DPC oversees GDPR enforcement for many tech companies, including Meta, because they have their European headquarters in Ireland. This makes the DPC the lead supervisory authority for GDPR violations involving these companies.