- Meta has been hit with a €251 million GDPR fine
- Punshment follows Facebook data breach incident in 2018
- Ireland’s Data Protection Commission is yet to collect many of the fines
Meta has received yet another GDPR fine, with the parent company of Facebook, Instagram and WhatsApp facing a €251 million (around $263 million) hit following a 2018 data breach which exposed around 29 million Facebook accounts globally, 3 million of which were EU-based users.
Ireland’s Data Protection Commission (DPC) has been one of Europe’s leading regulatory bodies when it comes to holding tech firms to account, handing out huge penalties for GDPR violations, including the largest ever GDPR fine, a $1.3 billion charge, also against Meta, for data handling.
The most recent violations refer to the attack in which malicious actors used the ‘view as’ feature, which ordinarily allows users to see what their account looks like to their friends and family, to steal access tokens in order to take over the users account.
Millions of users affected
Of the users whose tokens were stolen, 15 million had their phone numbers and email addresses exposed, and a further 14 million also had their usernames, gender, relationship status, and location check-ins accessed. One million lucky users targeted had no data stolen.
Following the breach, the DPC found Facebook infringed GDPR by not including enough information in its breach notification, failing to properly document the facts of the incident. The DPC also found the company failed to ensure the data protection principles were protected, and that Facebook had failed in its ‘obligation as controllers’ to ensure that only necessary personal data is processed.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC Commissioner Graham Doyle.
This may seem like a hefty fine, and it is, but the reality of these GDPR fines is not quite what it seems. So far, only 1% of these DPC fines have been collected, so there’s a chance this fine could also get tied up in the appeals process indefinitely.