On 17 December 2024, the Irish Data Protection Commission (DPC) released its final determinations following two investigations into Meta Platforms Ireland Limited (MPIL), initiated in response to a personal data breach self-reported by Meta in September 2018.
The data breach affected around 29 million Facebook accounts worldwide, with roughly 3 million of these accounts located in the European Union. The types of personal information compromised encompassed the user’s full name, email address, phone number, geographical location, workplace, date of birth, religious affiliation, gender, posts on timelines, groups to which the user belonged, and personal data pertaining to children.
The incident resulted from a vulnerability that allowed attackers to obtain access tokens: the credentials that keep a user signed in so that they do not have to re-enter their password on every request. Because Facebook Login reuses these tokens, a stolen token could also be used to reach third-party applications and services that users had linked to their account, such as Spotify, Pinterest and Yelp. The flaw had existed since July 2017 and was identified in September 2018 when Facebook engineers noticed an unusual spike in login activity. Once the breach was detected, Meta Platforms Ireland and its parent company in the United States moved immediately to remediate the vulnerability.
The final determinations of the DPC record the following infringements of the GDPR:
Article 33(3) GDPR – MPIL's breach notification omitted information that this provision requires a controller to include. The DPC issued a reprimand to MPIL for this shortcoming and imposed administrative fines of 8 million euros.
Article 33(5) GDPR – The DPC found that MPIL had not adequately documented the facts of each breach, including the measures taken to address it, and had not presented this information in a way that would allow the supervisory authority to verify compliance. MPIL was ordered to pay administrative fines of 3 million euros.
Article 25(1) GDPR – The DPC found that MPIL had failed to implement data protection by design: the data protection principles were not built into the design of its processing systems. The DPC issued a reprimand to MPIL and imposed administrative fines of 130 million euros.
Article 25(2) GDPR – The DPC found that MPIL had failed to implement data protection by default: as controller, it did not ensure that, by default, only the personal data necessary for each specific purpose was processed. The DPC reprimanded MPIL and imposed administrative fines of 110 million euros.
DPC Deputy Commissioner Graham Doyle emphasized that the DPC’s enforcement action underscores the significant risks and harms individuals may face when data protection requirements are not integrated throughout the design and development process. This oversight can jeopardize fundamental rights and freedoms.
Facebook profiles frequently include sensitive information about religious or political beliefs, sexual orientation, and other personal matters that users may prefer to share only under specific conditions. The unauthorized exposure of this profile information left the affected users exposed to a substantial risk that the data would be misused.
