DPC (Ireland) - Meta Ireland

From GDPRhub
Revision as of 07:35, 1 October 2024 by Ao (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Ireland |DPA-BG-Color=background-color:#013d35; |DPAlogo=LogoIE.png |DPA_Abbrevation=DPC |DPA_With_Country=DPC (Ireland) |Case_Number_Name=Meta Ireland |ECLI= |Original_Source_Name_1=DPC |Original_Source_Link_1=https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-91-million-fine-of-Meta |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Original_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DPC - Meta Ireland
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(1) GDPR
Article 33(1) GDPR
Article 58(2)(b) GDPR
Article 58(2)(i) GDPR
Article 60 GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.04.2019
Decided: 27.09.2024
Published: 27.09.2024
Fine: 91,000,000 EUR
Parties: Meta Platforms Ireland Limited
National Case Number/Name: Meta Ireland
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: ao

The DPA fined Meta €91,000,000 for a personal data breach involving the storage of Meta users’ passwords in plaintext without cryptographic protection or encryption.

English Summary

Facts

This decision is the final result of an inquiry launched in April 2019 after Meta Platforms Ireland Limited (MPIL) notified the DPC of the personal data breach. MPIL notified the DPC that it had inadvertently stored passwords of social media users in plaintext on its internal systems without cryptographic protection or encryption.

The DPC press release shows that passwords were not made available to external parties.

The DPC had submitted a draft decision under Article 60 GDPR to the other Concerned Supervisory Authorities across the EU/EEA in June 2024 and no objections were raised by the other authorities.

Holding

The DPC found the following violations:

1. Article 33(1) GDPR, for failure to notify the DPC the data breach concerning storage of user passwords in plaintext. 2. Article 33(5) GDPR, for failure to document personal data breaches concerning the storage of user passwords in plaintext. 3. Article 5(1)(f) GDPR, for failure to implement appropriate technical and organisational measures to secure users’ passwords against unauthorized processing. 4. Article 32(1) GDPR, for failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including confidentiality of user passwords.

Highlighting that an unaddressed personal data breach can result in damage such as loss of control over personal data, the DPC reprimanded MPIL pursuant to Article 58(2)(b) GDPR and issued a fine of €91 million pursuant to Article 58(2)(i) and Article 83 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.