
DPC (Ireland) - Meta "View-as" feature

From GDPRhub
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 25 GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started: 24.09.2018
Decided:
Published: 17.12.2024
Fine: 251,000,000 EUR
Parties: Meta Platforms Ireland Limited
National Case Number/Name: Meta "View-as" feature
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: ao

The DPA fined Meta €251,000,000 for failing to build data protection into the design of the "View-as" feature, which led to a data breach compromising the data of millions of Facebook users, and for failing to adequately notify and document that breach.

English Summary

Facts

In September 2018, the Irish Data Protection Commission (DPC) launched two inquiries into data processing activities of Meta Platforms Ireland Limited, here the controller.

In July 2017, Meta deployed a so-called “View-as” function on Facebook which allowed users to see their own Facebook page as it would appear to another user. The function could be combined with a video upload feature which generated so-called “user tokens”. User tokens are coded identifiers which are used to verify users and which control access to platform features as well as to personal data. When the uploader was invoked from within “View-as”, it generated a fully permissioned user token for the user whose view was being displayed, so that the token could be used to access that other user’s account.

Between 14 and 28 September 2018, unauthorised third parties used scripts to exploit this vulnerability and obtained tokens allowing them to log on as other Facebook account holders. The data breach affected approximately 29,000,000 Facebook users globally, of which approximately 3,000,000 were based in the EU/EEA.

Meta’s security personnel became aware of the data breach through an anomalous increase in video upload activity and removed the vulnerable functionality shortly afterwards.

Holding

Decision one: Documentation concerning the data breach

The DPC found that Meta had violated Article 33(3) GDPR by failing to include in its breach notification all the information required by that provision. For this violation, the DPC issued a reprimand and set an administrative fine of €8,000,000.

Further, the DPC found a violation of Article 33(5) GDPR, as Meta had failed to appropriately document the facts of the breach and the remedial steps taken, in a way that would allow the supervisory authority to verify compliance. For this violation, the DPC issued a reprimand and set an administrative fine of €3,000,000.

Decision two: Privacy by design

The DPC found that Meta had violated Article 25(1) GDPR by failing to embed data protection principles into the design of the feature. For this violation, the DPC issued a reprimand and set an administrative fine of €130,000,000.

Additionally, the DPC found that Meta had violated Article 25(2) GDPR by failing to ensure that, by default, only the personal data necessary for each specific purpose were processed. For this violation, the DPC issued a reprimand and set an administrative fine of €110,000,000.


DPC Press Release (English Original)

The text below is the DPC’s press release announcing the decisions, reproduced in the English original.

Irish Data Protection Commission fines Meta €251 Million

17th December 2024

The Irish Data Protection Commission (DPC) has today announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These own-volition inquiries were launched by the DPC following a personal data breach, which was reported by MPIL in September 2018.

This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: users’ full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. The breach arose from the exploitation by unauthorised third parties of user tokens[1] on the Facebook platform. The breach was remedied by MPIL and its US parent company shortly after its discovery.

The decisions, which were made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251 million.

The DPC submitted a draft decision to the GDPR cooperation mechanism in Sept 2024, as required under Article 60 of the GDPR[2]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

The DPC’s final decisions record the following findings of infringement of the GDPR:

Decision 1

Article 33(3) GDPR - By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.

Article 33(5) GDPR - By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.

Decision 2

Article 25(1) GDPR - By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.

Article 25(2) GDPR - By failing in their obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.

DPC Deputy Commissioner Graham Doyle commented:

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

The DPC will publish the full decision and further related information in due course.

Further information

[1] User tokens are coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and to personal data of the user and their contacts.

[2] Article 60 of the GDPR regulates the cooperation procedure between the Lead Supervisory Authority and the other Concerned Supervisory Authorities.

Background

The breach that gave rise to the DPC’s Decisions arose from the deployment of a video upload function on the Facebook platform in July 2017. Facebook’s ‘View As’ feature allowed a user to see their own Facebook page as it would be seen by another user. A user making use of this feature could invoke the video uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ facility. The video uploader would then generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. A user could then use that token to exploit the same combination of features on other accounts, allowing them to access multiple users’ profiles and the data accessible through them. Between 14 and 28 September 2018 unauthorised persons used scripts to exploit this vulnerability and gained the ability to log on as the account holder to approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. Facebook security personnel were alerted to the vulnerability by an anomalous increase in video upload activity and removed the functionality that caused the vulnerability shortly thereafter.
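The following is an added, hypothetical model of the design error described in the Facts and in the Background above. It is not Facebook's code and is not taken from the decision. It assumes a Session object that records who is logged in and whose view is being previewed, a toy HMAC-signed bearer token, and constructed sample profiles. The vulnerable issuer resolves "current user" to the previewed identity and grants the full default scope set, so a token minted during a preview acts as the previewed user and is honoured by the server like any other bearer token; the hardened issuer binds the token to the authenticated principal and grants only the scope the uploader needs, which is the Article 25(1) and 25(2) point expressed in code.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed signing key and sample profiles for this demo only (not real data).
SIGNING_KEY = b"demo-only-signing-key"
PROFILES = {
    "alice":   {"name": "Alice",   "dob": "1990-05-01", "religion": "unspecified"},
    "bob":     {"name": "Bob",     "dob": "1985-11-23", "religion": "unspecified"},
    "mallory": {"name": "Mallory", "dob": "1992-02-14", "religion": "unspecified"},
}

FULL_SCOPES = ("read_profile", "write_post", "upload_video")  # "fully permissioned"
UPLOAD_ONLY = ("upload_video",)                               # what the uploader needs


@dataclass(frozen=True)
class Session:
    """Hypothetical session: who is logged in, and whose view they are previewing."""
    authenticated_user: str
    view_as: Optional[str] = None

    def current_user(self) -> str:
        # "View As" switches the *rendering* identity. The flaw modelled here is
        # letting that switched identity leak into credential issuance.
        return self.view_as or self.authenticated_user


def mint(subject: str, scopes: tuple) -> str:
    """Toy bearer token: JSON claims plus an HMAC tag. Whoever holds it can use it."""
    claims = json.dumps({"sub": subject, "scopes": list(scopes)}, sort_keys=True)
    tag = hmac.new(SIGNING_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}.{tag}"


def verify(token: str) -> dict:
    """Check the tag and return the claims; the server trusts nothing else."""
    claims, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, claims.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("bad signature")
    return json.loads(claims)


def issue_upload_token_vulnerable(session: Session) -> str:
    # Uses the rendered identity and the full default scope set. Inside a "View As"
    # preview this mints a fully permissioned token for the previewed user.
    return mint(session.current_user(), FULL_SCOPES)


def issue_upload_token_hardened(session: Session) -> str:
    # Bind to the authenticated principal (never the preview identity) and grant
    # only the scope the feature needs by default.
    return mint(session.authenticated_user, UPLOAD_ONLY)


def read_profile(token: str, target: str) -> dict:
    """Server-side access check based solely on the token's own claims."""
    claims = verify(token)
    if claims["sub"] != target or "read_profile" not in claims["scopes"]:
        raise PermissionError(f"token for {claims['sub']} may not read {target}")
    return PROFILES[target]


def can_read(token: str, target: str) -> bool:
    try:
        read_profile(token, target)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Mallory previews her own page as Alice and requests an upload token."""
    session = Session(authenticated_user="mallory", view_as="alice")
    leaky = issue_upload_token_vulnerable(session)
    safe = issue_upload_token_hardened(session)
    return {
        "vulnerable_token_subject": verify(leaky)["sub"],    # "alice": token acts as Alice
        "vulnerable_reads_alice": can_read(leaky, "alice"),   # True: full access to Alice
        "hardened_token_subject": verify(safe)["sub"],        # "mallory"
        "hardened_reads_alice": can_read(safe, "alice"),      # False: wrong subject
        "hardened_reads_self": can_read(safe, "mallory"),     # False: upload-only scope
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two issuers is that the server-side check in read_profile is the same in both cases and is correct; the defect is entirely in which identity and which scopes were written into the token at issuance. A regression test for a preview or impersonation feature should therefore assert on the claims of every credential minted while the preview is active, not only on the rendered page.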
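The Background also notes that the vulnerability was noticed through an anomalous increase in video upload activity. As an added example, not the DPC's or Meta's tooling, the following detector runs over a constructed upload log: it compares each hour's upload count with the median of the previous twelve hours and, for any flagged hour, additionally reports a single actor uploading against many distinct accounts. The log format, the thresholds and the fan-out heuristic are assumptions made here; the decision only records that the rise in uploads was what alerted Facebook's security personnel.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def make_sample_log() -> list:
    """Constructed upload log (not Facebook data).

    One line per event: "<ISO timestamp> <actor> <action> <target account>".
    24 quiet hours of 1-3 uploads each, then one hour in which a single scripted
    actor uploads against 40 different accounts.
    """
    lines = []
    start = datetime(2018, 9, 14, tzinfo=timezone.utc)
    for h in range(24):
        for i in range(1 + h % 3):
            ts = start + timedelta(hours=h, minutes=5 * i)
            lines.append(f"{ts.isoformat()} user{i} video_upload user{i}")
    burst = start + timedelta(hours=24)
    for i in range(40):
        ts = burst + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} scripted_actor video_upload victim{i}")
    return lines


def parse(line: str):
    ts, actor, action, target = line.split()
    return datetime.fromisoformat(ts), actor, action, target


def hour_of(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_upload_counts(lines) -> Counter:
    """Uploads per hour; hours with no uploads are kept as zero so gaps count."""
    counts = Counter()
    for line in lines:
        ts, _, action, _ = parse(line)
        if action == "video_upload":
            counts[hour_of(ts)] += 1
    hour, last = min(counts), max(counts)
    while hour <= last:
        counts.setdefault(hour, 0)
        hour += timedelta(hours=1)
    return counts


def find_spikes(counts, window: int = 12, factor: float = 5.0, min_count: int = 10):
    """Flag an hour whose count is at least `factor` x the median of the previous
    `window` hours and at least `min_count`, so a near-zero baseline cannot alert
    on a handful of uploads. Returns (hour, count, baseline) tuples."""
    hours = sorted(counts)
    alerts = []
    for i in range(window, len(hours)):
        baseline = median(counts[h] for h in hours[i - window:i])
        if counts[hours[i]] >= max(min_count, factor * baseline):
            alerts.append((hours[i], counts[hours[i]], baseline))
    return alerts


def actor_fanout(lines, hour: datetime, min_targets: int = 10) -> dict:
    """Second heuristic (an assumption here, not one the decision describes):
    within the flagged hour, actors uploading against many distinct accounts."""
    targets = defaultdict(set)
    for line in lines:
        ts, actor, action, target = parse(line)
        if action == "video_upload" and hour_of(ts) == hour:
            targets[actor].add(target)
    return {a: len(t) for a, t in targets.items() if len(t) >= min_targets}


def run() -> dict:
    lines = make_sample_log()
    spikes = find_spikes(hourly_upload_counts(lines))
    return {
        "spikes": spikes,
        "fanout": {hour: actor_fanout(lines, hour) for hour, _, _ in spikes},
    }


if __name__ == "__main__":
    result = run()
    for hour, count, baseline in result["spikes"]:
        print(f"{hour:%Y-%m-%d %H:00}: {count} uploads vs hourly baseline {baseline}")
        print(f"  high fan-out actors: {result['fanout'][hour]}")
```

On the constructed log the rate check alone flags the burst hour; the fan-out check is what distinguishes a scripted actor working through many accounts from a legitimate surge in uploads by many users, which a volume-only alert cannot do.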