Meta has been fined €251 million (about $263 million) for a Facebook security breach that affected millions of users and that the company disclosed in September 2018.
Ireland’s Data Protection Commission (DPC) issued the fine on Tuesday in line with the EU’s General Data Protection Regulation (GDPR). It is not the biggest GDPR fine Meta has received since the rules went into effect more than five years ago, but it is a significant punishment for a single security breach.
The breach stemmed from a video upload feature released in July 2017, when the company was still called Facebook, which interacted with the “View As” tool that lets users see their own Facebook page as another user would.
Because of a design bug, people who used the feature could combine the video uploader with Facebook’s “Happy Birthday Composer” feature to obtain a fully authorised user access token that let them see the other user’s entire Facebook profile. Then, according to the DPC, they could use that token to invoke the same set of features on other accounts, giving them unauthorised access to many users’ profiles and data.
Unauthorised parties used scripts to exploit this Facebook flaw between September 14 and September 28, 2018, gaining access to about 29 million Facebook accounts worldwide, acting as the account holder. About 3 million of these accounts were based in the EU/European Economic Area, which brought them within the DPC’s enforcement powers.
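The design failure described above is a preview feature that hands out a full-privilege token for the viewed user, which can then be chained from one account to the next. The following is an added illustration, not Facebook’s code and not based on its internals: a constructed token model in which the weak “View As” minter reuses the ordinary session-token path for the viewed user, placed beside a hardened one that keeps the token bound to the viewer, scoped to read-only rendering of a single profile, short-lived, and refused by the “View As” endpoint itself so it cannot be chained. All names, scopes and the signing key are assumptions for the example.

```python
import hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key, constructed for this example

def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def _verify(token: str) -> dict:
    body_hex, mac = token.split(".")
    body = bytes.fromhex(body_hex)
    if not hmac.compare_digest(mac, hmac.new(SECRET, body, hashlib.sha256).hexdigest()):
        raise PermissionError("bad token signature")
    return json.loads(body)

def mint_session_token(user: str) -> str:
    """Ordinary login token: acts as `user` for any action."""
    return _sign({"sub": user, "scope": "full"})

def mint_view_as_weak(viewer: str, viewed: str) -> str:
    # Weak design: the preview path reuses the session minter for the *viewed*
    # user, so the viewer walks away with a token that acts as someone else.
    return mint_session_token(viewed)

def mint_view_as(viewer: str, viewed: str, ttl: int = 60) -> str:
    # Hardened design: the token stays bound to the viewer, names the single
    # profile it may render, permits only that read-only action, and expires.
    return _sign({"sub": viewer, "act_as": viewed, "scope": "profile:preview",
                  "exp": int(time.time()) + ttl, "nonce": secrets.token_hex(8)})

def authorize(token: str, action: str, account: str) -> bool:
    """Return True if `token` may perform `action` on `account`."""
    c = _verify(token)
    if c["scope"] == "full":
        return c["sub"] == account                      # own account only
    if c["scope"] == "profile:preview":
        return (action == "read_profile" and account == c["act_as"]
                and time.time() < c["exp"])
    return False

def view_as_with(token: str, viewed: str, minter=mint_view_as):
    """The 'View As' endpoint: only a full session token may call it.
    With the weak minter the preview token *is* a full token, so a caller
    can chain from one account to the next; with the hardened minter the
    preview token is refused here and the chain stops."""
    c = _verify(token)
    if c["scope"] != "full":
        return None
    return minter(c["sub"], viewed)
```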
The breach affected many types of personal information, such as full names, email addresses, phone numbers, locations, places of work, times of birth, religion, gender, posts on timelines, groups that the person was a part of, and personal information about children.
The large amount of personal data affected likely contributed to the size of the fine.
Two Decisions About Enforcement
The Irish regulator made a final decision on Tuesday on two enquiries it opened into the 2018 incident. One decision is about Meta’s breach notification, as the GDPR requires that all major security incidents be reported quickly and in full. The second decision is about the rules on data protection by design and default.
In both cases, the DPC found that Meta had broken the bloc’s GDPR.
Here is how the full penalty breaks down. Under the first decision, Meta was fined €11 million: the DPC said that Meta’s breach notification did not contain all the information it “could and should have had,” and that the company did not fully document the facts of the breach and the steps it took to remedy it.
Under the second decision, Meta was fined a further €240 million. Here the DPC found that the company broke the GDPR rules on data protection by design because it did not have the right safeguards in place to protect people’s data from being processed without their permission.
In a statement, DPC deputy commissioner Graham Doyle said, “This enforcement action shows how people can be put at great risk when data protection rules aren’t built in during the whole design and development process.” He went on to say that this could include a threat to their basic rights and freedoms.
“People’s Facebook profiles often, if not always, include details about their sexual life or orientation, political or religious beliefs, and other things that they may not want everyone to see.” The weaknesses that led to this breach made it possible for personal information to be seen by people who weren’t supposed to see it. This created a high risk of misuse of this kind of data.
Another notable aspect of this enforcement action is that peer authorities raised no objections to Ireland’s draft decision. The DPC is now led by two commissioners, Dr. Des Hogan and Dale Sunderland, who took over from Helen Dixon, the sole commissioner until earlier this year.
It said in a press release, “The DPC is grateful for the cooperation and help of its peer EU/EEA supervisory authorities in this case.”
Critics of the DPC under Dixon said the regulator regularly under-enforced the GDPR against Meta and other tech giants, and its peers did not always agree with its draft decisions on Big Tech at the time. A number of enforcement actions against Meta involved very long dispute proceedings, and in some cases the process had to be ended by a legally binding ruling from the European Data Protection Board.
It’s interesting that this latest action against Meta, which the DPC says was sent to the GDPR cooperation mechanism in July 2024 as a draft decision, went through without any problems.
When asked about the penalty, Meta spokeswoman Emily Westcott sent an email in which the company said, “This decision is about an event that happened in 2018. The problem was fixed right away after it was found, and we told those affected as well as the Irish Data Protection Commission without delay. We have a lot of measures in place to protect people on all of our sites that are the best in the business.”
Back in September, the DPC made another decision against Meta, this time over a 2019 security breach. The company was fined €91 million because “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.