Ireland

Meta Platforms Ireland Limited

251,000,000 €

GDPR enforcement action by Data Protection Authority of Ireland on 2024-12-17.

Rank · Sector
#8 of 366 in Media, Telecoms and Broadcasting
Rank · Ireland
#8 of 36
Rank · All fines
#9 of 3,039

Case details

Authority
Data Protection Authority of Ireland
Date
2024-12-17
Controller / Processor
Meta Platforms Ireland Limited
Sector
Media, Telecoms and Broadcasting
Quoted Articles
Art. 33 (3), (5) GDPR, Art. 25 (1), (2) GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children's data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Meta had violated Art. 33 GDPR (EUR 11 million) because, among other things, information was missing from the data breach notification. The DPC also found violations of Art. 25 GDPR (EUR 240 million), concluding that Meta had failed to ensure that data protection principles were implemented in the design of its processing systems and had failed in its obligation as a controller to ensure that, by default, only personal data necessary for specific purposes are processed.
