Meta fined €91 million in Ireland due to a lack of security in respect of users’ passwords

On 27 September 2024, the Irish Data Protection Commission (DPC) announced its Decision to fine Facebook’s parent company, Meta Platforms Ireland Limited (Meta, or, as defined by the DPC, “MPIL”), €91 million following an inquiry launched in April 2019.

In short, the Decision¹, which was made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, and notified to MPIL, concerns the following corrective powers:

1. A reprimand pursuant to Article 58(2)(b) GDPR; and
2. Administrative fines totalling €91 million pursuant to Articles 58(2)(i) and 83 GDPR.

The fine has been issued on the basis of Meta’s inadequate storage of users’ passwords, in violation of GDPR obligations in relation to technical and organisational measures, and integrity and confidentiality.

Background to the Decision 

In March 2019, the DPC received a notification from Meta that it had “inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).” Meta also published information regarding the incident, although it is understood that the passwords were not made available to external parties, and that there were no signs of internal abuse. 

As Meta is headquartered in Ireland, the DPC acted as Lead Supervisory Authority in the investigation. The scope of the inquiry concerned Meta’s compliance with the GDPR and in particular:

1. Whether measures had been implemented “to ensure a level of security appropriate to the risks associated with the processing of passwords”; and 
2. Whether Meta had complied with “obligations to document, and notify the DPC of, personal data breaches.”

Article 60 of the GDPR regulates the cooperation procedure between the Lead Supervisory Authority and the other Concerned Supervisory Authorities.

Accordingly, the DPC submitted a draft decision to other Concerned Supervisory Authorities across the EU/EEA in June 2024, pursuant to Article 60 of the GDPR. No objections to the draft decision were raised by the other authorities. 

The violation 

The GDPR requires data controllers to implement adequate security measures to ensure the integrity and confidentiality of personal data, “taking into account factors such as the risks to service users and the nature of the data processing.” The DPC noted that “data controllers should evaluate the risks inherent in the processing and implement measures to mitigate those risks”, and that this decision “emphasises the need to take such measures when storing user passwords.”

The DPC’s Decision records the following four findings of infringement of the GDPR:

• “Article 33(1) GDPR, as MPIL failed to notify the DPC of a personal data breach concerning storage of user passwords in plaintext;
• Article 33(5) GDPR, as MPIL failed to document personal data breaches concerning the storage of user passwords in plaintext;
• Article 5(1)(f) GDPR, as MPIL did not use appropriate technical or organisational measures to ensure appropriate security of users’ passwords against unauthorised processing; and
• Article 32(1) GDPR, because MPIL did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the ability to ensure the ongoing confidentiality of user passwords.”

As above, a fine of €91 million and a reprimand was issued by the DPC to Meta.

Comment 

• Overall, the Decision concerns, inter alia, the GDPR principles of integrity and confidentiality. It highlights the requirements for data controllers to implement appropriate technical security measures when processing personal data, taking into account factors such as the risks to service users and the nature of the data processing.
• In order to maintain security, data controllers should evaluate the inherent risks when storing user passwords and implement measures to mitigate those risks.

Meta and the DPC have a history with regard to GDPR fines:

• In March 2022, the DPC found that Meta had violated Articles 5(2) and 24(1) GDPR for not having appropriate technical and organisational measures in place to protect EU users' data, following 12 personal data breaches that took place between 7 June 2018 to 4 December 2018. Meta was fined €17 million. 
• In September 2022, the DPC fined Meta €405 million for violations of Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24, 25(1), 25(2), and 35(1) of the GDPR, following an inquiry into the processing of personal data of Instagram users under the age of 18.
• In November 2022, Meta received a €265 million fine, due to its non-adherence to the principles of Data Protection by Design and Default, pursuant to Article 25 GDPR. 
• In December 2022, Meta was fined €390 million by the DPC (€210 million for GDPR breaches relating to Facebook, along with €180 million for breaches relating to Instagram), due to complaints concerning the way in which users had to accept changes to the platform’s Terms of Service.
• In May 2023, Meta received the highest GDPR fine to date – €1.2 billion – from the DPC due to the transfer of data from the EU to the US in absence of applicable safeguards, in violation of Article 46(1) GDPR. 

However, Meta has issued several claims against the DPC in the Irish High Court. 

For example, by way of claims filed in June 2023, Meta issued a statutory appeal and judicial review of the DPC’s decision concerning US data transfers and the €1.2 billion fine imposed.

In another case, Meta issued statutory and judicial review proceedings in January 2023 against the €265 million fine imposed by the DPC. This matter was adjourned, as requested by Meta, in a judgment² handed down by the Irish High Court on 10 May 2024, pending the outcome of WhatsApp’s appeal to the Court of Justice of the European Union concerning the European Data Protection Board’s interpretation of Article 83(3) – which addresses the general conditions for imposing administrative fines.

The final outcome and impact of these claims, and others, remains to be seen. 

Given the vast amount of data that technology companies process, their conduct more naturally invites regulatory interest across the EU/EEA. For instance, in the DPC’s 2023 Annual Report, it explained that, “…In addition to engagement with other EU/EEA Supervisory Authorities in the context of complaints and inquiries, on some 100 occasions…the DPC provided written updates to all other authorities on impending internet/ social media platform product or service launches in the EU and invited their input on identifying any data protection concerns...”. 

More recently, both the DPC and the UK Information Commissioner’s Office (ICO), have been interested in Meta’s plans to train its AI on Facebook and Instagram data. After plans were paused in June 2024, Meta has proceeded under a new framework, although the ICO stated that it has not “provided regulatory approval for the processing” and that it “is for Meta to ensure and demonstrate ongoing compliance."

In the context of the DPC’s recent Decision, the regulator has emphasised that the measures in place were not good enough – DPC Deputy Commissioner, Graham Doyle, commented that, “[i]t is widely accepted that user passwords should not be stored in plaintext.” In this case, the passwords were “particularly sensitive, as they would enable access to users’ social media accounts."

The DPC’s full Decision will be published in due course, which should provide some further discourse on the issues considered and the regulator’s reasoning. A separate update will be prepared in respect of this.

For more information, please contact a member of our Litigation or Privacy & Data Teams.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

¹The DPC’s announcement is available here.

²Meta Platforms Ireland Limited v Data Protection Commission [2024] IEHC 264