The Irish Data Protection Commission (DPC) has announced its final decision in two inquiries into Meta Platforms Ireland Limited (MPIL), levying a combined €251 million in fines for GDPR violations related to a 2018 Facebook data breach. The incident, which compromised sensitive user information, arose from the unauthorized exploitation of user tokens on the Facebook platform.
Meta reported the breach in September 2018, revealing that approximately 29 million accounts were impacted worldwide. Of those, 3 million users were based within the EU/EEA. The compromised data included users’ full names, email addresses, phone numbers, locations, workplaces, dates of birth, religious affiliations, genders, posts, group memberships, and even children’s personal data. The breach, which posed significant risks to individuals’ privacy, was quickly mitigated by Meta and its US parent company following the discovery.
The decision was reached by Commissioners Dr. Des Hogan and Dale Sunderland, who found Meta in violation of several key GDPR provisions:
- Article 33(3) GDPR: Meta failed to include all necessary information in its breach notification, resulting in an €8 million fine.
- Article 33(5) GDPR: Meta did not adequately document the breach facts or remediation steps, incurring a €3 million penalty.
- Article 25(1) GDPR: Meta failed to integrate data protection principles into the design of its processing systems, leading to a €130 million fine.
- Article 25(2) GDPR: Meta did not adhere to the principle of “data minimization by default,” incurring a €110 million penalty.
Graham Doyle, DPC Deputy Commissioner, underscored the significance of this enforcement action, warning about the risks posed when privacy safeguards are neglected during system design. “Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances,” Doyle stated. “The vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
The DPC’s decision follows a GDPR cooperation process launched in July 2024, during which no objections were raised by peer EU/EEA supervisory authorities. The regulator acknowledged the collaborative efforts of its counterparts in finalizing the ruling.
A costly day for Meta
This substantial €251 million fine comes on the same day as news of Meta agreeing to a $50 million settlement for Australian Facebook users affected by the Cambridge Analytica scandal, as reported earlier. Combined, these cases highlight Meta’s ongoing global regulatory challenges and the financial consequences of past data privacy failures.
The fine highlights the critical importance of integrating data protection “by design and by default” under GDPR, especially for companies handling large amounts of sensitive user data. Organizations must prioritize privacy safeguards in system development, thoroughly document breaches and their remedies, and ensure timely, comprehensive reporting to regulators. For Meta, this decision represents another major regulatory setback, underscoring the need for continued improvements to avoid further scrutiny and financial penalties. The full text of the Irish DPC’s decision will be published soon, offering deeper insight into the case.