Meta slapped with €251M fine for exposing 29M users’ data in 2018 breach

Published 19 Dec 2024

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has been fined €251 million (approximately $263 million) by the Irish Data Protection Commission (DPC) for a data breach in 2018 that exposed the personal information of 29 million users. Among the affected accounts, 3 million belonged to users in the European Union, where strict data protection laws apply.

The breach and Meta’s response

The 2018 breach exploited a vulnerability in Facebook’s “View As” feature, a tool that allows users to see how their profiles appear to others. Hackers used this flaw to obtain account access tokens, enabling them to view sensitive user information. This included names, email addresses, phone numbers, places of work, posts, and even children’s data. The feature has since been removed; however, Meta has yet to face the repercussions.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” DPC Deputy Commissioner Graham Doyle said in a statement. “By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Meta said it has plans to appeal the decision, arguing that it had complied with the General Data Protection Regulation (GDPR) in addressing the breach swiftly. “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission,” Meta spokeswoman Emily Westcott said.

A history of fines and regulatory challenges

This is not the first time Meta has faced significant penalties for privacy violations. The company has been fined nearly $3 billion in total by the EU for various breaches.

This year alone, Meta was fined €1.2 billion in May for transferring European user data to the United States, a violation of GDPR’s data transfer restrictions. In September, it faced another €91 million penalty for storing passwords in ‘plaintext’ on its internal systems. The DPC also fined Meta for breaching children’s privacy on Instagram. These recurring issues have intensified calls for stricter oversight of the tech giant.

The fine highlights the importance of the GDPR, which has influenced data protection laws worldwide. The regulation’s stringent requirements have set a benchmark for holding companies accountable.

As Meta contemplates its appeal, the case highlights the challenges tech companies face in balancing innovation with compliance. However, given the sheer scale of Meta’s expected annual revenue, the financial impact may be manageable. For users, it serves as a reminder of the ongoing risks to digital privacy in an increasingly connected world.