On December 17, the EU regulator imposed another €251 million ($263.5 million) fine on Meta for a 2018 data breach affecting 29 million users.
Since Meta’s European headquarters are in Dublin, it is the Irish data protection regulator (DPC) that handles complaints about its services. To date, the DPC has fined Meta nearly €3 billion for violations under the EU’s General Data Protection Regulation (GDPR) adopted in 2018. This includes a record €1.2 billion fine in 2023, which Meta appealed.
- At the end of 2022, Meta was fined €265 million by a European regulator in Ireland: https://cpa.rip/en/news/ireland-meta-penalization/.
- In 2023, the regulator fined Meta €390 million: https://cpa.rip/en/news/meta-violations-processing-of-personal-data/.
The Irish Data Protection Commission issued the fine after completing an investigation into a hack involving three different bugs in Facebook’s “View As” feature, which allows people to see how their profiles are displayed to others. The vulnerability was used to steal access tokens from the accounts of people whose profiles appeared in search queries using the “View As” feature.
The vulnerability leaked personal data including users’ full names, contact details, location, workplace, date of birth, religious beliefs, gender, and personal details of their children, the DPC said in a statement. Of the 29 million Facebook accounts affected worldwide, about 3 million were in the EU and the European Economic Area.
“By allowing unauthorized access to profile information, these vulnerabilities created a serious risk of misuse of this type of data,” DPC Deputy Commissioner Graham Doyle said.
Meta said it intends to challenge the €251 million fine, noting that the company employs a broad set of measures to protect users on its platforms.
“We took immediate action to rectify the problem as soon as it was identified and actively notified affected users as well as the Irish Data Protection Commission,” a Meta spokesperson said in an official statement.
More information has been published on the regulator’s website.
