Penalty Finally Issued in 2018 Privacy Breach Case as Meta Gets €251 Million GDPR Fine

A 2018 Facebook privacy breach incident that first drew complaints just after the GDPR went into force has finally resulted in the issuance of a penalty. The €251 million GDPR fine stems from a flaw in the platform’s “View All” feature that allowed anyone to access private profile information, sometimes of a sensitive nature.

The incident took place so long ago that Meta had not yet transitioned to its present name. The penalty was issued by Ireland’s Data Protection Commission (DPC), which was the lead investigating body and has been repeatedly criticized in the past for being slow to render judgements involving big tech firms that reside in its territory.

Meta GDPR fine total inches closer to €3 billion since 2018

The 2018 privacy breach ultimately impacted about 29 million Facebook users in total, with unauthorized parties using a set of glitches to exploit the feature and view information that would normally not be public-facing. For about 15 million users this consisted of their full name and contact information. For an additional 14 million it went further: the types of devices they used, their employment and education history, their birthdate, location check-ins, other Facebook pages they had viewed, recent searches on the platform and their listed religious preference were also exposed. In a US court filing, Facebook was accused of knowing about the flaw for years but only providing protection from it to its employees.

However, only about three million of the overall count of impacted users were found to be in the EU or the European Economic Zone. The actual privacy breach window was also fairly narrow, with the bad actors racking up the stolen information from September 14 to 28 of 2018 (though the vulnerability is thought to have been present since at least July 2017). The penalty is nevertheless substantial, adding a big chunk to a total of almost $3 billion in GDPR fines for Meta racked up since the act went into force (though over $1.2 billion of that remains under appeal).

While the privacy breach appears to be another case of the Irish DPC taking a very long time with its investigation, the agency says that it submitted its draft decision for the GDPR fine in September of this year and that the proposed penalty met with no objection from the bloc’s other privacy regulators. The DPC found that Facebook had failed to provide all required information in its breach notification and to document the steps it took to remedy the issue, in violation of Article 33 of the GDPR, and had failed to limit processing of personal data to only that which is necessary and to ensure that data protection principles were built into the design of its processing systems, in violation of Article 25.

Old privacy breaches continue to haunt Meta

The Irish DPC seems to finally be clearing out a backlog of privacy breach complaints against Meta and its associated companies, with the agency also reaching a decision in September that delivered a €91 million GDPR fine to the company over a failure to adequately protect user passwords in 2019. In that case, millions of user Facebook and Instagram passwords were stored internally in plain text and visible to thousands of employees.

The step-up in resolution of these old cases may have something to do with the appointment of a new chairperson to the DPC this year. Since Des Hogan took the reins in February, this has been the third such GDPR fine issued to a Dublin-dwelling big tech platform; LinkedIn also received one for €10 million in October over its use of targeted advertising. Hogan was joined by another new commissioner at the time, Dale Sunderland, with Minister for Justice Helen McEntee noting during their appointments that the agency’s role was expanding and that it faced a “significant body of work.” Former chair Helen Dixon had been the sole commissioner for most of the GDPR period, with Hogan first being added to the DPC in mid-2022; a third chair established at that time remains vacant despite the flurry of recent GDPR fine activity. In early 2023 the DPC was criticized by the European Data Protection Board (EDPB) for failing to perform its privacy breach enforcement responsibility with “due diligence.”

The new GDPR fine also continues a general pattern of Meta and its component companies receiving penalties around the globe for incidents that can date back years, as regulations and enforcement gradually catch up with them. Meta also recently settled a privacy breach case with the Australian Information Commissioner (OAIC) that ties back to the Cambridge Analytica scandal. The company agreed to pay $50 million AUD for the infamous breach associated with the “Your Digital Life” app that took place from November 2, 2013 to December 17, 2015.