
Ireland Slaps Meta with €251M Fine for GDPR Violations in 2018 Breach

Ireland’s DPC penalizes Meta €251M for failing to protect user data in a Facebook breach exposing sensitive personal details.


Meta Platforms, the parent company of Facebook, has been fined €251 million ($264 million) by Ireland’s Data Protection Commission (DPC) for a 2018 data breach that exposed sensitive user information.

The breach, which exploited a flaw in Facebook’s “View As” feature, affected 29 million accounts worldwide, including 3 million within the European Union. The penalty shows the growing importance of data protection regulations under the EU’s General Data Protection Regulation (GDPR).

What Happened in the 2018 Breach

The breach originated from Facebook’s “View As” feature, a tool designed to let users preview how their profiles appeared to others. Attackers combined this feature with a video uploader tool, and the combination caused Facebook’s system to issue user access tokens, the digital keys that grant full access to a user’s account, for the profile being previewed.

These tokens enabled unauthorized access to personal information, including names, phone numbers, email addresses, and sensitive data such as religious beliefs and political affiliations.

By allowing the video uploader tool to generate fully permissioned user tokens, Facebook’s system inadvertently created a cascading vulnerability. Such tokens, intended as secure authentication mechanisms, became the gateway for attackers to access millions of profiles.
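The design lesson the regulator draws from this, that a sub-feature must not be able to mint credentials more powerful than its purpose needs, can be illustrated with a small access-token model. The following Python is an added example written for this article; it is not Facebook’s code and makes no claim about how the real “View As” or uploader features were implemented. The scope names, the five-minute preview lifetime and the token fields are all assumptions chosen for the illustration. It shows a flawed minting path that hands a preview feature a full, unbound token for the account being previewed, next to a hardened path that binds the token to the viewer, limits it to a read-only scope, labels its purpose and expires it quickly, with an authorization check and an audit trail of denials.

```python
import secrets
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Scope names are constructed for this illustration, not a real platform's permission model.
FULL_SCOPES = frozenset({"profile:read", "profile:write", "messages:read", "posts:write"})
PREVIEW_SCOPES = frozenset({"profile:read"})
PREVIEW_TTL_SECONDS = 300          # assumed lifetime of a preview token
SESSION_TTL_SECONDS = 24 * 3600    # assumed lifetime of a login session token


@dataclass(frozen=True)
class AccessToken:
    subject: str                 # account the token grants access to
    holder: Optional[str]        # principal allowed to present it (None = unbound, anyone may use it)
    scopes: FrozenSet[str]       # actions the token permits
    purpose: str                 # why it was minted: "session" or "view_as"
    expires_at: float            # unix time after which the token is dead
    value: str = field(default_factory=lambda: secrets.token_hex(16))


def mint_session_token(user: str, now: float) -> AccessToken:
    """Ordinary login token: full permissions for the account owner, bound to that owner."""
    return AccessToken(user, user, FULL_SCOPES, "session", now + SESSION_TTL_SECONDS)


def mint_view_as_token_flawed(viewer: str, subject: str, now: float) -> AccessToken:
    """Weak design (the failure class the article describes): the preview feature
    reuses the generic login path, so the viewer receives a token for the *subject*
    with every scope, no holder binding and a full session lifetime."""
    base = mint_session_token(subject, now)
    return AccessToken(base.subject, None, base.scopes, "session", base.expires_at)


def mint_view_as_token(viewer: str, subject: str, now: float) -> AccessToken:
    """Hardened design: the preview token is read-only, bound to the viewer who
    requested it, labelled with its purpose and short-lived."""
    return AccessToken(subject, viewer, PREVIEW_SCOPES, "view_as", now + PREVIEW_TTL_SECONDS)


# Denied requests are recorded so that misuse of preview tokens is visible to detection.
AUDIT_LOG: List[dict] = []


def authorize(token: AccessToken, presenter: str, action: str, now: float) -> Tuple[bool, str]:
    """Decide whether `presenter` may perform `action` with `token` at time `now`.
    Returns (allowed, reason); every denial is appended to AUDIT_LOG."""
    reason = "ok"
    if now >= token.expires_at:
        reason = "expired"
    elif token.holder is not None and presenter != token.holder:
        reason = "holder mismatch"
    elif action not in token.scopes:
        reason = "scope missing"
    if reason != "ok":
        AUDIT_LOG.append({"presenter": presenter, "subject": token.subject,
                          "purpose": token.purpose, "action": action, "reason": reason})
    return reason == "ok", reason


def preview_token_denials() -> List[dict]:
    """Audit query: denials involving preview tokens, i.e. a preview credential being
    pushed beyond its purpose. A spike here is a detection signal worth alerting on."""
    return [entry for entry in AUDIT_LOG if entry["purpose"] == "view_as"]


if __name__ == "__main__":
    now = 1_000_000.0
    flawed = mint_view_as_token_flawed("alice", "bob", now)
    print("flawed token, read bob's messages:", authorize(flawed, "alice", "messages:read", now))
    hardened = mint_view_as_token("alice", "bob", now)
    print("hardened token, read bob's profile:", authorize(hardened, "alice", "profile:read", now))
    print("hardened token, read bob's messages:", authorize(hardened, "alice", "messages:read", now))
    print("hardened token, presented by someone else:", authorize(hardened, "mallory", "profile:read", now))
    print("hardened token, after expiry:", authorize(hardened, "alice", "profile:read", now + 301))
    print("audit entries for preview tokens:", len(preview_token_denials()))
```

The point of the two minting functions sitting side by side is that the token format is identical; only the policy applied at minting time differs. With the flawed path, a preview request yields a credential that is indistinguishable from the subject’s own login session, so no downstream check can tell the two apart. With the hardened path, the holder binding, the purpose label and the narrow scope give the authorization layer three independent reasons to refuse misuse, and the audit entries give a defender something concrete to monitor.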

Between September 14 and 28, 2018, attackers exploited the vulnerability, accessing millions of user accounts. Facebook’s security team discovered the issue after noticing unusual video upload activity. The company promptly disabled the affected features, notified regulators, and contacted users whose accounts were compromised.

This technical failure reflects broader criticisms of Meta’s approach to system design. Regulators have consistently called for companies to prioritize privacy and security from the outset, rather than addressing issues reactively after breaches occur.

Related: Microsoft owned LinkedIn Fined €310M for EU Privacy Violations

The DPC’s Findings and Penalties

After a thorough investigation, the DPC found Meta in violation of several GDPR articles. The largest fines were issued for failing to implement adequate data protection measures during system design and default settings:

  • Article 25(1): A €130 million fine for failing to integrate sufficient safeguards into Facebook’s system architecture.
  • Article 25(2): A €110 million fine for insufficient measures ensuring minimal data processing by default.
  • Articles 33(3) and 33(5): An additional €11 million for providing incomplete breach notifications and inadequate documentation of remedial actions.

In a statement, Deputy Commissioner Graham Doyle explained, “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.

Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Related: Austrian NOYB Group Accuses Microsoft of GDPR Breaches in Education

Meta has announced its intention to appeal the decision. A company spokesperson stated, “We took immediate action to fix the problem as soon as it was identified, and we proactively informed both impacted users and the Irish Data Protection Commission.”

While Meta emphasizes the measures it took in response to the breach, regulators argue that these actions do not absolve the company of systemic flaws in its data protection practices.

Meta’s History of Data Privacy Failures and Anticompetitive Practices

The €251 million fine is part of a broader pattern of regulatory actions against Meta. One of the company’s most infamous privacy scandals, the Cambridge Analytica case, involved the unauthorized harvesting of data from 87 million Facebook users.

The data was used to influence elections, leading to a $725 million settlement in a U.S. class-action lawsuit. The fallout from Cambridge Analytica permanently shifted public perceptions of Facebook’s commitment to user privacy.

Subsequent GDPR fines have further illustrated Meta’s compliance struggles. These include a €390 million penalty for mishandling children’s Instagram accounts and a record €1.2 billion fine in 2023 for improper data transfers between the EU and the United States. Collectively, these cases highlight recurring weaknesses in Meta’s approach to privacy and security.

Overview of major regulatory actions against Meta (scandal or fine, year, amount, details, impact):

  • Anticompetitive integration of Facebook Marketplace (2024, €800 million): Meta’s decision to bundle its classified ads service with the social media platform created an unfair market advantage, restricting competition in the digital marketplace sector. Impact: On November 12, 2024, Meta rolled out a new ad format across Europe aimed at meeting EU compliance requirements. Users now have the option to view less personalized ads that only use session-based data.
  • Cambridge Analytica scandal (2018, $725 million): Data from 87 million Facebook users acquired and exploited without consent. Impact: Erosion of user trust, increased scrutiny of data privacy practices, changes to platform policies.
  • GDPR violation (personalized ads) (2023, €390 million / $414 million): Meta prohibited from requiring users to accept personalized ads as a condition of service. Impact: Set a precedent for data usage for advertising, potential impact on Meta’s revenue model.
  • Instagram GDPR violations (2023, €390 million / $414 million): Children’s accounts automatically set to public; teenagers with business accounts could make contact information public. Impact: Highlighted the need for greater protection of children’s data on social media.
  • WhatsApp GDPR violation (2023, $267 million): Lack of transparency in data processing and usage. Impact: Emphasized the importance of clear communication with users about data practices.
  • Giphy takeover investigation (2020–2021, £50.5 million): Fine for non-compliance with the CMA during the investigation. Impact: Demonstrated increased scrutiny of Big Tech acquisitions and their potential impact on competition.
  • 2018 data breach (2018, €251 million / $263 million): Data breach affecting 29 million Facebook accounts. Impact: Damaged Meta’s reputation, increased scrutiny of its security practices.
  • Australian privacy violation case (2023, $50 million): Meta published scam ads featuring public figures without their consent. Impact: Highlighted the responsibility of social media companies to prevent misleading content.

The GDPR, enacted in 2018, has become a global benchmark for privacy legislation, influencing laws in jurisdictions such as California. Under GDPR, companies can face fines of up to 4% of their global revenue for noncompliance. For Meta, which so far has been fined nearly €3 billion under GDPR enforcement, the regulation has created significant financial and reputational challenges.

Beyond the EU, Meta’s regulatory troubles extend to other regions. In Australia, the company paid $50 million for running scam ads featuring public figures. In the UK, it faced a £50.5 million fine for breaching rules during its acquisition of Giphy. These cases reflect growing global momentum to hold Big Tech accountable for privacy and competition violations.

Related: Google Fails to Overturn €2.4 Billion EU Antitrust Fine

Implications for the Broader Tech Industry

Meta’s repeated fines serve as a cautionary tale for the tech industry. As regulators worldwide adopt stricter data protection laws, companies are under increasing pressure to prioritize user privacy. The GDPR’s enforcement mechanisms are likely to inspire similar frameworks globally, compelling tech firms to adopt proactive compliance measures.

However, Meta’s recurring lapses suggest deeper governance issues that must be addressed. Critics argue that the company’s focus on growth and monetization often comes at the expense of user security—a balance that regulators and consumers are increasingly unwilling to accept.

While Meta has made efforts to improve its security infrastructure, its history of fines and scandals raises questions about the effectiveness of these measures.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master’s degree in International Economics and is the founder and managing editor of Winbuzzer.com.
