Meta Platforms Ireland Limited – €251,000,000 Fine (Ireland, 2024)

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children's data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Meta had violated Art. 33 GDPR (EUR 11 million), as information was missing from the data breach notification, for example. The DPC also found violations of Art. 25 GDPR (EUR 240 million), concluding that Meta had failed to ensure that data protection principles were protected in the design of processing systems and had failed in its obligations as a controller to ensure that, by default, only personal data that are necessary for specific purposes are processed.