Meta Platforms Ireland Limited – €91,000,000 Fine (Ireland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
This decision is the final result of an inquiry launched in April 2019 after Meta Platforms Ireland Limited (MPIL) notified the DPC of the personal data breach. MPIL notified the DPC that it had inadvertently stored passwords of social media users in plaintext on its internal systems, without cryptographic protection or encryption. According to the DPC press release, the passwords were not made available to external parties.

The DPC submitted a draft decision under Article 60 GDPR to the other Concerned Supervisory Authorities across the EU/EEA in June 2024, and no objections were raised by the other authorities.

The DPC found the following violations:

1. Article 33(1) GDPR, for failure to notify the DPC of the data breach concerning the storage of user passwords in plaintext.
2. Article 33(5) GDPR, for failure to document personal data breaches concerning the storage of user passwords in plaintext.
3. Article 5(1)(f) GDPR, for failure to implement appropriate technical and organisational measures to secure users’ passwords against unauthorized processing.
4. Article 32(1) GDPR, for failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the confidentiality of user passwords.

Highlighting that an unaddressed personal data breach can result in damage such as loss of control over personal data, the DPC reprimanded MPIL pursuant to Article 58(2)(b) GDPR and issued a fine of €91 million pursuant to Article 58(2)(i) and Article 83 GDPR.
Fine
€91.0M
Details
Fine Date: 27 September 2024
Authority: Data Protection Commission
Fine Amount: €91,000,000
GDPRhub ID: gdprhub-8328
Cite as: Cookie Fines. Meta Platforms Ireland Limited - Ireland (2024). Retrieved from cookiefines.eu