Reset your clocks: Meta has once again been hit with a major privacy penalty in Europe. On Friday, Ireland’s Data Protection Commission (DPC) announced a substantial €91 million fine — roughly $101.5M — following a multi-year investigation into a significant 2019 security breach involving Facebook, Meta’s flagship platform.
The breach, which came to light in 2019, revealed that hundreds of millions of Facebook users’ passwords were stored in plaintext on Meta’s servers, a glaring security failure by any standard. Under the General Data Protection Regulation (GDPR), this mishandling of sensitive information — especially unencrypted passwords — is a clear violation, leaving Meta vulnerable to regulatory action across the European Union.
The Breach and Investigation
The DPC, Meta’s lead regulator for GDPR compliance, opened its statutory inquiry into the breach in April 2019 after the company, then still operating under the Facebook name, notified it of the massive lapse in password protection. According to Meta’s disclosure, hundreds of millions of passwords were inadequately stored, leaving them open to potential misuse. These plaintext passwords could have exposed users to security risks, including unauthorized access to their social media accounts.
After a thorough investigation, the DPC determined that Meta failed to uphold GDPR standards, as the passwords were not encrypted. Encryption is a fundamental security measure, designed to protect sensitive data and shield it from third-party access. By leaving the passwords readable, Meta had not sufficiently protected its users’ personal data.
GDPR Non-Compliance: Meta’s Double Breach
In addition to the encryption lapse, Meta also violated GDPR’s breach notification rules, which require companies to report data breaches to regulators within 72 hours of becoming aware of the incident. Meta failed to meet this deadline, and, even more critically, did not properly document the breach. This dual failure escalated the severity of the penalty levied against the company.
The deputy commissioner of the DPC, Graham Doyle, emphasized the importance of protecting sensitive user data. In a statement, Doyle noted: “It is widely accepted that user passwords should never be stored in plaintext, given the risks of abuse that arise when such data is improperly accessed. These passwords were especially sensitive, as they granted access to users’ social media accounts — making them particularly vulnerable to misuse.”
Meta’s Response: “An Error in Password Management”
Unsurprisingly, Meta has downplayed the severity of the breach and the resulting fine. In a response to the DPC’s findings, Meta spokesperson Matthew Pollard defended the company’s actions, referring to the password mishandling as an “error” in its processes. Meta claimed to have taken “immediate action” to rectify the issue and assured regulators and the public that there was no evidence of the passwords being abused or improperly accessed.
“As part of a security review in 2019, we discovered that a subset of Facebook users’ passwords were temporarily logged in a readable format within our internal data systems. We took immediate action to fix this error, and there is no evidence that these passwords were abused or accessed improperly,” Meta stated. The company also noted that it proactively reported the issue to the DPC and engaged with regulators throughout the inquiry.
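The failure Meta describes, passwords written to internal systems in readable form, is as much a logging-pipeline problem as a storage one. The following is an added example, not Meta’s code: a Python logging filter that redacts credential-like fields before a record is written, and a scan that flags existing log lines where such a value still appears in plaintext; the field names and sample log lines are constructed assumptions.

```python
import io
import logging
import re

# Field names that must never reach a log line in readable form (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")

# key=value or "key": "value" pairs whose key is sensitive; only the value is replaced.
_PATTERN = re.compile(
    r'(?i)(?P<key>\b(?:%s)\b)(?P<sep>"?\s*[=:]\s*"?)(?P<val>[^\s"&,;]+)'
    % "|".join(SENSITIVE_KEYS)
)

def redact(text: str) -> str:
    """Replace the value of any sensitive key with a fixed marker."""
    return _PATTERN.sub(lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", text)

class CredentialRedactingFilter(logging.Filter):
    """Scrubs credentials from a record before any handler formats or writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True

def log_with_filter(message: str) -> str:
    """Emit one DEBUG record through a filtered logger; return what reached the stream."""
    buf = io.StringIO()
    logger = logging.getLogger("example.auth")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    logger.debug(message)
    return buf.getvalue().strip()

def find_plaintext_credentials(lines: list[str]) -> list[int]:
    """Return 1-based line numbers of existing log lines that expose a secret."""
    return [i for i, line in enumerate(lines, 1) if redact(line) != line]

# Constructed sample log lines (not real data) modelling the failure mode.
SAMPLE_LOG = [
    "INFO login ok user=alice",
    "DEBUG auth request user=bob password=hunter2 ip=10.0.0.5",
    'DEBUG payload {"user": "carol", "pwd": "S3cret!"}',
    "INFO session token=[REDACTED] renewed",
]
```

Running `find_plaintext_credentials(SAMPLE_LOG)` over retained logs gives a starting point for the breach documentation GDPR requires, since it shows which records carried readable credentials and for how long.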
A History of Fines and Privacy Issues
This latest €91 million ($101.5M) penalty is just another in a growing list of GDPR fines handed to Meta, underscoring the company’s persistent struggles with privacy compliance. While the sum might seem substantial, it pales in comparison to Meta’s massive annual revenues. The company reported earnings of $134.90 billion in 2023, meaning this fine represents only a small fraction of what it could have faced under GDPR’s maximum penalty — 4% of global annual turnover.
To put this in perspective, the €17 million fine the DPC imposed in March 2022 for another security breach, a 2018 incident that affected up to 30 million Facebook users, was significantly lower. In contrast, the 2019 breach exposed the passwords of hundreds of millions of users, leading to this stiffer penalty. With these recurrent breaches, it’s clear Meta’s data protection challenges remain a systemic issue.
The Gravity of GDPR Penalties
The GDPR framework empowers European data protection authorities to impose fines based on various factors, including the nature, gravity, and duration of the infringement; the scope and purpose of the data processing; and the number of individuals affected, along with the level of damage caused. In Meta’s case, the scope of this breach — with hundreds of millions of passwords exposed — was a major factor in the size of the penalty.
However, the €91 million fine, while significant, is still far below the potential maximum. Had the DPC chosen to penalize Meta more aggressively, the company could have been hit with a fine of up to 4% of its global revenue, potentially reaching into the billions.
A Wake-Up Call for Big Tech?
This incident serves as yet another wake-up call for Meta and other tech giants that operate under the scrutiny of global privacy regulations. While Meta has managed to avoid the maximum penalty this time, the repeated breaches and fines signal a deeper issue within the company’s data security practices. GDPR fines are not just a slap on the wrist but a strong message that companies must prioritize the security and privacy of their users’ data — or face steep consequences.
As tech companies continue to collect vast amounts of personal data, the stakes for protecting that information are higher than ever. Meta’s ongoing legal battles and privacy sanctions suggest that the path to true GDPR compliance remains a challenge for even the largest players in the industry. Whether Meta will make the necessary changes to avoid future breaches remains to be seen, but for now, the €91 million penalty stands as a stark reminder that privacy matters, and lapses will not be tolerated.
Conclusion
While Meta may have framed the 2019 breach as an “error,” the reality is that such mistakes come at a steep cost — not just financially, but also in terms of user trust and brand reputation. With regulators around the world closely watching, Meta’s privacy missteps could continue to shape its future in a more regulated, privacy-conscious world.
For now, this latest fine cements the company’s reputation for struggling with privacy compliance, leaving many to wonder whether Meta can truly fix the systemic issues that have plagued its security practices for years.